Use alpine base image with individual ca cert files

Signed-off-by: Tamal Saha <[email protected]>
kubeops · May 24, 2024 · 8e31e4e · 8e31e4e
1 parent 83ecbfd
commit 8e31e4e
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 16 deletions.
diff --git a/Dockerfile.dbg b/Dockerfile.dbg
@@ -19,6 +19,10 @@ FROM {ARG_FROM}
 
 LABEL org.opencontainers.image.source https://github.com/kubeops/csi-driver-cacerts
 
+RUN set -x \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends apt-transport-https ca-certificates
+
 ADD bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}
 COPY --from=java /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts
 COPY --from=centos /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/ssl/certs/ca-bundle.trust.crt

diff --git a/Dockerfile.in b/Dockerfile.in
@@ -19,6 +19,9 @@ FROM {ARG_FROM}
 
 LABEL org.opencontainers.image.source https://github.com/kubeops/csi-driver-cacerts
 
+RUN set -x \
+  && apk add --update ca-certificates
+
 ADD bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}
 COPY --from=java /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts
 COPY --from=centos /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/ssl/certs/ca-bundle.trust.crt

diff --git a/Makefile b/Makefile
@@ -66,7 +66,8 @@ BIN_PLATFORMS    := $(DOCKER_PLATFORMS)
 OS   := $(if $(GOOS),$(GOOS),$(shell go env GOOS))
 ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 
-BASEIMAGE_PROD   ?= gcr.io/distroless/static-debian12
+# BASEIMAGE_PROD ?= gcr.io/distroless/static-debian12
+BASEIMAGE_PROD   ?= alpine
 BASEIMAGE_DBG    ?= debian:bookworm
 
 IMAGE            := $(REGISTRY)/$(BIN)

diff --git a/pkg/driver/nodeserver.go b/pkg/driver/nodeserver.go
@@ -333,23 +333,27 @@ func updateCACerts(certs map[uint64]*x509.Certificate, osFamily OsFamily, srcDir
 	}
 
 	payload := map[string]atomic_writer.FileProjection{}
-	entries, err := os.ReadDir(srcDir)
-	if err != nil {
-		return errors.Wrap(err, "error reading directory "+srcDir)
-	}
-	for _, entry := range entries {
-		name := entry.Name()
-		if entry.IsDir() ||
-			name == "ca-certificates.crt" ||
-			name == "ca-bundle.pem" {
-			continue
-		}
 
-		data, err := os.ReadFile(filepath.Join(srcDir, name))
+	switch osFamily {
+	case OsFamilyDebian, OsFamilyUbuntu, OsFamilyAlpine, OsFamilyOpensuse:
+		entries, err := os.ReadDir(srcDir)
 		if err != nil {
-			return err
+			return errors.Wrap(err, "error reading directory "+srcDir)
+		}
+		for _, entry := range entries {
+			name := entry.Name()
+			if entry.IsDir() ||
+				name == "ca-certificates.crt" ||
+				name == "ca-bundle.pem" {
+				continue
+			}
+
+			data, err := os.ReadFile(filepath.Join(srcDir, name))
+			if err != nil {
+				return err
+			}
+			payload[name] = atomic_writer.FileProjection{Data: data, Mode: 0o444}
 		}
-		payload[name] = atomic_writer.FileProjection{Data: data, Mode: 0o444}
 	}
 
 	var caBuf bytes.Buffer
@@ -372,7 +376,11 @@ func updateCACerts(certs map[uint64]*x509.Certificate, osFamily OsFamily, srcDir
 		if err != nil {
 			return err
 		}
-		payload[fmt.Sprintf("%d.pem", certId)] = atomic_writer.FileProjection{Data: pemBuf.Bytes(), Mode: 0o444}
+
+		switch osFamily {
+		case OsFamilyDebian, OsFamilyUbuntu, OsFamilyAlpine, OsFamilyOpensuse:
+			payload[fmt.Sprintf("%d.pem", certId)] = atomic_writer.FileProjection{Data: pemBuf.Bytes(), Mode: 0o444}
+		}
 
 		caBuf.Write(pemBuf.Bytes())
 	}