Use up-to-date ca-certificates during build (GoogleContainerTools#1580)

SihengCui · Feb 23, 2021 · 2d4db8e · 2d4db8e
1 parent adf5c7a
commit 2d4db8e
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 4,312 deletions.
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
@@ -52,12 +52,21 @@ RUN mkdir -p /kaniko/.docker
 COPY . .
 RUN make GOARCH=$(cat /goarch.txt)
 
+# Generate latest ca-certificates
+
+FROM debian:buster-slim AS certs
+
+RUN \
+  apt update && \
+  apt install -y ca-certificates && \
+  cat /etc/ssl/certs/* > /ca-certificates.crt
+
 FROM scratch
 COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
 COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
 COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
 COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr
-COPY files/ca-certificates.crt /kaniko/ssl/certs/
+COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
 COPY --from=0 /kaniko/.docker /kaniko/.docker
 COPY files/nsswitch.conf /etc/nsswitch.conf
 ENV HOME /root

diff --git a/deploy/Dockerfile_debug b/deploy/Dockerfile_debug
@@ -50,6 +50,15 @@ RUN mkdir -p /kaniko/.docker
 COPY . .
 RUN make GOARCH=$(cat /goarch) && make GOARCH=$(cat /goarch.txt) out/warmer
 
+# Generate latest ca-certificates
+
+FROM debian:buster-slim AS certs
+
+RUN \
+  apt update && \
+  apt install -y ca-certificates && \
+  cat /etc/ssl/certs/* > /ca-certificates.crt
+
 FROM scratch
 COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/* /kaniko/
 COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/warmer
@@ -61,7 +70,7 @@ COPY --from=busybox:1.32.0 /bin /busybox
 # Declare /busybox as a volume to get it automatically in the path to ignore
 VOLUME /busybox
 
-COPY files/ca-certificates.crt /kaniko/ssl/certs/
+COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
 COPY --from=0 /kaniko/.docker /kaniko/.docker
 COPY files/nsswitch.conf /etc/nsswitch.conf
 ENV HOME /root

diff --git a/deploy/Dockerfile_slim b/deploy/Dockerfile_slim
@@ -29,10 +29,19 @@ COPY . .
 
 RUN make GOARCH=$(cat /goarch)
 
+# Generate latest ca-certificates
+
+FROM debian:buster-slim AS certs
+
+RUN \
+  apt update && \
+  apt install -y ca-certificates && \
+  cat /etc/ssl/certs/* > /ca-certificates.crt
+
 FROM scratch
 COPY --from=build_env /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
 COPY files/nsswitch.conf /etc/nsswitch.conf
-COPY files/ca-certificates.crt /kaniko/ssl/certs/
+COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
 ENV HOME /root
 ENV USER root
 ENV PATH /usr/local/bin:/kaniko

diff --git a/deploy/Dockerfile_warmer b/deploy/Dockerfile_warmer
@@ -47,12 +47,21 @@ RUN mkdir -p /kaniko/.docker
 COPY . .
 RUN  make GOARCH=$(cat /goarch) out/warmer
 
+# Generate latest ca-certificates
+
+FROM debian:buster-slim AS certs
+
+RUN \
+  apt update && \
+  apt install -y ca-certificates && \
+  cat /etc/ssl/certs/* > /ca-certificates.crt
+
 FROM scratch
 COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/warmer
 COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
 COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
 COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr
-COPY files/ca-certificates.crt /kaniko/ssl/certs/
+COPY --from=certs /ca-certificates.crt /kaniko/ssl/certs/
 COPY --from=0 /kaniko/.docker /kaniko/.docker
 COPY files/nsswitch.conf /etc/nsswitch.conf
 ENV HOME /root