dockerfile: include CA certificates #1879
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Busybox does not include CA certificates by default, which causes https requests to fail during certificate verification. For instance, the Cilium CLI fails to retrieve the hem chart with the following error: looks like "https://helm.cilium.io" is not a valid chart repository or cannot be reached: Get "https://helm.cilium.io/index.yaml": tls: failed to verify certificate: x509: certificate signed by unknown authority Hence, let's propagate the CA certificates from the builder container. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Previously, the tunneling mode was specified through an extra config, which caused the CLI to override it with the autodetected value, causing a conflict (as the tunnel option is now deprecated). Let's fix this issue explicitly setting the routingMode (cilium#24561). Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
|
Successful run for the external workloads workflow: https://github.com/cilium/cilium-cli/actions/runs/5715701135/job/15485617703?pr=1880 (it needed to be tested separately since this PR is from a fork, and the workflow is run as |
|
Reviews are in, the failure is expected as the fix will take effect only once merged. Marking as ready to merge /cc @michi-covalent 🙏 |
giorio94
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Busybox does not include CA certificates by default, which causes https requests to fail during certificate verification. For instance, the Cilium CLI fails to retrieve the hem chart with the following error:
Hence, let's propagate the CA certificates from the builder container.
Note: this error did not show up previously because the helm charts were vendored inside the CLI binary, hence avoiding the need to contact an external website. The v1.14 one, instead, is not vendored (yet?), hence causing all workflows to fail due to the impossibility of reaching
helm.cilium.io.Additionally, the second commit fixes the external-workloads workflow, which is currently broken due to a conflict in the configured options.