chainguard-dev / melange

build APKs from source code
Apache License 2.0

Issue creating an apk package to install company certs #1275

Open Conor-Behard333 opened 1 week ago

Conor-Behard333 commented 1 week ago

Hi,

I'm looking at using apko and melange as an alternative to docker. Normally in our dockerfiles we have to copy in any relevant company certs so that communicating with on-prem services is possible over https.

Usually done like:

```sh
cp certs-location /usr/local/share/ca-certificates
update-ca-certificates
```

I've been stuck trying to do this using a custom apk.

I've been able to move the certs into the apko build, but update-ca-certificates command is not running so the company certs are not trusted.

I can shell into the container and then run update-ca-certificates manually (as root), which works. This is obviously not desired as I want it to be run on build.

Custom apk package config:

```yaml
package:
  name: certs
  version: v0.1.0
  epoch: 0
  description: "certs"
  dependencies:
    runtime:

environment:
  contents:
    repositories:
      - https://dl-cdn.alpinelinux.org/alpine/edge/main
    packages:
      - busybox
      - ca-certificates

pipeline:
  - runs: |
      mkdir -p ${{targets.destdir}}/usr/local/share/ca-certificates
      cp ./certs/* ${{targets.destdir}}/usr/local/share/ca-certificates
      update-ca-certificates
```

apko yaml config:

```yaml
contents:
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  repositories:
    - https://packages.wolfi.dev/os
    - "@local packages"
  packages:
    - cosign=2.2.4
    - vault=1.13.0
    - wolfi-base
    - certs@local
    - curl
    - busybox
    - ca-certificates

accounts:
  users:
    - username: base
      uid: 65532
      gid: 65532
  run-as: 65532

entrypoint:
  command: /bin/sh -l

archs:
  - x86_64
```

Conor-Behard333 commented 1 week ago

Thought adding a scriptlet would work, but it still does not work.

```yaml
scriptlets:
  post-install: |
    #!/bin/busybox sh
    update-ca-certificates
```
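Both the `runs` step in the first comment and the `post-install` scriptlet in the second rely on `update-ca-certificates` executing somewhere other than at package build time. The shell function below is an added example (it is not melange's, apko's or the reporter's code) of the alternative: assembling the trust bundle at build time and shipping it inside the package, so that nothing has to run inside the image. It assumes the Alpine/Wolfi bundle path `/etc/ssl/certs/ca-certificates.crt`, which is where `update-ca-certificates` writes its concatenated output; the function and argument names are hypothetical, and the `DEST_DIR` argument stands in for `${{targets.destdir}}`. It also refuses any file that is not a PEM certificate, which catches the common mistake of copying a private key into a trust store.

```shell
#!/bin/sh
# Added example: build-time CA bundle assembly for a melange package.
# Mimics the part of update-ca-certificates that HTTPS clients depend on
# (the concatenated PEM bundle) but writes it under the package staging
# root, so the file is part of the apk and no scriptlet has to run later.

# build_ca_bundle SRC_DIR DEST_DIR [BASE_BUNDLE]
#   SRC_DIR     directory holding the company .crt/.pem files (PEM encoded)
#   DEST_DIR    package staging root (hypothetical stand-in for ${{targets.destdir}})
#   BASE_BUNDLE optional existing distro bundle to prepend, so the image still
#               trusts public CAs as well as the company ones
# Prints the number of certificates added and returns 0; returns 1 if any
# input is not a PEM certificate (e.g. a private key or a DER blob), so a
# mis-copied file fails the build instead of landing in the trust store.
build_ca_bundle() {
  src="$1"; dest="$2"; base="${3:-}"
  out="$dest/etc/ssl/certs/ca-certificates.crt"   # Alpine/Wolfi bundle path (assumed)
  local_dir="$dest/usr/local/share/ca-certificates"
  mkdir -p "$dest/etc/ssl/certs" "$local_dir"
  : > "$out.tmp"
  [ -n "$base" ] && [ -f "$base" ] && cat "$base" >> "$out.tmp"
  count=0
  for f in "$src"/*.crt "$src"/*.pem; do
    [ -f "$f" ] || continue
    # Only PEM certificates are allowed in; anything else aborts the build.
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$f" || grep -q 'PRIVATE KEY' "$f"; then
      echo "refusing $f: not a PEM certificate" >&2
      rm -f "$out.tmp"
      return 1
    fi
    # Keep a copy in the conventional local-CA directory as well, so a later
    # update-ca-certificates run (if one ever happens) sees the same certs.
    cp "$f" "$local_dir/"
    cat "$f" >> "$out.tmp"
    # Guarantee a newline between certificates even if a file lacks one.
    [ -n "$(tail -c1 "$f")" ] && echo >> "$out.tmp"
    count=$((count + 1))
  done
  mv "$out.tmp" "$out"
  chmod 0644 "$out"
  echo "$count"
}

# Count certificates in a bundle; lets the build assert the expected number
# rather than discovering a missing CA at the first failed TLS handshake.
count_bundle_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}
```

Called from the melange `runs` step as `build_ca_bundle ./certs "${{targets.destdir}}" /etc/ssl/certs/ca-certificates.crt`, this makes the resulting package carry the full bundle, and the `runtime` dependency on `ca-certificates` can be dropped. Tools that look up CAs by hashed symlink (the `c_rehash`-style `/etc/ssl/certs/<hash>.0` files) are not covered by this example; only the concatenated bundle is produced.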