deployment: remove DST_Root_CA_X3 from docker images (pomerium#2677)
travisgroth committed Oct 15, 2021
1 parent 7e15377 commit 4e4a161
Showing 4 changed files with 25 additions and 0 deletions.
8 changes: 8 additions & 0 deletions .github/Dockerfile-release
@@ -1,5 +1,12 @@
ARG ARCH

# build our own root trust store from current stable
FROM debian:stable as casource
RUN apt-get update && apt-get install -y ca-certificates
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates


FROM busybox:latest as build
RUN touch /config.yaml

Expand All @@ -8,5 +15,6 @@ ENV AUTOCERT_DIR /data/autocert
WORKDIR /pomerium
COPY pomerium* /bin/
COPY --from=build /config.yaml /pomerium/config.yaml
COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ENTRYPOINT [ "/bin/pomerium" ]
CMD ["-config","/pomerium/config.yaml"]
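Review bot: The `rm` in the new casource stage has no `-f`, and the stage is built from the floating `debian:stable` tag, so this release build will start failing with "No such file or directory" as soon as the upstream ca-certificates package stops shipping `DST_Root_CA_X3.crt` — likely for an expired root, and outside this repository's control. Either tolerate the absence, `RUN rm -f /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates`, or pin the stage by digest, `FROM debian:stable@sha256:<digest> as casource`, so the bundle copied by `COPY --from=casource` is the same on every rebuild rather than whatever stable resolves to that day. The copied bundle also replaces the one the final base image ships, so its roots no longer track that base image's updates; a comment above the `COPY --from=casource` line saying the trust store is intentionally sourced from this stage and is refreshed only by rebuilding would save a later reader from assuming the base still owns it. The final stage's `FROM` sits above the second hunk and is not visible here.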
8 changes: 8 additions & 0 deletions .github/workflows/test.yaml
Expand Up @@ -184,11 +184,19 @@ jobs:
with:
Dockerfile: Dockerfile
ignore: DL3059
failure-threshold: error
- name: Hadolint - Debug
uses: hadolint/hadolint-action@v1.5.0
with:
Dockerfile: Dockerfile.debug
ignore: DL3059
failure-threshold: error
- name: Hadolint - Release
uses: hadolint/hadolint-action@v1.5.0
with:
Dockerfile: .github/Dockerfile-release
ignore: DL3059
failure-threshold: error
- name: build
run: docker build .

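Review bot: The new `Hadolint - Release` step, like the two existing ones, pins `hadolint/hadolint-action` to the mutable tag `v1.5.0`, so whoever can move that tag controls what runs in this workflow; pin to the full commit SHA instead, `uses: hadolint/hadolint-action@<40-char sha> # v1.5.0`. `failure-threshold: error` also means hadolint's warning-level findings never fail the job — if I recall the default severities correctly that includes DL3007 for the `busybox:latest` stage and DL3008 for the unpinned `apt-get install` in the Dockerfiles this commit touches — so consider `failure-threshold: warning` with an explicit `ignore` list for the rules the project knowingly accepts. The job definition starts above the hunk.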
7 changes: 7 additions & 0 deletions Dockerfile
Expand Up @@ -17,10 +17,17 @@ RUN make build NAME=pomerium
RUN make build NAME=pomerium-cli
RUN touch /config.yaml

# build our own root trust store from current stable
FROM debian:stable as casource
RUN apt-get update && apt-get install -y ca-certificates
# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates

FROM gcr.io/distroless/base:debug
ENV AUTOCERT_DIR /data/autocert
WORKDIR /pomerium
COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/
COPY --from=build /config.yaml /pomerium/config.yaml
COPY --from=casource /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ENTRYPOINT [ "/bin/pomerium" ]
CMD ["-config","/pomerium/config.yaml"]
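Review bot: The casource stage copies a trust store built from whatever `debian:stable` resolves to at build time into the distroless final image, so two builds of the same commit can ship different root sets, and the image no longer picks up CA updates from its own `gcr.io/distroless/base:debug` base; pin the stage by digest, `FROM debian:stable@sha256:<digest> as casource`, and bump the digest deliberately. The unconditional `rm` will also break the build once upstream drops the expired root from the package, so `rm -f` is the safer spelling. A short comment on the `COPY --from=casource … ca-certificates.crt` line, e.g. `# overrides the base image's bundle; refresh by rebuilding casource`, would stop a later reader from assuming distroless still owns the trust store. This stage duplicates the one in .github/Dockerfile-release, so the two must be kept in sync by hand.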
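--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -24,6 +24,8 @@ ENV AUTOCERT_DIR /data/autocert
 WORKDIR /pomerium
 # hadolint ignore=DL3018
 RUN apk add --no-cache ca-certificates libc6-compat gcompat
+# Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
+RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates
 COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/
 COPY --from=build /config.yaml /pomerium/config.yaml
 COPY --from=build /go/bin/dlv /bin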
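Review bot: The new `rm` runs without `-f` in the final Alpine image, so the debug build fails as soon as the base's `ca-certificates` package stops shipping `DST_Root_CA_X3.crt` — expected for an expired root, and the `apk add` line above installs whatever version the base currently carries. Use `RUN rm -f /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates` so the step becomes a no-op once upstream catches up. Because this is a separate `RUN` layer, the original file and bundle still exist in the `apk add` layer beneath it; that is harmless for TLS verification, since the container sees the regenerated bundle, but it is worth a comment, or fold the removal into the `apk add` RUN so the expired root never lands in any layer. The stage's `FROM` line is above the hunk.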
