feat(privateCA): standalone Docker image created for CA certificate i…

…njection As the installing `openssl` package was violating `runAsNonRoot` rule privacy context, a standalone Docker image created make those package(s) pre-installed.
Substra · Sep 5, 2023 · 7ed9742 · 7ed9742
1 parent 2ef40a3
commit 7ed9742
Show file tree

Hide file tree

Showing 8 changed files with 19 additions and 20 deletions.
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
@@ -21,7 +21,11 @@ jobs:
     uses: substra/substra-gha-workflows/.github/workflows/docker-build.yaml@main
     with:
       image: substra-backend
-
+  ca-cert-injector:
+    uses: substra/substra-gha-workflows/.github/workflows/docker-build.yaml@main
+    with:
+      image: substra-backend-ca-cert-injector
+      image-folder: ca-cert-injector
   metrics-exporter:
     uses: substra/substra-gha-workflows/.github/workflows/docker-build.yaml@main
     with:

diff --git a/charts/substra-backend/templates/deployment-api-events.yaml b/charts/substra-backend/templates/deployment-api-events.yaml
@@ -97,10 +97,6 @@ spec:
           command: ['sh', '-c']
           args:
           - |
-            {{- if .Values.privateCa.image.apkAdd }}
-            apt update
-            apt install -y ca-certificates openssl
-            {{- end }}
             update-ca-certificates && cp /etc/ssl/certs/* /tmp/certs/
           volumeMounts:
             - mountPath: /usr/local/share/ca-certificates/{{ .Values.privateCa.configMap.fileName }}

diff --git a/charts/substra-backend/templates/deployment-server.yaml b/charts/substra-backend/templates/deployment-server.yaml
@@ -176,10 +176,6 @@ spec:
         command: ['sh', '-c']
         args:
         - |
-          {{- if .Values.privateCa.image.apkAdd }}
-          apt update
-          apt install -y ca-certificates openssl
-          {{- end }}
           update-ca-certificates && cp /etc/ssl/certs/* /tmp/certs/
         volumeMounts:
           - mountPath: /usr/local/share/ca-certificates/{{ .Values.privateCa.configMap.fileName }}

diff --git a/charts/substra-backend/templates/deployment-worker-events.yaml b/charts/substra-backend/templates/deployment-worker-events.yaml
@@ -97,10 +97,6 @@ spec:
           command: ['sh', '-c']
           args:
           - |
-            {{- if .Values.privateCa.image.apkAdd }}
-            apt update
-            apt install -y ca-certificates openssl
-            {{- end }}
             update-ca-certificates && cp /etc/ssl/certs/* /tmp/certs/
           volumeMounts:
             - mountPath: /usr/local/share/ca-certificates/{{ .Values.privateCa.configMap.fileName }}

diff --git a/charts/substra-backend/templates/statefulset-worker.yaml b/charts/substra-backend/templates/statefulset-worker.yaml
@@ -67,10 +67,6 @@ spec:
         command: ['sh', '-c']
         args:
         - |
-          {{- if .Values.privateCa.image.apkAdd }}
-          apt update
-          apt install -y ca-certificates openssl
-          {{- end }}
           update-ca-certificates && cp /etc/ssl/certs/* /tmp/certs/
         volumeMounts:
           - mountPath: /usr/local/share/ca-certificates/{{ .Values.privateCa.configMap.fileName }}

diff --git a/charts/substra-backend/values.yaml b/charts/substra-backend/values.yaml
@@ -22,10 +22,14 @@ privateCa:
   ## @param privateCa.image.apkAdd Install the update-ca-certificates package
   ##
   image:
-    repository: ubuntu
-    tag: latest
+    registry: ghcr.io
+    repository: substra-backend-ca-cert-injector
+    tag: null
     pullPolicy: IfNotPresent
-    apkAdd: true
+    ## Optionally specify an array of imagePullSecrets.
+    ## Secrets must be created manually in the namespace.
+    ##
+    pullSecrets: []
   ## @param privateCa.configMap.name Name of the _ConfigMap_ containing the private CA certificate
   ## @param privateCa.configMap.data Certificate to add in the _ConfigMap_
   ## @param privateCa.configMap.fileName Certificate filename in the _ConfigMap_

diff --git a/docker/ca-cert-injector/Dockerfile b/docker/ca-cert-injector/Dockerfile
@@ -0,0 +1,3 @@
+FROM ubuntu:latest
+
+RUN apt-get update && apt-get install -y ca-certificates openssl
diff --git a/skaffold.yaml b/skaffold.yaml
@@ -16,6 +16,10 @@ build:
           strip: backend/
       docker:
         dockerfile: docker/substra-backend/Dockerfile
+    - image: substra/ca-cert-injector
+      context: .
+      docker:
+        dockerfile: docker/ca-cert-injector/Dockerfile
 
 deploy:
   helm: