GoogleCloudPlatform / buildpacks

Builders and buildpacks designed to run on Google Cloud's container platforms
Apache License 2.0

Add ability to configure certificates #125

Open tummalah opened 3 years ago

tummalah commented 3 years ago

Testing out node project from SampleBuildpacks

pack build sample-node --path . --env GOOGLE_ENTRYPOINT="update-ca-certificates && node web.js"
latest: Pulling from buildpacks/builder
Digest: sha256:a3dd3295f9999bb70de339521d948128a08600d87a5145206f0f4657acb30afc
Status: Image is up to date for gcr.io/buildpacks/builder:latest
v1: Pulling from buildpacks/gcp/run
f5f4dd109182: Already exists
3eacd107a517: Already exists
3c2cba919283: Already exists
673131a4b146: Already exists
2d2536259990: Already exists
Digest: sha256:38dc53d3db5d83581005f904f3291a0eb80477356ea7e6cce19580d03c051be8
Status: Downloaded newer image for gcr.io/buildpacks/gcp/run:v1
0.10.2: Pulling from buildpacksio/lifecycle
Digest: sha256:c3a070ed0eaf8776b66f9f7c285469edccf5299b3283c453dd45699d58d78003
Status: Image is up to date for buildpacksio/lifecycle:0.10.2
===> DETECTING
[detector] 4 of 5 buildpacks participating
[detector] google.nodejs.runtime 0.9.2
[detector] google.nodejs.npm 0.9.0
[detector] google.config.entrypoint 0.9.0
[detector] google.utils.label 0.0.1
===> ANALYZING
[analyzer] Restoring metadata for "google.nodejs.runtime:node" from app image
[analyzer] Restoring metadata for "google.nodejs.npm:npm" from cache
===> RESTORING
[restorer] Restoring data for "google.nodejs.runtime:node" from cache
[restorer] Restoring data for "google.nodejs.npm:npm" from cache
===> BUILDING
[builder] === Node.js - Runtime (google.nodejs.runtime@0.9.2) ===
[builder] Resolving Node.js version based on semver "12.11.0"
[builder] --------------------------------------------------------------------------------
[builder] Running "curl --fail --show-error --silent --location --get --data-urlencode range=12.11.0 http://semver.io/node/resolve"
[builder] 12.11.0Done "curl --fail --show-error --silent --location --get --data-ur..." (416.1317ms)
[builder] Using resolved runtime version from package.json: 12.11.0
[builder] Runtime cache hit, skipping installation.
[builder] === Node.js - NPM (google.nodejs.npm@0.9.0) ===
[builder] Dependencies cache hit, skipping installation.
[builder] --------------------------------------------------------------------------------
[builder] Running "npm install --quiet (NODE_ENV=production)"
[builder] npm WARN sample-node@0.0.1 No repository field.
[builder] npm WARN sample-node@0.0.1 No license field.
[builder]
[builder] audited 52 packages in 0.874s
[builder] found 0 vulnerabilities
[builder]
[builder] Done "npm install --quiet (NODE_ENV=production)" (1.3259173s)
[builder] === Config - Entrypoint (google.config.entrypoint@0.9.0) ===
[builder] Using entrypoint from GOOGLE_ENTRYPOINT: update-ca-certificates && node web.js
[builder] === Utils - Label Image (google.utils.label@0.0.1) ===
===> EXPORTING
[exporter] Reusing layer 'google.nodejs.runtime:node'
[exporter] Reusing layer 'google.nodejs.npm:env'
[exporter] Reusing 1/1 app layer(s)
[exporter] Reusing layer 'launcher'
[exporter] Reusing layer 'config'
[exporter] Reusing layer 'process-types'
[exporter] Adding label 'io.buildpacks.lifecycle.metadata'
[exporter] Adding label 'io.buildpacks.build.metadata'
[exporter] Adding label 'io.buildpacks.project.metadata'
[exporter] Setting default process type 'web'
[exporter] *** Images (6df6dfa2c7ad):
[exporter] sample-node
[exporter] Reusing cache layer 'google.nodejs.runtime:node'
[exporter] Reusing cache layer 'google.nodejs.npm:npm'
Successfully built image sample-node

hemanth@a033615392053:~/buildpack-samples/sample-node$ docker run -it -ePORT=3000 -v /home/hemanth/buildpack-samples/sample-node/cel-eu-root.cer:/usr/local/share/ca-certificates/celesio.crt -p3000:3000 sample-node
Updating certificates in /etc/ssl/certs...
ln: failed to create symbolic link '/etc/ssl/certs/celesio.pem': Permission denied

tummalah commented 3 years ago

Worked around this issue with the Node env flag. But it would be nice if CNB came up with some spec.

docker run -it -ePORT=3000  -eNODE_EXTRA_CA_CERTS=root.crt -p3000:3000 sample-node node web.js

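The workaround above, carried one step further as an added example (this is not code from the buildpacks project or from the thread): an entrypoint wrapper that concatenates the certificates mounted under /usr/local/share/ca-certificates into a PEM bundle in a writable path and exports NODE_EXTRA_CA_CERTS, so update-ca-certificates and its root-only write to /etc/ssl/certs are never needed. The wrapper itself and the names build_ca_bundle, CA_SRC_DIR and CA_BUNDLE are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the buildpacks project: an entrypoint wrapper
# that makes extra CA certificates available to Node without root.
# update-ca-certificates must write under /etc/ssl/certs, which the non-root
# runtime user cannot do (the "Permission denied" above). NODE_EXTRA_CA_CERTS
# only needs one readable PEM file, so the certificates mounted into
# /usr/local/share/ca-certificates are concatenated into a bundle in a
# writable location instead. build_ca_bundle, CA_SRC_DIR and CA_BUNDLE are
# hypothetical names chosen for this example.

# Concatenate the PEM certificates in directory $1 into bundle file $2.
# Prints the number of certificates bundled; exit status 1 if none were usable.
build_ca_bundle() {
    src_dir="$1"
    bundle="$2"
    count=0
    : > "$bundle" || return 1
    for f in "$src_dir"/*.crt "$src_dir"/*.pem; do
        [ -r "$f" ] || continue            # unmatched glob or unreadable file
        [ "$f" != "$bundle" ] || continue  # never append the bundle to itself
        # NODE_EXTRA_CA_CERTS understands PEM only; a DER file would be ignored
        # with a warning, so reject anything without a PEM header up front.
        if ! grep -q 'BEGIN CERTIFICATE' "$f"; then
            echo "skipping $f: not a PEM certificate" >&2
            continue
        fi
        cat "$f" >> "$bundle"
        # A file without a trailing newline would glue its END line to the
        # next BEGIN line and corrupt the bundle; add the newline if missing.
        [ -z "$(tail -c1 "$f")" ] || echo >> "$bundle"
        count=$((count + 1))
    done
    echo "$count"
    [ "$count" -gt 0 ]
}

# Entrypoint behaviour: build the bundle, export it for Node, then exec the
# real command (e.g. "entrypoint.sh node web.js"). Skipped when run with no
# arguments so the function above can be sourced or tested on its own.
if [ "$#" -gt 0 ]; then
    CA_SRC_DIR="${CA_SRC_DIR:-/usr/local/share/ca-certificates}"
    CA_BUNDLE="${CA_BUNDLE:-/tmp/extra-ca.pem}"
    if n=$(build_ca_bundle "$CA_SRC_DIR" "$CA_BUNDLE"); then
        export NODE_EXTRA_CA_CERTS="$CA_BUNDLE"
        echo "trusting $n extra CA certificate(s) from $CA_BUNDLE" >&2
    fi
    exec "$@"
fi
```

NODE_EXTRA_CA_CERTS adds to Node's built-in root store rather than replacing it, and it is read once at process start, so the bundle must exist before node is exec'd. Tools that do not go through Node's TLS stack (curl, for instance) do not read it and still need their own trust configuration.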
briandealwis commented 3 years ago

@tummalah could you please describe your use case: what are you trying to accomplish and why? Where do the certs come from? Are they replacements for installed certificates, or should they be added to the system's list?

tummalah commented 3 years ago

Hi @briandealwis, I was trying to install an enterprise root cert generated inside the enterprise into the CA store of the runtime container. This is required because we are using custom CA certs and sometimes self-signed certs. It would be nice if the buildpack supported mounting the certs during runtime or during build time.

duxbuse commented 7 months ago

@briandealwis

My use case is similar: in order to run the builder without internet access, I would very much like to point it to a local mirror as well as set my own corp certs in order to access the mirror.