dockerfile: include CA certificates

Busybox does not include CA certificates by default, which causes https requests to fail during certificate verification. For instance, the Cilium CLI fails to retrieve the hem chart with the following error: looks like "https://helm.cilium.io" is not a valid chart repository or cannot be reached: Get "https://helm.cilium.io/index.yaml": tls: failed to verify certificate: x509: certificate signed by unknown authority Hence, let's propagate the CA certificates from the builder container. Signed-off-by: Marco Iorio <[email protected]>
cilium · Jul 31, 2023 · a6c9470 · a6c9470
1 parent d998d7f
commit a6c9470
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -5,12 +5,13 @@
 
 FROM docker.io/library/golang:1.20.4-alpine3.16@sha256:6469405d7297f82d56195c90a3270b0806ef4bd897aa0628477d9959ab97a577 as builder
 WORKDIR /go/src/github.com/cilium/cilium-cli
-RUN apk add --no-cache git make
+RUN apk add --no-cache git make ca-certificates
 COPY . .
 RUN make
 
 FROM docker.io/library/busybox:stable-glibc@sha256:7338d0c72c655d6534670ed72590cdc99afc9c559958c47eb3a5a17a7520a75c
 LABEL maintainer="[email protected]"
+COPY --from=builder /etc/ssl/certs /etc/ssl/certs
 COPY --from=builder /go/src/github.com/cilium/cilium-cli/cilium /usr/local/bin/cilium
 RUN ["wget", "-P", "/usr/local/bin", "https://dl.k8s.io/release/v1.23.6/bin/linux/amd64/kubectl"]
 RUN ["chmod", "+x", "/usr/local/bin/kubectl"]