accept certs from dir instead of .arg

Signed-off-by: Nianyu Shen <[email protected]>

.arg.template

@@ -8,7 +8,6 @@ ISO_NAME=palette-edge-installer
 ARCH=amd64
 HTTPS_PROXY=
 HTTP_PROXY=
-PROXY_CERT_PATH=
 UPDATE_KERNEL=false
 CLUSTERCONFIG=spc.tgz
 CIS_HARDENING=false

Dockerfile

@@ -7,16 +7,23 @@ ARG HTTP_PROXY
 ARG HTTPS_PROXY
 ARG NO_PROXY
 
-COPY sc.cr[t] /tmp/sc.crt
-RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ] && [ "${PROXY_CERT_PATH}" != "" ]; then \
-    cp /tmp/sc.crt /etc/ssl/certs && \
+WORKDIR /certs
+COPY certs/ /certs/
+RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ]; then \
+    cp -f /certs/ /usr/local/share/ca-certificates/ && \
     update-ca-certificates; \
     fi 
-RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ] && [ "${PROXY_CERT_PATH}" != "" ]; then \
-    cp /tmp/sc.crt /usr/share/pki/trust/anchors && \
+RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ]; then \
+    cp -f /certs/ /tmp//usr/share/pki/trust/anchors/ && \
     update-ca-certificates; \
     fi
 
+RUN if [ "${OS_DISTRIBUTION}" = "rhel" ]; then \
+    cp -f /certs/ /etc/pki/ca-trust/source/anchors/ && \
+    update-ca-trust; \
+    fi
+RUN rm -rf /certs
+
 ########################### Add any other image customizations here #######################
 
 ####  Examples  ####

Earthfile

@@ -48,7 +48,6 @@ ARG NO_PROXY
 ARG http_proxy=${HTTP_PROXY}
 ARG https_proxy=${HTTPS_PROXY}
 ARG no_proxy=${NO_PROXY}
-ARG PROXY_CERT_PATH
 
 ARG UPDATE_KERNEL=false
 ARG ETCD_VERSION="v3.5.13"
@@ -173,10 +172,8 @@ build-provider-images-fips:
 
 BASE_ALPINE:
     COMMAND
-    IF [ ! -z $PROXY_CERT_PATH ]
-        COPY sc.crt /etc/ssl/certs
-        RUN update-ca-certificates
-    END
+    COPY --if-exists certs/ /etc/ssl/certs/
+    RUN update-ca-certificates
     RUN apk add curl
 
 iso-image-rootfs:
@@ -592,7 +589,7 @@ kairos-provider-image:
 
 # base build image used to create the base image for all other image types
 base-image:
-    FROM DOCKERFILE --build-arg BASE=$BASE_IMAGE --build-arg PROXY_CERT_PATH=$PROXY_CERT_PATH \ 
+    FROM DOCKERFILE --build-arg BASE=$BASE_IMAGE \ 
     --build-arg OS_DISTRIBUTION=$OS_DISTRIBUTION --build-arg OS_VERSION=$OS_VERSION \ 
     --build-arg HTTP_PROXY=$HTTP_PROXY --build-arg HTTPS_PROXY=$HTTPS_PROXY \
     --build-arg NO_PROXY=$NO_PROXY .
@@ -633,12 +630,6 @@ base-image:
             pro attach $UBUNTU_PRO_KEY
         END
 
-        # Add proxy certificate if present
-        IF [ ! -z $PROXY_CERT_PATH ]
-            COPY sc.crt /etc/ssl/certs
-            RUN  update-ca-certificates
-        END
-
         RUN apt-get update && \
             apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool rsyslog logrotate -y
 
@@ -677,11 +668,6 @@ base-image:
 
     # OS == Opensuse
     ELSE IF [ "$OS_DISTRIBUTION" = "opensuse-leap" ] && [ "$ARCH" = "amd64" ]
-        # Add proxy certificate if present
-        IF [ ! -z $PROXY_CERT_PATH ]
-            COPY sc.crt /usr/share/pki/trust/anchors
-            RUN update-ca-certificates
-        END
         # Enable or Disable Kernel Updates
         IF [ "$UPDATE_KERNEL" = "false" ]
             RUN zypper al kernel-de*

README.md

@@ -129,8 +129,7 @@ cp .arg.template .arg
 | FIPS_ENABLED                | to generate FIPS compliant binaries. `true` or `false`                                                                                                                                                                                                                                                                                         | string  | `false`                  |
 | HTTP_PROXY                  | URL of the HTTP Proxy server to be used if needed (Optional)                                                                                                                                                                                                                                                                                   | string  |                          |
 | HTTPS_PROXY                 | URL of the HTTPS Proxy server to be used if needed (Optional)                                                                                                                                                                                                                                                                                  | string  |                          |
-| NO_PROXY                    | URLS that should be excluded from proxying (Optional)                                                                                                                                                                                                                                                                                          | string  |                          |
-| PROXY_CERT_PATH             | Absolute path of the SSL Proxy certificate in PEM format if needed (Optional)                                                                                                                                                                                                                                                                  | string  |                          |
+| NO_PROXY                    | URLS that should be excluded from proxying (Optional)                                                                                                                                                                                                                                                                                                                                                                                                                                                              | string  |                          |
 | UPDATE_KERNEL               | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider                                                                                                                                                                                                                                                   | boolean | `false`                  |
 | DISABLE_SELINUX             | Disable selinux in the operating system. Some applications (like Kubevirt) do not like selinux                                                                                                                                                                                                                                                 | boolean | `true`                   |
 | CLUSTERCONFIG               | Path of the cluster config                                                                                                                                                                                                                                                                                                                     | string  |                          |

earthly.sh

@@ -11,12 +11,12 @@ function build_with_proxy() {
         docker stop earthly-buildkitd
     fi
     # start earthly buildkitd
-    docker run -d --privileged --name earthly-buildkitd -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm -t -e GLOBAL_CONFIG="$global_config" -e BUILDKIT_TCP_TRANSPORT_ENABLED=true -e http_proxy=$HTTP_PROXY -e https_proxy=$HTTPS_PROXY -e HTTPS_PROXY=$HTTPS_PROXY -e HTTP_PROXY=$HTTP_PROXY -e NO_PROXY=$NO_PROXY -e no_proxy=$no_proxy -e EARTHLY_GIT_CONFIG=$gitconfig -v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" -v earthly-tmp:/tmp/earthly:rw -p 8372:8372 $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION
+    docker run -d --privileged --name earthly-buildkitd -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm -t -e GLOBAL_CONFIG="$global_config" -e BUILDKIT_TCP_TRANSPORT_ENABLED=true -e http_proxy=$HTTP_PROXY -e https_proxy=$HTTPS_PROXY -e HTTPS_PROXY=$HTTPS_PROXY -e HTTP_PROXY=$HTTP_PROXY -e NO_PROXY=$NO_PROXY -e no_proxy=$no_proxy -e EARTHLY_GIT_CONFIG=$gitconfig -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" -v earthly-tmp:/tmp/earthly:rw -p 8372:8372 $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION
     # Update the CA certificates in the container
     docker exec -it earthly-buildkitd update-ca-certificates
 
     # Run Earthly in Docker to create artifacts  Variables are passed from the .arg file
-    docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace -v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
+    docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
 }
 
 function build_without_proxy() {

test/test-two-node.sh

@@ -65,7 +65,6 @@ ISO_NAME=palette-edge-installer
 ARCH=amd64
 HTTPS_PROXY=
 HTTP_PROXY=
-PROXY_CERT_PATH=
 UPDATE_KERNEL=false
 EOF
 }