Per the title. I think that when unable to extract certificates from the source image it makes more sense to throw an alert and fall back to "replace" functionality. The current failure feels unintuitive if someone is modifying an image where they haven't investigated what certificates may be embedded. I'm happy to make the changes and submit a PR but wanted to open the discussion first.

Current Flow:

1. Run incert to add certificates to an image with no certs (e.g. wolfi-base):
   incert -ca-certs-file ./corporate_forward_trust.crt -image-url cgr.dev/chainguard/grype:latest -dest-image-url localhost/grype:corp-certs
2. Incert fails:
   Failed to extract CA certificates from image: failed to find /etc/ssl/certs/ca-certificates.crt in remote image
3. Think through error message and realize that your source must not have any certs.
4. Run incert without args, check the README, or whatever.
5. Notice the -replace-certs option.
6. Wonder why you have to replace something that doesn't exist.
7. Try it anyway.
8. Congratulate yourself for guessing correctly.

Desired Flow:

1. Run incert to add certificates to an image with no certs (e.g. wolfi-base):
   incert -ca-certs-file ./corporate_forward_trust.crt -image-url cgr.dev/chainguard/grype:latest -dest-image-url localhost/grype:corp-certs
2. Incert doesn't find source certificates, but falls back to "replace" functionality.
3. You get a useful warning:
   Warning: Failed to extract CA certificates from image: failed to find /etc/ssl/certs/ca-certificates.crt in remote image. Generating new CA certificates file.
   If you believe this is a mistake re-run with -image-cert-path set to the correct location.
4. Rejoice in success or go back to figure out where the CA certs are loaded in your source image.

Alternative Desired Flow:

1. Run incert to add certificates to an image with no certs (e.g. wolfi-base):
   incert -ca-certs-file ./corporate_forward_trust.crt -image-url cgr.dev/chainguard/grype:latest -dest-image-url localhost/grype:corp-certs
2. Incert doesn't find source certificates and fails with a more useful message:
   Failed to extract CA certificates from image: failed to find /etc/ssl/certs/ca-certificates.crt in remote image. Run with -replace-certs to generate a new CA certificates file.
3. Re-run incert with the recommended flag.
4. Raise your fists in success and thank the incert team for including a more useful message.
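
The two proposed behaviours, as an added example that is not incert's code and not part of the original issue: only a missing bundle triggers the fallback or the hint, while any other read error stays fatal. The function `buildBundle`, the `fallback` parameter, the `fs.FS` model of the image, the sample images and the probe of other well-known bundle paths are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// Constructed sample images (flattened root filesystems), not real image contents.
var (
	bareImg = fstest.MapFS{"etc/os-release": {Data: []byte("ID=wolfi\n")}}
	rhelImg = fstest.MapFS{"etc/pki/tls/certs/ca-bundle.crt": {Data: []byte("SYSTEM-ROOTS\n")}}
	debImg  = fstest.MapFS{"etc/ssl/certs/ca-certificates.crt": {Data: []byte("SYSTEM-ROOTS\n")}}
)

// Other well-known Linux bundle locations (also in Go's crypto/x509 root list).
var knownPaths = []string{"/etc/pki/tls/certs/ca-bundle.crt", "/etc/ssl/cert.pem", "/etc/ssl/ca-bundle.pem"}

// buildBundle (hypothetical) returns the new bundle and a warning (empty if none).
// fallback=true is the "Desired Flow"; false is the "Alternative Desired Flow".
func buildBundle(img fs.FS, certPath string, extra []byte, fallback bool) ([]byte, string, error) {
	old, err := fs.ReadFile(img, strings.TrimPrefix(certPath, "/"))
	if err == nil {
		return append(append(old, '\n'), extra...), "", nil // bundle found: append
	}
	if !errors.Is(err, fs.ErrNotExist) {
		return nil, "", err // unreadable image: never fall back silently
	}
	msg := fmt.Sprintf("failed to find %s in image", certPath)
	for _, p := range knownPaths { // added hint, not part of the proposal
		if _, e := fs.Stat(img, strings.TrimPrefix(p, "/")); e == nil {
			msg += fmt.Sprintf(" (a bundle exists at %s; consider -image-cert-path)", p)
		}
	}
	if !fallback {
		return nil, "", fmt.Errorf("%s. Run with -replace-certs to generate a new CA certificates file", msg)
	}
	return extra, "Warning: " + msg + ". Generating new CA certificates file.", nil
}

func main() {
	for _, img := range []fs.FS{bareImg, rhelImg, debImg} {
		out, warn, err := buildBundle(img, "/etc/ssl/certs/ca-certificates.crt", []byte("CORP-CA\n"), true)
		fmt.Printf("bytes=%d warn=%q err=%v\n", len(out), warn, err)
	}
}
```

The second sample image shows why the warning matters: the system roots live at another path, so the generated file would hold only the added CA unless `-image-cert-path` is set.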