suse-edge · one-horned-flying · Jan 31, 2025 · ipetrov117 · Feb 3, 2025 · one-horned-flying
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,9 @@
 # ----- EIB Builder Image -----
 FROM registry.suse.com/bci/golang:1.22-1.36.1
 
+COPY certificates/. /etc/pki/trust/anchors/
+RUN update-ca-certificates
+
 # Dependency uses by line
 # 1. Podman Go library
 RUN zypper install -y \
@@ -20,6 +23,9 @@ RUN --mount=type=cache,id=gomod,target=/go/pkg/mod \
 # ----- Deliverable Image -----
 FROM opensuse/leap:15.6
 
+COPY certificates/. /etc/pki/trust/anchors/
+RUN update-ca-certificates
+
 # Dependency uses by line
 # 1. ISO image building
 # 2. RAW image modification on x86_64 and aarch64

diff --git a/certificates/.gitignore b/certificates/.gitignore
@@ -0,0 +1 @@
+*
diff --git a/pkg/combustion/combustion.go b/pkg/combustion/combustion.go
@@ -41,7 +41,7 @@ type kubernetesArtefactDownloader interface {
 }
 
 type rpmResolver interface {
-	Resolve(packages *image.Packages, localRPMConfig *image.LocalRPMConfig, outputDir string) (rpmDirPath string, pkgList []string, err error)
+	Resolve(packages *image.Packages, localRPMConfig *image.LocalRPMConfig, certsPath, outputDir string) (rpmDirPath string, pkgList []string, err error)
 }
 
 type rpmRepoCreator interface {

diff --git a/pkg/combustion/rpm.go b/pkg/combustion/rpm.go
@@ -59,8 +59,10 @@ func (c *Combustion) configureRPMs(ctx *image.Context) ([]string, error) {
 		return nil, fmt.Errorf("creating rpm artefacts path: %w", err)
 	}
 
+	certsPath := filepath.Join(ctx.ImageConfigDir, certsConfigDir)
+
 	log.Audit("Resolving package dependencies...")
-	repoPath, pkgsList, err := c.RPMResolver.Resolve(packages, localRPMConfig, artefactsPath)
+	repoPath, pkgsList, err := c.RPMResolver.Resolve(packages, localRPMConfig, certsPath, artefactsPath)
 	if err != nil {
 		log.AuditComponentFailed(rpmComponentName)
 		return nil, fmt.Errorf("resolving rpm/package dependencies: %w", err)

diff --git a/pkg/combustion/rpm_test.go b/pkg/combustion/rpm_test.go
@@ -14,12 +14,12 @@ import (
 )
 
 type mockRPMResolver struct {
-	resolveFunc func(packages *image.Packages, localRPMConfig *image.LocalRPMConfig, outputDir string) (rpmDir string, pkgList []string, err error)
+	resolveFunc func(packages *image.Packages, localRPMConfig *image.LocalRPMConfig, certsPath, outputDir string) (rpmDir string, pkgList []string, err error)
 }
 
-func (m mockRPMResolver) Resolve(packages *image.Packages, localRPMConfig *image.LocalRPMConfig, outputDir string) (rpmDir string, pkgList []string, err error) {
+func (m mockRPMResolver) Resolve(packages *image.Packages, localRPMConfig *image.LocalRPMConfig, certsPath, outputDir string) (rpmDir string, pkgList []string, err error) {
 	if m.resolveFunc != nil {
-		return m.resolveFunc(packages, localRPMConfig, outputDir)
+		return m.resolveFunc(packages, localRPMConfig, certsPath, outputDir)
 	}
 
 	panic("not implemented")

diff --git a/pkg/rpm/resolver/resolver.go b/pkg/rpm/resolver/resolver.go
@@ -81,7 +81,7 @@ func New(workDir string, podman Podman, baseImageBuilder BaseResolverImageBuilde
 // - localRPMConfig - configuration for locally provided RPMs
 //
 // - outputDir - directory in which the resolver will create a directory containing the resolved rpms.
-func (r *Resolver) Resolve(packages *image.Packages, localRPMConfig *image.LocalRPMConfig, outputDir string) (rpmDirPath string, pkgList []string, err error) {
+func (r *Resolver) Resolve(packages *image.Packages, localRPMConfig *image.LocalRPMConfig, certsPath, outputDir string) (rpmDirPath string, pkgList []string, err error) {
 	zap.L().Info("Resolving package dependencies...")
 
 	revert, err := mount.DisableDefaultMounts(r.overrideMountsPath)
@@ -98,7 +98,7 @@ func (r *Resolver) Resolve(packages *image.Packages, localRPMConfig *image.Local
 		return "", nil, fmt.Errorf("building base resolver image: %w", err)
 	}
 
-	if err = r.prepare(localRPMConfig, packages); err != nil {
+	if err = r.prepare(localRPMConfig, packages, certsPath); err != nil {
 		return "", nil, fmt.Errorf("generating context for the resolver image: %w", err)
 	}
 
@@ -122,7 +122,7 @@ func (r *Resolver) Resolve(packages *image.Packages, localRPMConfig *image.Local
 	return filepath.Join(outputDir, rpmRepoName), r.generatePKGInstallList(packages), nil
 }
 
-func (r *Resolver) prepare(localRPMConfig *image.LocalRPMConfig, packages *image.Packages) error {
+func (r *Resolver) prepare(localRPMConfig *image.LocalRPMConfig, packages *image.Packages, certsPath string) error {
 	zap.L().Info("Preparing resolver image context...")
 
 	buildContext := r.generateBuildContextPath()
@@ -136,6 +136,10 @@ func (r *Resolver) prepare(localRPMConfig *image.LocalRPMConfig, packages *image
 		}
 	}
 
+	if err := r.prepareCertificates(certsPath); err != nil {
+		return fmt.Errorf("preparing certificates for resolver image build: %w", err)
+	}
+
 	if err := r.writeRPMResolutionScript(localRPMConfig, packages); err != nil {
 		return fmt.Errorf("writing rpm resolution script: %w", err)
 	}
@@ -148,6 +152,29 @@ func (r *Resolver) prepare(localRPMConfig *image.LocalRPMConfig, packages *image
 	return nil
 }
 
+func (r *Resolver) prepareCertificates(certsPath string) error {
+	certsDest := r.generateCertificatePathInBuildContext()
+
+	if err := os.MkdirAll(certsDest, os.ModePerm); err != nil {
+		return fmt.Errorf("creating certificates dir %s: %w", certsDest, err)
+	}
+
+	if _, err := os.Stat(certsPath); os.IsNotExist(err) {
+		zap.S().Info("skipping certificates, no certificates provided")
+		return nil
+	}
+
+	if err := fileio.CopyFiles(certsPath, certsDest, ".crt", false, &fileio.NonExecutablePerms); err != nil {
+		return fmt.Errorf("copying crt files to %s: %w", certsDest, err)
+	}
+
+	if err := fileio.CopyFiles(certsPath, certsDest, ".pem", false, &fileio.NonExecutablePerms); err != nil {
+		return fmt.Errorf("copying pem files to %s: %w", certsDest, err)
+	}
+
+	return nil
+}
+
 func (r *Resolver) prepareLocalRPMs(localRPMConfig *image.LocalRPMConfig) error {
 	rpmDest := r.generateRPMPathInBuildContext()
 	if err := fileio.CopyFiles(localRPMConfig.RPMPath, rpmDest, ".rpm", false, &fileio.NonExecutablePerms); err != nil {
@@ -274,6 +301,11 @@ func (r *Resolver) generateBuildContextPath() string {
 	return filepath.Join(r.dir, "resolver-image-build")
 }
 
+// path to the certificates directory in the resolver build context, as seen in the EIB image
+func (r *Resolver) generateCertificatePathInBuildContext() string {
+	return filepath.Join(r.generateBuildContextPath(), "certificates")
+}
+
 // path to the rpms directory in the resolver build context, as seen in the EIB image
 func (r *Resolver) generateRPMPathInBuildContext() string {
 	return filepath.Join(r.generateBuildContextPath(), "rpms")

diff --git a/pkg/rpm/resolver/templates/Dockerfile.tpl b/pkg/rpm/resolver/templates/Dockerfile.tpl
@@ -16,6 +16,8 @@ COPY {{ .FromGPGPath }} {{ .ToGPGPath }}
 {{ end -}}
 {{ end }}
 
+COPY certificates/. /etc/pki/trust/anchors/
+
 RUN ./{{ .RPMResolutionScriptName }}
 
 CMD ["/bin/bash"]
diff --git a/pkg/rpm/resolver/templates/rpm-resolution.sh.tpl b/pkg/rpm/resolver/templates/rpm-resolution.sh.tpl
@@ -12,6 +12,8 @@ set -euo pipefail
 #  Arch         - sets the architecture of the rpm packages to pull
 #  EnableExtras - registers the SL-Micro-Extras repo for use in resolution
 
+update-ca-certificates -v
+
 {{ if ne .RegCode "" }}
 suseconnect -r {{ .RegCode }}
 {{ if $.EnableExtras -}}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		*
Copy link Contributor ipetrov117 Feb 3, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Same as the comment above, can we remove this file and directory. EIB configurations should be done only from EIB's image configuration directory.