fix(cnbBuild): customTlsCertificateLinks causes permission denied error (#3159)

This is because the cnb builder images usually don't run as root user. As a workaround we: - Copied the system truststore to a tmp-file - Added the certificates to the tmp-file - Set the `SSL_CERT_FILE` environment variable Co-authored-by: Philipp Stehle <philipp.stehle@sap.com> Co-authored-by: Sumit Kulhadia <sumit.kulhadia@sap.com>
2025-01-30 05:59:39 +02:00 · 2021-10-07 16:04:20 +02:00 · 2021-10-07 16:04:20 +02:00 · ec420b9dd0
commit ec420b9dd0
parent 6f13d6078d
2 changed files with 31 additions and 2 deletions
--- a/cmd/cnbBuild.go
+++ b/cmd/cnbBuild.go
@ -302,10 +302,16 @@ func runCnbBuild(config *cnbBuildOptions, telemetryData *telemetry.CustomData, u
 	}

 	if len(config.CustomTLSCertificateLinks) > 0 {
-		err := certutils.CertificateUpdate(config.CustomTLSCertificateLinks, httpClient, utils, "/etc/ssl/certs/ca-certificates.crt")
+		caCertificates := "/tmp/ca-certificates.crt"
+		_, err := utils.Copy("/etc/ssl/certs/ca-certificates.crt", caCertificates)
+		if err != nil {
+			return errors.Wrap(err, "failed to copy certificates")
+		}
+		err = certutils.CertificateUpdate(config.CustomTLSCertificateLinks, httpClient, utils, caCertificates)
 		if err != nil {
 			return errors.Wrap(err, "failed to update certificates")
 		}
+		utils.AppendEnv([]string{fmt.Sprintf("SSL_CERT_FILE=%s", caCertificates)})
 	} else {
 		log.Entry().Info("skipping updation of certificates")
 	}
--- a/cmd/cnbBuild_test.go
+++ b/cmd/cnbBuild_test.go
@ -126,6 +126,7 @@ func TestRunCnbBuild(t *testing.T) {
 		defer server.Close()

 		caCertsFile := "/etc/ssl/certs/ca-certificates.crt"
+		caCertsTmpFile := "/tmp/ca-certificates.crt"
 		registry := "some-registry"
 		config := cnbBuildOptions{
 			ContainerImageName:        "my-image",
@ -144,13 +145,14 @@ func TestRunCnbBuild(t *testing.T) {
 		err := runCnbBuild(&config, &telemetry.CustomData{}, &utils, &commonPipelineEnvironment, &piperhttp.Client{})
 		assert.NoError(t, err)

-		result, err := utils.FilesMock.FileRead(caCertsFile)
+		result, err := utils.FilesMock.FileRead(caCertsTmpFile)
 		assert.NoError(t, err)
 		assert.Equal(t, "test\ntestCert\ntestCert\n", string(result))

 		assert.NoError(t, err)
 		runner := utils.ExecMockRunner
 		assert.Contains(t, runner.Env, "CNB_REGISTRY_AUTH={\"my-registry\":\"Basic dXNlcjpwYXNz\"}")
+		assert.Contains(t, runner.Env, fmt.Sprintf("SSL_CERT_FILE=%s", caCertsTmpFile))
 		assert.Equal(t, "/cnb/lifecycle/detector", runner.Calls[0].Exec)
 		assert.Equal(t, "/cnb/lifecycle/builder", runner.Calls[1].Exec)
 		assert.Equal(t, "/cnb/lifecycle/exporter", runner.Calls[2].Exec)
@ -211,4 +213,25 @@ func TestRunCnbBuild(t *testing.T) {
 		err := runCnbBuild(&config, nil, &utils, &commonPipelineEnvironment, &piperhttp.Client{})
 		assert.EqualError(t, err, "the provided dockerImage is not a valid builder")
 	})
+
+	t.Run("error case: builder image does not contain tls certificates", func(t *testing.T) {
+		t.Parallel()
+
+		registry := "some-registry"
+		config := cnbBuildOptions{
+			ContainerImageName:        "my-image",
+			ContainerImageTag:         "0.0.1",
+			ContainerRegistryURL:      registry,
+			DockerConfigJSON:          "/path/to/config.json",
+			Buildpacks:                []string{"test"},
+			CustomTLSCertificateLinks: []string{"http://example.com/certs.pem"},
+		}
+
+		utils := newCnbBuildTestsUtils()
+		utils.FilesMock.AddFile(config.DockerConfigJSON, []byte(`{"auths":{"my-registry":{"auth":"dXNlcjpwYXNz"}}}`))
+		addBuilderFiles(&utils)
+
+		err := runCnbBuild(&config, nil, &utils, &commonPipelineEnvironment, &piperhttp.Client{})
+		assert.EqualError(t, err, "failed to copy certificates: cannot copy '/etc/ssl/certs/ca-certificates.crt': file does not exist")
+	})
 }