Commit
document env var required for cacerts. add a test for ssl function.
lazcamus committed Sep 24, 2024
1 parent 35a7d5a commit 960559c
Showing 5 changed files with 36 additions and 0 deletions.
12 changes: 12 additions & 0 deletions distroless/private/cacerts.bzl
Expand Up @@ -30,8 +30,20 @@ cacerts(
package = "@ca-certificates//:data.tar.xz",
)
```
To use the generated certificate bundle for SSL, **you must set SSL_CERT_FILE in the
environment**. You can set it on the oci image like so:
```starlark
oci_image(
name = "my-image",
env = {
"SSL_CERT_FILE": "/etc/ssl/certs/ca-certificates.crt",
}
)
```
"""


def _cacerts_impl(ctx):
bsdtar = ctx.toolchains[tar_lib.TOOLCHAIN_TYPE]
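
Review bot: The added docstring example hard-codes "/etc/ssl/certs/ca-certificates.crt" without saying that this is the path where cacerts() places the bundle, and it does not explain why the variable is required or which clients read it. Suggest one sentence tying the path to the rule's output and naming the consumer this commit actually exercises (openssl), so readers on another TLS stack know to check how it locates its trust store. The oci_image example also has no layer carrying the cacerts() output, so it does not show the two pieces working together, and the `}` closing env has no trailing comma before `)`.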

11 changes: 11 additions & 0 deletions docs/rules.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions examples/debian_snapshot/BUILD.bazel
Expand Up @@ -63,6 +63,7 @@ PACKAGES = [
"@bullseye//dpkg",
"@bullseye//apt",
"@bullseye//perl",
"@bullseye//openssl",
"@bullseye//nvidia-kernel-common",
]
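
Review bot: "@bullseye//openssl" is added to PACKAGES with no comment, yet going by the commit message it is there only so the new ssl test has a client to run. Add a short comment next to the entry saying it is a test-only dependency; otherwise it reads as something the example image needs at runtime and is likely to be copied into images that are meant to stay minimal.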

Expand Down Expand Up @@ -104,6 +105,10 @@ oci_image(
for package in PACKAGES
],
}),
env = {
# Required to use the SSL certs from `cacerts()`
"SSL_CERT_FILE": "/etc/ssl/certs/ca-certificates.crt",
}
)

oci_load(
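
Review bot: The new env dict closes with `}` and no trailing comma before `)`, unlike the `}),` on the line just above it; add the comma so the attribute list stays consistently formatted. The certificate path is also a bare string literal here, so a named constant next to PACKAGES would make it clearer that the value has to match where cacerts() puts the bundle.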
4 changes: 4 additions & 0 deletions examples/debian_snapshot/test_linux_amd64.yaml
Expand Up @@ -26,3 +26,7 @@ commandTests:
command: "head"
args: ["-1", "/etc/ssl/certs/ca-certificates.crt"]
expectedOutput: [-----BEGIN CERTIFICATE-----]
- name: "in depth ca-certs check"
command: "/usr/bin/openssl"
args: ["s_client", "-connect", "www.google.com:443"]
expectedOutput: ["Verify return code: 0 .ok."]
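
Review bot: The new "in depth ca-certs check" connects to www.google.com:443, so the test needs outbound network access and will fail in sandboxed or offline CI for reasons that have nothing to do with the certificate bundle. If a live endpoint is acceptable, say so in a comment; otherwise consider verifying a certificate fixture shipped with the test against the bundle instead. Two smaller points: s_client does not abort on a verification failure unless -verify_return_error is passed, so the pass/fail signal rests entirely on the expectedOutput pattern, and in that pattern `.ok.` matches any character where the parentheses are, so escaping them would make the match exact.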
4 changes: 4 additions & 0 deletions examples/debian_snapshot/test_linux_arm64.yaml
Expand Up @@ -26,3 +26,7 @@ commandTests:
command: "head"
args: ["-1", "/etc/ssl/certs/ca-certificates.crt"]
expectedOutput: [-----BEGIN CERTIFICATE-----]
- name: "in depth ca-certs check"
command: "/usr/bin/openssl"
args: ["s_client", "-connect", "www.google.com:443"]
expectedOutput: ["Verify return code: 0 .ok."]
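
Review bot: The "in depth ca-certs check" entry duplicates the one added to test_linux_amd64.yaml line for line, so its dependency on reaching www.google.com:443 and its loose `.ok.` pattern now have to be maintained in two files. If the test rule accepts more than one config file, move the architecture-independent command tests into a shared YAML and keep only the per-architecture checks here.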
