From 7ed97421cdc960715805cd9603f1817799a41746 Mon Sep 17 00:00:00 2001 From: Kaan Yagci Date: Tue, 5 Sep 2023 11:27:31 +0200 Subject: [PATCH] feat(privateCA): standalone Docker image created for CA certificate injection As installing the `openssl` package at runtime was violating the `runAsNonRoot` security-context rule, a standalone Docker image was created with those package(s) pre-installed. --- .github/workflows/docker-build.yaml | 6 +++++- .../templates/deployment-api-events.yaml | 4 ---- .../substra-backend/templates/deployment-server.yaml | 4 ---- .../templates/deployment-worker-events.yaml | 4 ---- .../substra-backend/templates/statefulset-worker.yaml | 4 ---- charts/substra-backend/values.yaml | 10 +++++++--- docker/ca-cert-injector/Dockerfile | 3 +++ skaffold.yaml | 4 ++++ 8 files changed, 19 insertions(+), 20 deletions(-) create mode 100644 docker/ca-cert-injector/Dockerfile diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml index e38236755..2b6d445a3 100644 --- a/.github/workflows/docker-build.yaml +++ b/.github/workflows/docker-build.yaml @@ -21,7 +21,11 @@ jobs: uses: substra/substra-gha-workflows/.github/workflows/docker-build.yaml@main with: image: substra-backend - + ca-cert-injector: + uses: substra/substra-gha-workflows/.github/workflows/docker-build.yaml@main + with: + image: substra-backend-ca-cert-injector + image-folder: ca-cert-injector metrics-exporter: uses: substra/substra-gha-workflows/.github/workflows/docker-build.yaml@main with: diff --git a/charts/substra-backend/templates/deployment-api-events.yaml b/charts/substra-backend/templates/deployment-api-events.yaml index bef68cb44..eb61e0116 100644 --- a/charts/substra-backend/templates/deployment-api-events.yaml +++ b/charts/substra-backend/templates/deployment-api-events.yaml 
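Review bot: The new `ca-cert-injector` job pulls the reusable workflow by the mutable `@main` ref (`uses: substra/substra-gha-workflows/.github/workflows/docker-build.yaml@main`), so anyone who can push to that branch can change how this image is built and published; pinning to a full commit SHA, e.g. `uses: substra/substra-gha-workflows/.github/workflows/docker-build.yaml@<commit-sha>`, closes that door. The sibling jobs in this file already use `@main`, so this is an existing pattern rather than a regression, but the artifact this job produces is what the chart will now trust to populate every pod's CA bundle, which makes the pin worth more here than elsewhere. If the reusable workflow is pinned for all jobs in one go, a short comment above the first `uses:` noting why the SHA must be bumped deliberately would help the next maintainer.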
@@ -97,10 +97,6 @@ spec: command: ['sh', '-c'] args: - | - {{- if .Values.privateCa.image.apkAdd }} - apt update - apt install -y ca-certificates openssl - {{- end }} update-ca-certificates && cp /etc/ssl/certs/* /tmp/certs/ volumeMounts: - mountPath: /usr/local/share/ca-certificates/{{ .Values.privateCa.configMap.fileName }} diff --git a/charts/substra-backend/templates/deployment-server.yaml b/charts/substra-backend/templates/deployment-server.yaml index 45a3ab58a..5090386cc 100644 --- a/charts/substra-backend/templates/deployment-server.yaml +++ b/charts/substra-backend/templates/deployment-server.yaml @@ -176,10 +176,6 @@ spec: command: ['sh', '-c'] args: - | - {{- if .Values.privateCa.image.apkAdd }} - apt update - apt install -y ca-certificates openssl - {{- end }} update-ca-certificates && cp /etc/ssl/certs/* /tmp/certs/ volumeMounts: - mountPath: /usr/local/share/ca-certificates/{{ .Values.privateCa.configMap.fileName }} diff --git a/charts/substra-backend/templates/deployment-worker-events.yaml b/charts/substra-backend/templates/deployment-worker-events.yaml index 34e948467..b7d3f8812 100644 --- a/charts/substra-backend/templates/deployment-worker-events.yaml +++ b/charts/substra-backend/templates/deployment-worker-events.yaml @@ -97,10 +97,6 @@ spec: command: ['sh', '-c'] args: - | - {{- if .Values.privateCa.image.apkAdd }} - apt update - apt install -y ca-certificates openssl - {{- end }} update-ca-certificates && cp /etc/ssl/certs/* /tmp/certs/ volumeMounts: - mountPath: /usr/local/share/ca-certificates/{{ .Values.privateCa.configMap.fileName }} diff --git a/charts/substra-backend/templates/statefulset-worker.yaml b/charts/substra-backend/templates/statefulset-worker.yaml index 05efc9b61..366ea6204 100644 --- a/charts/substra-backend/templates/statefulset-worker.yaml +++ b/charts/substra-backend/templates/statefulset-worker.yaml 
@@ -67,10 +67,6 @@ spec: command: ['sh', '-c'] args: - | - {{- if .Values.privateCa.image.apkAdd }} - apt update - apt install -y ca-certificates openssl - {{- end }} update-ca-certificates && cp /etc/ssl/certs/* /tmp/certs/ volumeMounts: - mountPath: /usr/local/share/ca-certificates/{{ .Values.privateCa.configMap.fileName }} diff --git a/charts/substra-backend/values.yaml b/charts/substra-backend/values.yaml index e0cef4db6..27c0ae8fb 100644 --- a/charts/substra-backend/values.yaml +++ b/charts/substra-backend/values.yaml @@ -22,10 +22,14 @@ privateCa: ## @param privateCa.image.apkAdd Install the update-ca-certificates package ## image: - repository: ubuntu - tag: latest + registry: ghcr.io + repository: substra-backend-ca-cert-injector + tag: null pullPolicy: IfNotPresent - apkAdd: true + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be created manually in the namespace. + ## + pullSecrets: [] ## @param privateCa.configMap.name Name of the _ConfigMap_ containing the private CA certificate ## @param privateCa.configMap.data Certificate to add in the _ConfigMap_ ## @param privateCa.configMap.fileName Certificate filename in the _ConfigMap_ diff --git a/docker/ca-cert-injector/Dockerfile b/docker/ca-cert-injector/Dockerfile new file mode 100644 index 000000000..b053a9072 --- /dev/null +++ b/docker/ca-cert-injector/Dockerfile @@ -0,0 +1,3 @@ +FROM ubuntu:latest + +RUN apt-get update && apt-get install -y ca-certificates openssl diff --git a/skaffold.yaml b/skaffold.yaml index b57fe9d4d..64986f4b8 100644 --- a/skaffold.yaml +++ b/skaffold.yaml @@ -16,6 +16,10 @@ build: strip: backend/ docker: dockerfile: docker/substra-backend/Dockerfile + - image: substra/ca-cert-injector + context: . + docker: + dockerfile: docker/ca-cert-injector/Dockerfile deploy: helm:
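Review bot: The context line `## @param privateCa.image.apkAdd Install the update-ca-certificates package` at the top of this hunk now documents a key that no longer exists, and the new `pullSecrets` key has no `@param` entry; drop the stale line and add `## @param privateCa.image.pullSecrets Image pull secrets for the private registry` (plus `registry`/`repository`/`tag` entries if they are not already documented above the hunk). `tag: null` also leaves the injector image unpinned unless the template falls back to a chart version; an init container that writes the CA bundle every pod trusts should be pinned by tag and ideally by digest, so a repush of the same tag cannot silently change what gets trusted. Finally, `repository: substra-backend-ca-cert-injector` under `registry: ghcr.io` only resolves to a real image if the template prepends the organisation — worth confirming against the reference the CI job actually publishes.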
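Review bot: `FROM ubuntu:latest` builds the CA injector from a floating tag, so the same Dockerfile yields a different, unreviewed base image on every rebuild; pin a release tag and, for a reproducible supply chain, its digest. The commit message says this image exists to satisfy `runAsNonRoot`, yet the Dockerfile sets no `USER`, so the container still starts as root unless the pod's securityContext overrides it — and if it does, `update-ca-certificates` will presumably fail because `/etc/ssl/certs` and `/usr/local/share/ca-certificates` are root-owned (the init containers in this patch `cp /etc/ssl/certs/*`, so that directory is the output). The apt layer should also use `--no-install-recommends` and clear `/var/lib/apt/lists` to keep the image small and its attack surface low; the UID below is a placeholder and should match whatever the chart's securityContext assigns.
```dockerfile
# Pin the base image: a release tag plus its digest (append @sha256:<digest>
# of the reviewed image) keeps rebuilds reproducible.
FROM ubuntu:22.04

# update-ca-certificates writes into /etc/ssl/certs and reads local CAs from
# /usr/local/share/ca-certificates; hand both to the non-root UID.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates openssl \
    && rm -rf /var/lib/apt/lists/* \
    && chown -R 1000:1000 /etc/ssl/certs /usr/local/share/ca-certificates

USER 1000:1000
```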
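Review bot: The new build entry uses `context: .`, which ships the whole repository to the Docker daemon for a Dockerfile that copies nothing from it; narrowing to `context: docker/ca-cert-injector` with `dockerfile: Dockerfile` keeps local builds fast and keeps unrelated files out of the build context. The image is named `substra/ca-cert-injector` here while the CI job publishes `substra-backend-ca-cert-injector` and values.yaml expects `repository: substra-backend-ca-cert-injector`, so unless the `deploy.helm` section (outside this hunk) maps this artifact onto `privateCa.image`, local runs will pull from ghcr.io instead of the freshly built image — worth confirming before merge.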