GoogleCloudPlatform / berglas

A tool for managing secrets on Google Cloud
https://cloud.google.com/secret-manager
Apache License 2.0

ca-certificates with node:10-alpine #26

Closed jthegedus closed 5 years ago

jthegedus commented 5 years ago

Problem

I followed the node.js & Cloud Run example you have here and the resultant image was 300+MBs. Switching to node:10-alpine, I then ran into this issue on deployment:

failed to find environment variables: failed to execute cloud run request: Get https://us-central1-run.googleapis.com/apis/serving.knative.dev/v1alpha1/namespaces/project-id/revisions/service-name-00015: x509: certificate signed by unknown authority

Here is the Dockerfile

FROM node:10-alpine

ENV NODE_ENV=production
WORKDIR /urs/src/app

COPY package.json yarn.lock ./
RUN yarn install --production

COPY . ./
COPY --from=gcr.io/berglas/berglas:latest /bin/berglas /bin/berglas

ENTRYPOINT exec /bin/berglas exec -- yarn start

Expectations

I expected this to work without me needing to add ca-certificates as a package to the Docker image as it is contained within the Berglas image.

Temporary Solution

Adding RUN apk add ca-certificates to my Dockerfile solved the issue and I get an image around 30MBs in size :tada:

Full example code here: https://github.com/jthegedus/firebase-gcp-examples/tree/master/gcp-cloudrun-berglas/helloService

Question

Are my assumptions incorrect here, or is this a bug with Berglas?

sethvargo commented 5 years ago

Berglas actually pulls in ca certs, but most people aren't running berglas as the base image :smile:. Usually you pull just the binary over.

This isn't a berglas issue, but rather an issue with alpine/thin images in general. They don't include the latest CA certificate bundles, so any outbound TLS requests will likely fail to verify. You can replicate this via curl or wget too.

Since it doesn't really make sense to bundle certificates into berglas, I'm going to say this is working as intended. However, I am going to add a note to the Dockerfile examples to help push people in the right direction if they switch the base image.

Thanks for trying Berglas, and thanks for opening an issue!
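
An added example, not part of the original thread or the Berglas project: a POSIX shell check that an image build step can run to confirm a CA bundle is present before a copied-in Go binary such as berglas makes outbound TLS requests. The function names are hypothetical; the path list is the set of bundle files Go's crypto/x509 probes on Linux, and certificate directories and the SSL_CERT_FILE override are not checked.

```shell
#!/bin/sh
# Added example: verify that a root filesystem carries a CA bundle that a
# Go binary (berglas is one) can load when it verifies TLS peers.

# Bundle files Go's crypto/x509 probes on Linux, in probe order.
CA_BUNDLE_PATHS="
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/pki/tls/cacert.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/ssl/cert.pem
"

# find_ca_bundle [ROOT]
# Prints the first bundle under ROOT (default: the live filesystem) that
# holds at least one PEM certificate and returns 0; returns 1 otherwise.
find_ca_bundle() {
    root="${1:-}"
    for path in $CA_BUNDLE_PATHS; do
        file="${root%/}$path"
        # An empty or non-PEM file would still leave the trust store empty.
        if [ -f "$file" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$file"; then
            printf '%s\n' "$file"
            return 0
        fi
    done
    return 1
}

# require_ca_bundle [ROOT]
# Reports the bundle and its certificate count, or fails with a hint.
require_ca_bundle() {
    if bundle="$(find_ca_bundle "${1:-}")"; then
        count="$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle")"
        echo "CA bundle: $bundle ($count certificates)"
    else
        echo "no CA bundle found: TLS requests will fail x509 verification" >&2
        echo "on Alpine: apk add --no-cache ca-certificates" >&2
        return 1
    fi
}
```

Calling `require_ca_bundle` from a `RUN` step after the base-image packages are installed makes the build fail early instead of the deployment failing with `x509: certificate signed by unknown authority`.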

jthegedus commented 5 years ago

Thanks for the in-depth response, much appreciated :smile: