gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 22:31:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ffcd5e809aa69c1b93bf94034dfb2b745e2b912e
certctl/deploy/test/libest/Dockerfile
T
shankar0123 31ce64653d fix(deploy/test/libest): pin LIBEST_REF to upstream tag r3.2.0 
The Dockerfile at HEAD pinned LIBEST_REF=v3.2.0-2 — that ref does
NOT exist on cisco/libest upstream. Verified via:

    curl -sS https://api.github.com/repos/cisco/libest/tags
    # only tags returned: v1.0.0, r3.2.0, 1.1.0

The 'v' prefix and the '-2' patch suffix were both wrong from day
one (commit e9011ca, EST RFC 7030 hardening Phase 10.1). The bug
went undetected because the libest sidecar Dockerfile was never
built end-to-end — neither operator-side nor in CI. The Dockerfile's
own header comment ('last tag 3.2.0-2 from 2018') was inaccurate
in the same way.

This fix:
  - ARG LIBEST_REF=v3.2.0-2 → r3.2.0 (the actual upstream tag, sha
    4ca02c6d7540f2b1bcea278a4fbe373daac7103b verified via
    api.github.com/repos/cisco/libest/git/refs/tags/r3.2.0)
  - Updated the surrounding head-comment block to reflect the real
    upstream tag name + cite the 2026-04-30 GitHub API verification.
  - Added a note explaining the prior broken pin so future readers
    don't re-introduce it.

The estclient binary built from r3.2.0 supports the only RFC 7030
endpoint the est_e2e_test.go exercises ('estclient -g' = GET
cacerts), so the integration test still works against this ref.

Closes the libest-build-failure surfaced by ci-pipeline-cleanup
Phase 8's Docker build smoke step (CI run 25192163943, job
'image-and-supply-chain').
2026-04-30 22:38:27 +00:00

94 lines
3.7 KiB
Docker
Raw Blame History

# EST RFC 7030 hardening master bundle Phase 10.1 — libest sidecar.
#
# Multi-stage build of Cisco's libest reference client, used as the
# canonical RFC 7030 client for the certctl integration test suite.
#
# Source: https://github.com/cisco/libest (the upstream reference
# implementation; latest tag is r3.2.0 — verified via
# https://api.github.com/repos/cisco/libest/tags 2026-04-30. The
# protocol surface we exercise is stable RFC 7030). We build from
# source rather than pulling a published image because no official
# Cisco image exists on Docker Hub + reproducible offline-friendly
# builds need a pinned ref.
#
# Note: an earlier draft of this Dockerfile (commit 15da1f4) pinned
# LIBEST_REF=v3.2.0-2 — that ref does not exist upstream (cisco/libest
# tags do NOT use the `v` prefix and there is no `-2` patch suffix).
# The build silently broke until ci-pipeline-cleanup Phase 8's Docker
# build smoke surfaced it.
#
# The builder stage compiles libest + its OpenSSL dependency; the
# runtime stage carries only the compiled `estclient` binary +
# `openssl` + `bash` so the integration test (which docker-execs into
# the container) has a small, predictable surface.
#
# Build (from repo root):
# docker build -f deploy/test/libest/Dockerfile -t certctl/libest:test .
#
# CI uses `docker compose --profile est-e2e build libest-client` to
# orchestrate the build alongside the rest of the test stack.
ARG LIBEST_REF=r3.2.0
# Bundle A / Audit H-001 (CWE-829): both FROM lines below pin
# debian:bookworm-slim to the immutable OCI image-index digest pulled
# 2026-04-29 (last_pushed 2026-04-22). To bump:
# curl -sSL https://hub.docker.com/v2/repositories/library/debian/tags/bookworm-slim \
# | jq -r .digest
# Replace the @sha256:... portion on BOTH FROM lines.
FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 AS builder
ARG LIBEST_REF
# Build deps. We use the system openssl (1.1.1n in bookworm-slim) which
# is the same major version libest r3.2.0 was tested against. libest
# also wants libcurl + libsafec; we install both via apt rather than
# building from source for reproducibility.
RUN apt-get update && apt-get install --no-install-recommends -y \
autoconf \
automake \
build-essential \
ca-certificates \
git \
libcurl4-openssl-dev \
libssl-dev \
libtool \
pkg-config \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /src
RUN git clone --depth 1 --branch ${LIBEST_REF} https://github.com/cisco/libest.git . \
&& ./configure --prefix=/opt/libest --disable-shared --enable-static \
&& make -j"$(nproc)" \
&& make install
# Runtime stage. Carries only what we need to docker-exec estclient
# from the integration test: the compiled binary, the openssl CLI for
# CSR generation + cert parsing, and bash for the test's exec scripts.
# Pinned to the same digest as the builder above (Bundle A / H-001).
FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
RUN apt-get update && apt-get install --no-install-recommends -y \
bash \
ca-certificates \
curl \
libcurl4 \
libssl3 \
openssl \
&& rm -rf /var/lib/apt/lists/* \
&& useradd --create-home --uid 1000 estuser
COPY --from=builder /opt/libest/bin/estclient /usr/local/bin/estclient
# /config/est is the working dir the integration test mounts; /config/certs
# carries certctl's CA bundle (./test/certs/ca.crt) for TLS pinning.
RUN mkdir -p /config/est /config/certs && chown -R estuser:estuser /config
USER estuser
WORKDIR /config/est
# Container stays alive so the integration test can docker-exec into
# it; matches the spec's `command: sleep infinity` directive.
CMD ["sleep", "infinity"]
Reference in New Issue View Git Blame Copy Permalink