From 74215c43e7fa580fcdb0571654e5e24f6000430b Mon Sep 17 00:00:00 2001
From: Yaguang Tang <heut2008@gmail.com>
Date: Thu, 23 Jan 2025 00:01:45 +0800
Subject: [PATCH] Install ca-certificates in the buildx image

Buildx image building (for multiarch support) requires us to set up CA
certificates that are trusted by the image for access to the
registr(y|ies). The buildx image switched to alpine at some point which
doesn't include the update-ca-certificates command we were depending on
for this by default. Install that package so that we can
update-ca-certificates and trust the registr(y|ies).

Note that there may be a better way via buildkitd.toml configuration
files that allow us to configure certs upfront and have the image set
them up for us. This is documented in a todo as a future action we can
investigate.

Change-Id: Ied0b8e81ed6a7a15ea2def26b85b933223cb42e6
---
 roles/build-container-image/tasks/setup-buildx.yaml | 8 ++++++++
 roles/build-docker-image/tasks/setup-buildx.yaml    | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/roles/build-container-image/tasks/setup-buildx.yaml b/roles/build-container-image/tasks/setup-buildx.yaml
index 546a9acf7..a55c9b0e4 100644
--- a/roles/build-container-image/tasks/setup-buildx.yaml
+++ b/roles/build-container-image/tasks/setup-buildx.yaml
@@ -2,6 +2,10 @@
   command: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
   when: ansible_architecture == 'x86_64'
 
+# TODO(clarkb) Use buildkitd.toml configuration to add certifications. That
+# may allow us to drop the ca-certificates install and update-ca-certificates
+# step below. More info here:
+# https://docs.docker.com/reference/cli/docker/buildx/create/#buildkitd-config
 - name: Create builder
   command: "docker buildx create --name mybuilder --node {{ inventory_hostname | replace('-', '_') }} --driver-opt network=host{% if buildset_registry is defined %} --config /etc/buildkit/buildkitd.toml {% endif %}"
   when: inventory_hostname == ansible_play_hosts[0]
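Review bot: The added TODO comment says "add certifications" where it means CA certificates; suggest `# TODO(clarkb) Use buildkitd.toml configuration to add CA certificates. That` so the comment matches the package and command it refers to. The same wording appears in the identical comment added to roles/build-docker-image/tasks/setup-buildx.yaml. The "Create builder" task that follows the comment is only partly visible in this hunk, and the comment sits above that task even though it describes the install and update-ca-certificates steps further down the file; moving it directly above the "Install CA certs in worker container" task would keep it next to the code it may eventually remove.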
@@ -37,6 +41,10 @@
     mode: preserve
   when: buildset_registry is defined and buildset_registry.cert
 
+- name: Install CA certs in worker container
+  command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} apk add --no-cache ca-certificates"
+  when: buildset_registry is defined and buildset_registry.cert
+
 - name: Copy buildset registry TLS cert into worker container
   command: "docker cp {{ buildkit_cert_tmp.path }} buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}:/usr/local/share/ca-certificates"
   when: buildset_registry is defined and buildset_registry.cert
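Review bot: The new "Install CA certs in worker container" task runs `apk add --no-cache ca-certificates` inside the buildkit worker on every play, so it needs outbound access from that container to the Alpine package mirrors and, being a `command` task, reports changed each time; a run on a builder without egress will now fail at this step rather than at the later update-ca-certificates call. The reason for the task is only in the commit message, so a short comment would help the next reader: `# The buildx image is Alpine-based and lacks update-ca-certificates; install it before the registry cert is copied so the cert can be trusted.`. The ordering also appears to matter: if the package is what creates /usr/local/share/ca-certificates, running the install first keeps the following `docker cp` from landing the cert as a file of that name instead of inside the directory, which is worth stating in the same comment. The container-name expression `buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}` is now repeated in several tasks; a single fact set once would reduce the chance of the copies drifting. The same task is added in roles/build-docker-image/tasks/setup-buildx.yaml and the same points apply there.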
diff --git a/roles/build-docker-image/tasks/setup-buildx.yaml b/roles/build-docker-image/tasks/setup-buildx.yaml
index f2fefbe14..241bffe81 100644
--- a/roles/build-docker-image/tasks/setup-buildx.yaml
+++ b/roles/build-docker-image/tasks/setup-buildx.yaml
@@ -4,6 +4,10 @@
     DOCKER_CLI_EXPERIMENTAL: enabled
   when: ansible_architecture == 'x86_64'
 
+# TODO(clarkb) Use buildkitd.toml configuration to add certifications. That
+# may allow us to drop the ca-certificates install and update-ca-certificates
+# step below. More info here:
+# https://docs.docker.com/reference/cli/docker/buildx/create/#buildkitd-config
 - name: Create builder
   command: "docker buildx create --name mybuilder --node {{ inventory_hostname | replace('-', '_') }} --driver-opt network=host{% if buildset_registry is defined %} --config /etc/buildkit/buildkitd.toml {% endif %}"
   environment:
@@ -47,6 +51,10 @@
     mode: preserve
   when: buildset_registry is defined and buildset_registry.cert
 
+- name: Install CA certs in worker container
+  command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} apk add --no-cache ca-certificates"
+  when: buildset_registry is defined and buildset_registry.cert
+
 - name: Copy buildset registry TLS cert into worker container
   command: "docker cp {{ buildkit_cert_tmp.path }} buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}:/usr/local/share/ca-certificates"
   when: buildset_registry is defined and buildset_registry.cert