From 31ce64653ded44337aae0c9e3859c1c1db18f105 Mon Sep 17 00:00:00 2001
From: shankar0123
Date: Thu, 30 Apr 2026 22:38:27 +0000
Subject: [PATCH] fix(deploy/test/libest): pin LIBEST_REF to upstream tag r3.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Dockerfile at HEAD pinned LIBEST_REF=v3.2.0-2 — that ref does NOT exist
on cisco/libest upstream. Verified via:

    curl -sS https://api.github.com/repos/cisco/libest/tags
    # only tags returned: v1.0.0, r3.2.0, 1.1.0

The 'v' prefix and the '-2' patch suffix were both wrong from day one
(commit e9011ca, EST RFC 7030 hardening Phase 10.1). The bug went undetected
because the libest sidecar Dockerfile was never built end-to-end — neither
operator-side nor in CI. The Dockerfile's own header comment ('last tag
3.2.0-2 from 2018') was inaccurate in the same way.

This fix:

- ARG LIBEST_REF=v3.2.0-2 → r3.2.0 (the actual upstream tag, sha
  4ca02c6d7540f2b1bcea278a4fbe373daac7103b verified via
  api.github.com/repos/cisco/libest/git/refs/tags/r3.2.0)
- Updated the surrounding head-comment block to reflect the real upstream
  tag name + cite the 2026-04-30 GitHub API verification.
- Added a note explaining the prior broken pin so future readers don't
  re-introduce it.

The estclient binary built from r3.2.0 supports the only RFC 7030 endpoint
the est_e2e_test.go exercises ('estclient -g' = GET cacerts), so the
integration test still works against this ref.

Closes the libest-build-failure surfaced by ci-pipeline-cleanup Phase 8's
Docker build smoke step (CI run 25192163943, job 'image-and-supply-chain').
---
 deploy/test/libest/Dockerfile | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/deploy/test/libest/Dockerfile b/deploy/test/libest/Dockerfile
index 4d90a7e..5562f84 100644
--- a/deploy/test/libest/Dockerfile
+++ b/deploy/test/libest/Dockerfile
@@ -4,10 +4,18 @@ # canonical RFC 7030 client for the certctl integration test suite. # # Source: https://github.com/cisco/libest (the upstream reference -# implementation; last tag 3.2.0-2 from 2018, but the protocol surface -# we exercise is stable RFC 7030). We build from source rather than -# pulling a published image because no official Cisco image exists on -# Docker Hub + reproducible offline-friendly builds need a pinned ref. +# implementation; latest tag is r3.2.0 — verified via +# https://api.github.com/repos/cisco/libest/tags 2026-04-30. The +# protocol surface we exercise is stable RFC 7030). We build from +# source rather than pulling a published image because no official +# Cisco image exists on Docker Hub + reproducible offline-friendly +# builds need a pinned ref. +# +# Note: an earlier draft of this Dockerfile (commit 15da1f4) pinned +# LIBEST_REF=v3.2.0-2 — that ref does not exist upstream (cisco/libest +# tags do NOT use the `v` prefix and there is no `-2` patch suffix). +# The build silently broke until ci-pipeline-cleanup Phase 8's Docker +# build smoke surfaced it. # # The builder stage compiles libest + its OpenSSL dependency; the # runtime stage carries only the compiled `estclient` binary + @@ -20,7 +28,7 @@ # CI uses `docker compose --profile est-e2e build libest-client` to # orchestrate the build alongside the rest of the test stack. -ARG LIBEST_REF=v3.2.0-2 +ARG LIBEST_REF=r3.2.0 # Bundle A / Audit H-001 (CWE-829): both FROM lines below pin # debian:bookworm-slim to the immutable OCI image-index digest pulled 
@@ -33,7 +41,7 @@ FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13 ARG LIBEST_REF # Build deps. We use the system openssl (1.1.1n in bookworm-slim) which -# is the same major version libest 3.2.0-2 was tested against. libest +# is the same major version libest r3.2.0 was tested against. libest # also wants libcurl + libsafec; we install both via apt rather than # building from source for reproducibility. RUN apt-get update && apt-get install --no-install-recommends -y \
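Review bot: in the first hunk (header comment, `@@ -4,10 +4,18 @@`), the added Note attributes the broken pin to `commit 15da1f4`, while the commit message says `v3.2.0-2` was wrong "from day one (commit e9011ca, EST RFC 7030 hardening Phase 10.1)"; reconcile the two so a reader auditing the history is not sent to the wrong commit. Also, "latest tag is r3.2.0" is a point-in-time claim (the tag list quoted in the commit message, v1.0.0 / r3.2.0 / 1.1.0, does not even sort by name), so wording it as "tag r3.2.0, verified via ... 2026-04-30" keeps the comment true if upstream tags again.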
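Review bot: in the second hunk (`@@ -20,7 +28,7 @@`), `+ARG LIBEST_REF=r3.2.0` replaces a non-existent tag with a real one but still pins to a mutable ref, whereas the comment block immediately below it (Bundle A / Audit H-001, CWE-829) pins the base image to an immutable digest. The commit message already carries the resolved sha 4ca02c6d7540f2b1bcea278a4fbe373daac7103b, so record it next to the ARG and fail the build if the checked-out commit differs, e.g. `ARG LIBEST_SHA=4ca02c6d7540f2b1bcea278a4fbe373daac7103b` and, in whichever RUN step checks out `$LIBEST_REF`, `[ "$(git rev-parse HEAD)" = "$LIBEST_SHA" ]`. That also turns the "ref does not exist" failure described in the message into an explicit, early build error rather than something a CI smoke build has to surface.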
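Review bot: in the third hunk (`@@ -33,7 +41,7 @@`), only the tag name in the comment changes, and the unchanged context line "system openssl (1.1.1n in bookworm-slim)" is carried forward; 1.1.1n is the bullseye OpenSSL version and bookworm ships the 3.0 series, so the claim that this "is the same major version libest r3.2.0 was tested against" very likely repeats the kind of header-comment inaccuracy this commit is fixing. Suggest verifying inside the digest-pinned builder image (e.g. `apt-cache policy libssl-dev`) and either stating the actual version or dropping the version number from the comment.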