mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:51:36 +00:00
fix(deploy/test/libest): pin LIBEST_REF to upstream tag r3.2.0
The Dockerfile at HEAD pinned LIBEST_REF=v3.2.0-2 — that ref does
NOT exist on cisco/libest upstream. Verified via:
curl -sS https://api.github.com/repos/cisco/libest/tags
# only tags returned: v1.0.0, r3.2.0, 1.1.0
The 'v' prefix and the '-2' patch suffix were both wrong from day
one (commit e9011ca, EST RFC 7030 hardening Phase 10.1). The bug
went undetected because the libest sidecar Dockerfile was never
built end-to-end — neither operator-side nor in CI. The Dockerfile's
own header comment ('last tag 3.2.0-2 from 2018') was inaccurate
in the same way.
This fix:
- ARG LIBEST_REF=v3.2.0-2 → r3.2.0 (the actual upstream tag, sha
4ca02c6d7540f2b1bcea278a4fbe373daac7103b verified via
api.github.com/repos/cisco/libest/git/refs/tags/r3.2.0)
- Updated the surrounding head-comment block to reflect the real
upstream tag name + cite the 2026-04-30 GitHub API verification.
- Added a note explaining the prior broken pin so future readers
don't re-introduce it.
The estclient binary built from r3.2.0 supports the only RFC 7030
endpoint the est_e2e_test.go exercises ('estclient -g' = GET
cacerts), so the integration test still works against this ref.
Closes the libest-build-failure surfaced by ci-pipeline-cleanup
Phase 8's Docker build smoke step (CI run 25192163943, job
'image-and-supply-chain').
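The commit message verifies the tag by hand against the GitHub API. The script below is an added example, not part of certctl or libest, of the same check done from `git ls-remote --tags` output so it can run in a build step: it resolves a tag name to the commit it points at and fails if the tag is missing or resolves to a different sha. The listing embedded here is constructed sample data with placeholder shas (and space-separated columns where real `ls-remote` uses tabs); the r3.2.0 entry is shown as an annotated tag, which is the edge case that matters: the `refs/tags/r3.2.0^{}` line carries the commit sha, while the unpeeled line carries the tag object's sha, and a pin must use the former.

```shell
#!/bin/sh
# Added example (not certctl's or libest's code): verify that a git tag still
# resolves to the pinned commit before building from it. Input is the text of
# `git ls-remote --tags <url>`. Annotated tags appear twice: refs/tags/T is the
# tag object, refs/tags/T^{} is the peeled commit; lightweight tags appear once.
# SAMPLE_LS_REMOTE is constructed sample data with placeholder shas, not a real
# listing of cisco/libest (real output separates columns with a tab).
SAMPLE_LS_REMOTE='1111111111111111111111111111111111111111 refs/tags/1.1.0
2222222222222222222222222222222222222222 refs/tags/r3.2.0
3333333333333333333333333333333333333333 refs/tags/r3.2.0^{}
4444444444444444444444444444444444444444 refs/tags/v1.0.0'

# resolve_tag_commit LS_REMOTE_OUTPUT TAG
# Prints the commit sha the tag points at; returns 1 if the tag is absent.
resolve_tag_commit() {
    _out=$1
    _tag=$2
    # Prefer the peeled ref (annotated tag); fall back to the plain ref
    # (lightweight tag, where the ref already names the commit).
    _sha=$(printf '%s\n' "$_out" | awk -v t="refs/tags/${_tag}^{}" '$2 == t { print $1 }')
    if [ -z "$_sha" ]; then
        _sha=$(printf '%s\n' "$_out" | awk -v t="refs/tags/${_tag}" '$2 == t { print $1 }')
    fi
    if [ -z "$_sha" ]; then
        echo "tag ${_tag} does not exist upstream" >&2
        return 1
    fi
    printf '%s\n' "$_sha"
}

# check_tag_pin LS_REMOTE_OUTPUT TAG EXPECTED_COMMIT_SHA
# Returns 0 only if TAG exists and resolves to EXPECTED_COMMIT_SHA.
check_tag_pin() {
    _got=$(resolve_tag_commit "$1" "$2") || return 1
    if [ "$_got" != "$3" ]; then
        echo "tag $2 resolves to ${_got}, expected $3" >&2
        return 1
    fi
    return 0
}

# Usage against a real remote (hypothetical sha, replace with the verified one):
#   check_tag_pin "$(git ls-remote --tags https://github.com/cisco/libest.git)" \
#       r3.2.0 <expected-commit-sha> || exit 1
```

In a Dockerfile the same check can run after `git clone`/`git checkout` as `[ "$(git rev-parse HEAD^{commit})" = "<sha>" ]`, which catches a re-pointed tag without needing the API at all.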
@@ -4,10 +4,18 @@
# canonical RFC 7030 client for the certctl integration test suite.
#
# Source: https://github.com/cisco/libest (the upstream reference
# implementation; last tag 3.2.0-2 from 2018, but the protocol surface
# we exercise is stable RFC 7030). We build from source rather than
# pulling a published image because no official Cisco image exists on
# Docker Hub + reproducible offline-friendly builds need a pinned ref.
# implementation; latest tag is r3.2.0 — verified via
# https://api.github.com/repos/cisco/libest/tags 2026-04-30. The
# protocol surface we exercise is stable RFC 7030). We build from
# source rather than pulling a published image because no official
# Cisco image exists on Docker Hub + reproducible offline-friendly
# builds need a pinned ref.
#
# Note: an earlier draft of this Dockerfile (commit 15da1f4) pinned
# LIBEST_REF=v3.2.0-2 — that ref does not exist upstream (cisco/libest
# tags do NOT use the `v` prefix and there is no `-2` patch suffix).
# The build silently broke until ci-pipeline-cleanup Phase 8's Docker
# build smoke surfaced it.
#
# The builder stage compiles libest + its OpenSSL dependency; the
# runtime stage carries only the compiled `estclient` binary +
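Review bot: the line '# Note: an earlier draft of this Dockerfile (commit 15da1f4) pinned' disagrees with the commit message, which dates the broken LIBEST_REF=v3.2.0-2 pin to commit e9011ca (Phase 10.1); name the commit that actually introduced it so the next reader does not chase the wrong one. The header also records only the tag name and the 2026-04-30 API check; add the resolved commit sha (the commit message cites 4ca02c6d7540f2b1bcea278a4fbe373daac7103b) next to '# implementation; latest tag is r3.2.0', since a tag name can be moved or deleted upstream and this comment is the only place the expected object would be written down.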
@@ -20,7 +28,7 @@
# CI uses `docker compose --profile est-e2e build libest-client` to
# orchestrate the build alongside the rest of the test stack.
ARG LIBEST_REF=v3.2.0-2
ARG LIBEST_REF=r3.2.0
# Bundle A / Audit H-001 (CWE-829): both FROM lines below pin
# debian:bookworm-slim to the immutable OCI image-index digest pulled
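Review bot: 'ARG LIBEST_REF=r3.2.0' still pins a mutable ref. The comment directly below this hunk pins both FROM lines to an immutable digest under Audit H-001 (CWE-829), yet the libest source is fetched by a tag name that upstream can re-point or delete, so the fix replaces a non-existent ref with a non-immutable one. Pin the commit instead ('ARG LIBEST_REF=4ca02c6d7540f2b1bcea278a4fbe373daac7103b', per the commit message), or keep the tag for readability and fail the builder stage if the checked-out HEAD differs from that sha. One caveat on the sha itself: api.github.com/.../git/refs/tags/r3.2.0 returns the tag object's sha when the tag is annotated, not the commit's; confirm which one the cited value is (the '^{}' entry from 'git ls-remote --tags' gives the commit) before writing it into the pin.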
@@ -33,7 +41,7 @@ FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13
ARG LIBEST_REF
# Build deps. We use the system openssl (1.1.1n in bookworm-slim) which
# is the same major version libest 3.2.0-2 was tested against. libest
# is the same major version libest r3.2.0 was tested against. libest
# also wants libcurl + libsafec; we install both via apt rather than
# building from source for reproducibility.
RUN apt-get update && apt-get install --no-install-recommends -y \
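Review bot: the comment '# Build deps. We use the system openssl (1.1.1n in bookworm-slim) which' is wrong for the base image pinned in the FROM line of this hunk: Debian bookworm ships OpenSSL 3.0.x, and 1.1.1n is the bullseye package. That also undercuts the rewritten line '# is the same major version libest r3.2.0 was tested against': the old header dated this libest release to 2018, before OpenSSL 3.0 existed. Either the build has been verified against OpenSSL 3.0 (then correct the version in the comment) or it has not (then this is the next failure the Phase 8 smoke step will hit once the tag resolves). The same comment also conflicts with the header block in the first hunk, which says the builder stage 'compiles libest + its OpenSSL dependency' while this line says OpenSSL comes from apt; make the two agree.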