fix: add kube-oidc-proxy custom ca bundle copy (#8)

mesosphere · Mar 12, 2024 · 3ba2ab9 · 3ba2ab9
1 parent 6472753
commit 3ba2ab9
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/kube-oidc-proxy/Dockerfile b/kube-oidc-proxy/Dockerfile
@@ -7,9 +7,11 @@ ARG BASE_IMAGE
 
 FROM $SOURCE_IMAGE as source
 
+FROM ${BASE_IMAGE} as certs
+
 FROM ${BASE_IMAGE}
 
-# RUN apk --no-cache add ca-certificates && update-ca-certificates
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/certs-bundle.crt
 
 # See: https://github.com/TremoloSecurity/kube-oidc-proxy/blob/1acdbd93710e61117d6daf90f541f2107552d9e6/Dockerfile
 COPY --from=source /usr/bin/kube-oidc-proxy /usr/local/bin/kube-oidc-proxy

diff --git a/kube-oidc-proxy/README.md b/kube-oidc-proxy/README.md
@@ -6,6 +6,8 @@ There is a [maintained fork](https://www.tremolosecurity.com/post/updating-kube-
 
 The forked image gets rebuilt by copying the fork build and adding it to static distroless container image to minimize attack surface.
 
+The CA certs bundle from the original distroless container image is copied to the `/etc/ssl/certs/certs-bundle.crt` that allows specific overrides.
+
 ## Build
 
 ```