From 2c5e5187305695c5dad30a3a16abebd30979e8ae Mon Sep 17 00:00:00 2001
From: Nianyu Shen
Date: Sun, 15 Sep 2024 21:26:15 -0700
Subject: [PATCH] accept certs from dir instead of .arg

Signed-off-by: Nianyu Shen
---
 .arg.template | 1 -
 Dockerfile | 17 ++++++++++++-----
 Earthfile | 20 +++----------------
 README.md | 3 +--
 earthly.sh | 4 ++--
 test/test-two-node.sh | 1 -
 6 files changed, 18 insertions(+), 28 deletions(-)

diff --git a/.arg.template b/.arg.template
index da6e377..cd2770e 100644
--- a/.arg.template
+++ b/.arg.template
@@ -8,7 +8,6 @@ ISO_NAME=palette-edge-installer
 ARCH=amd64
 HTTPS_PROXY=
 HTTP_PROXY=
-PROXY_CERT_PATH=
 UPDATE_KERNEL=false
 CLUSTERCONFIG=spc.tgz
 CIS_HARDENING=false
diff --git a/Dockerfile b/Dockerfile
index db0dbf3..738030c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,16 +7,23 @@ ARG HTTP_PROXY
 ARG HTTPS_PROXY
 ARG NO_PROXY
-COPY sc.cr[t] /tmp/sc.crt
-RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ] && [ "${PROXY_CERT_PATH}" != "" ]; then \
- cp /tmp/sc.crt /etc/ssl/certs && \
+WORKDIR /certs
+COPY certs/ /certs/
+RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ]; then \
+ cp -f /certs/ /usr/local/share/ca-certificates/ && \
 update-ca-certificates; \
 fi
-RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ] && [ "${PROXY_CERT_PATH}" != "" ]; then \
- cp /tmp/sc.crt /usr/share/pki/trust/anchors && \
+RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ]; then \
+ cp -f /certs/ /tmp//usr/share/pki/trust/anchors/ && \
 update-ca-certificates; \
 fi
+RUN if [ "${OS_DISTRIBUTION}" = "rhel" ]; then \
+ cp -f /certs/ /etc/pki/ca-trust/source/anchors/ && \
+ update-ca-trust; \
+ fi
+RUN rm -rf /certs
 ########################### Add any other image customizations here #######################
 #### Examples ####
diff --git a/Earthfile b/Earthfile
index 675f633..4d35027 100644
--- a/Earthfile
+++ b/Earthfile
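Review bot: The three `cp -f /certs/ <dir>/` lines (ubuntu, opensuse-leap and rhel branches) copy a directory without `-r`, so cp refuses with "omitting directory" and each RUN fails; `cp -rf /certs/. <dir>/` copies the contents and also tolerates an empty certs/ directory. The opensuse-leap destination carries a stray prefix, `/tmp//usr/share/pki/trust/anchors/`, so even a working copy would never reach the anchor directory. `WORKDIR /certs` followed by `RUN rm -rf /certs` leaves the image's working directory pointing at a deleted path, which breaks any later RUN in the customizations section unless a new WORKDIR is set; COPY takes an absolute destination, so the WORKDIR line can simply go. `COPY certs/ /certs/` is unconditional, so every build now requires a certs/ directory in the context (the old `sc.cr[t]` glob made the file optional); the README should state that, and that only public CA certificates named `*.crt` belong there, since Debian/Ubuntu's update-ca-certificates ignores other extensions while rhel's update-ca-trust takes every file in anchors/.
```dockerfile
COPY certs/ /certs/
RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ]; then \
    cp -rf /certs/. /usr/local/share/ca-certificates/ && \
    update-ca-certificates; \
    fi
RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ]; then \
    cp -rf /certs/. /usr/share/pki/trust/anchors/ && \
    update-ca-certificates; \
    fi
RUN if [ "${OS_DISTRIBUTION}" = "rhel" ]; then \
    cp -rf /certs/. /etc/pki/ca-trust/source/anchors/ && \
    update-ca-trust; \
    fi
RUN rm -rf /certs
```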
@@ -48,7 +48,6 @@ ARG NO_PROXY
 ARG http_proxy=${HTTP_PROXY}
 ARG https_proxy=${HTTPS_PROXY}
 ARG no_proxy=${NO_PROXY}
-ARG PROXY_CERT_PATH
 ARG UPDATE_KERNEL=false
 ARG ETCD_VERSION="v3.5.13"
@@ -173,10 +172,8 @@ build-provider-images-fips:
 BASE_ALPINE:
 COMMAND
- IF [ ! -z $PROXY_CERT_PATH ]
- COPY sc.crt /etc/ssl/certs
- RUN update-ca-certificates
- END
+ COPY --if-exists certs/ /etc/ssl/certs/
+ RUN update-ca-certificates
 RUN apk add curl
 iso-image-rootfs:
@@ -592,7 +589,7 @@ kairos-provider-image:
 # base build image used to create the base image for all other image types
 base-image:
- FROM DOCKERFILE --build-arg BASE=$BASE_IMAGE --build-arg PROXY_CERT_PATH=$PROXY_CERT_PATH \
+ FROM DOCKERFILE --build-arg BASE=$BASE_IMAGE \
 --build-arg OS_DISTRIBUTION=$OS_DISTRIBUTION --build-arg OS_VERSION=$OS_VERSION \
 --build-arg HTTP_PROXY=$HTTP_PROXY --build-arg HTTPS_PROXY=$HTTPS_PROXY \
 --build-arg NO_PROXY=$NO_PROXY .
@@ -633,12 +630,6 @@ base-image:
 pro attach $UBUNTU_PRO_KEY
 END
- # Add proxy certificate if present
- IF [ ! -z $PROXY_CERT_PATH ]
- COPY sc.crt /etc/ssl/certs
- RUN update-ca-certificates
- END
-
 RUN apt-get update && \
 apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool rsyslog logrotate -y
@@ -677,11 +668,6 @@ base-image:
 # OS == Opensuse
 ELSE IF [ "$OS_DISTRIBUTION" = "opensuse-leap" ] && [ "$ARCH" = "amd64" ]
- # Add proxy certificate if present
- IF [ ! -z $PROXY_CERT_PATH ]
- COPY sc.crt /usr/share/pki/trust/anchors
- RUN update-ca-certificates
- END
 # Enable or Disable Kernel Updates
 IF [ "$UPDATE_KERNEL" = "false" ]
 RUN zypper al kernel-de*
diff --git a/README.md b/README.md
index 4664dbc..a5d3bae 100644
--- a/README.md
+++ b/README.md
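Review bot: `COPY --if-exists certs/ /etc/ssl/certs/` in the BASE_ALPINE command drops the files into the directory update-ca-certificates writes its bundle and hash links to, not the one it reads from; on Alpine, as on Debian, the input directory is /usr/local/share/ca-certificates, so certificates placed in /etc/ssl/certs are not merged into ca-certificates.crt. The same commit's Dockerfile already uses /usr/local/share/ca-certificates/ for the ubuntu case, so `COPY --if-exists certs/ /usr/local/share/ca-certificates/` keeps the two paths consistent; the old line had the same destination, so this is inherited rather than introduced, but the line is rewritten here anyway. `RUN update-ca-certificates` now runs unconditionally where it previously ran only when a certificate was supplied; if the base image ships only ca-certificates-bundle and not the ca-certificates package, the command is missing and the build fails, so `RUN apk add --no-cache ca-certificates` ahead of it is worth adding, or at least a comment stating the assumption.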
@@ -129,8 +129,7 @@ cp .arg.template .arg
 | FIPS_ENABLED | to generate FIPS compliant binaries. `true` or `false` | string | `false` |
 | HTTP_PROXY | URL of the HTTP Proxy server to be used if needed (Optional) | string | |
 | HTTPS_PROXY | URL of the HTTPS Proxy server to be used if needed (Optional) | string | |
-| NO_PROXY | URLS that should be excluded from proxying (Optional) | string | |
-| PROXY_CERT_PATH | Absolute path of the SSL Proxy certificate in PEM format if needed (Optional) | string | |
+| NO_PROXY | URLS that should be excluded from proxying (Optional) | string | |
 | UPDATE_KERNEL | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider | boolean | `false` |
 | DISABLE_SELINUX | Disable selinux in the operating system. Some applications (like Kubevirt) do not like selinux | boolean | `true` |
 | CLUSTERCONFIG | Path of the cluster config | string | |
diff --git a/earthly.sh b/earthly.sh
index a9ff8a2..fd8bb37 100755
--- a/earthly.sh
+++ b/earthly.sh
@@ -11,12 +11,12 @@ function build_with_proxy() {
 docker stop earthly-buildkitd
 fi
 # start earthly buildkitd
- docker run -d --privileged --name earthly-buildkitd -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm -t -e GLOBAL_CONFIG="$global_config" -e BUILDKIT_TCP_TRANSPORT_ENABLED=true -e http_proxy=$HTTP_PROXY -e https_proxy=$HTTPS_PROXY -e HTTPS_PROXY=$HTTPS_PROXY -e HTTP_PROXY=$HTTP_PROXY -e NO_PROXY=$NO_PROXY -e no_proxy=$no_proxy -e EARTHLY_GIT_CONFIG=$gitconfig -v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" -v earthly-tmp:/tmp/earthly:rw -p 8372:8372 $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION
+ docker run -d --privileged --name earthly-buildkitd -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm -t -e GLOBAL_CONFIG="$global_config" -e BUILDKIT_TCP_TRANSPORT_ENABLED=true -e http_proxy=$HTTP_PROXY -e https_proxy=$HTTPS_PROXY -e HTTPS_PROXY=$HTTPS_PROXY -e HTTP_PROXY=$HTTP_PROXY -e NO_PROXY=$NO_PROXY -e no_proxy=$no_proxy -e EARTHLY_GIT_CONFIG=$gitconfig -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" -v earthly-tmp:/tmp/earthly:rw -p 8372:8372 $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION
 # Update the CA certificates in the container
 docker exec -it earthly-buildkitd update-ca-certificates
 # Run Earthly in Docker to create artifacts Variables are passed from the .arg file
- docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace -v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
+ docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
 }
 function build_without_proxy() {
diff --git a/test/test-two-node.sh b/test/test-two-node.sh
index c84607e..dd0c259 100755
--- a/test/test-two-node.sh
+++ b/test/test-two-node.sh
@@ -65,7 +65,6 @@ ISO_NAME=palette-edge-installer
 ARCH=amd64
 HTTPS_PROXY=
 HTTP_PROXY=
-PROXY_CERT_PATH=
 UPDATE_KERNEL=false
 EOF
 }
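Review bot: The new bind mount `-v "$(pwd)/certs:/usr/local/share/ca-certificates:ro"` on the buildkitd line assumes ./certs exists; when it does not, Docker's `-v` creates the source path on the host as a root-owned empty directory inside the checkout, which a later attempt by the invoking user to drop a certificate into certs/ then trips over. A `mkdir -p -- "$(pwd)/certs"` before the `docker run`, or a check that stops with a message, keeps ownership with the user and makes the no-proxy-CA case explicit. Both rewritten `docker run` lines also still pass `-e http_proxy=$HTTP_PROXY` and `$SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION` unquoted; since the lines are being rewritten, `-e "http_proxy=$HTTP_PROXY"` and `"$SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION"` would close the word-splitting case ShellCheck flags. build_with_proxy begins before this hunk.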