feat: add the ability to define a custom ca certificate for docker images (#1695)

harryvince · web-flow · commit 07edf770262f · 2025-12-02T09:23:16.000+01:00
diff --git a/src/argv.ts b/src/argv.ts
@@ -153,6 +153,10 @@ export class Argv {
         return typeof val == "string" ? val.split(" ") : val;
     }
 
+    get caFile (): string | null {
+        return this.map.get("caFile") ?? null;
+    }
+
     get ignoreSchemaPaths (): string[] {
         return this.map.get("ignoreSchemaPaths") ?? Argv.default.ignoreSchemaPaths;
     }
diff --git a/src/index.ts b/src/index.ts
@@ -247,6 +247,11 @@ process.on("SIGUSR2", async () => await cleanupJobResources(jobs));
             description: "Add extra docker host entries",
             requiresArg: false,
         })
+        .option("ca-file", {
+            type: "string",
+            description: "Path to custom CA certificate file to mount in containers",
+            requiresArg: false,
+        })
         .option("pull-policy", {
             type: "string",
             description: "Set image pull-policy (always or if-not-present)",
diff --git a/src/job.ts b/src/job.ts
@@ -19,6 +19,7 @@ import {resolveIncludeLocal, validateIncludeLocal} from "./parser-includes.js";
 import globby from "globby";
 import terminalLink from "terminal-link";
 import * as crypto from "crypto";
+import * as path from "path";
 
 const GCL_SHELL_PROMPT_PLACEHOLDER = "<gclShellPromptPlaceholder>";
 interface JobOptions {
@@ -694,10 +695,23 @@ If you know what you're doing and would like to suppress this warning, use one o
             if (helperImageName) {
                 await this.pullImage(writeStreams, helperImageName);
             }
-            const {stdout: containerId} = await Utils.spawn([
-                this.argv.containerExecutable, "create", "--user=0:0", `--volume=${buildVolumeName}:${this.ciProjectDir}`, `--volume=${tmpVolumeName}:${this.fileVariablesDir}`, `${helperImageName}`,
-                ...["sh", "-c", `chown ${chownOpt} -R ${this.ciProjectDir} && chmod ${chmodOpt} -R ${this.ciProjectDir} && chown ${chownOpt} -R /tmp/ && chmod ${chmodOpt} -R /tmp/`],
-            ], argv.cwd);
+
+            const helperContainerArgs = [
+                this.argv.containerExecutable, "create", "--user=0:0",
+                `--volume=${buildVolumeName}:${this.ciProjectDir}`,
+                `--volume=${tmpVolumeName}:${this.fileVariablesDir}`,
+            ];
+
+            if (this.argv.caFile) {
+                const caFilePath = path.isAbsolute(this.argv.caFile) ? this.argv.caFile : path.resolve(this.argv.cwd, this.argv.caFile);
+                if (await fs.pathExists(caFilePath)) {
+                    helperContainerArgs.push(`--volume=${caFilePath}:/etc/ssl/certs/ca-certificates.crt:ro`);
+                }
+            }
+
+            helperContainerArgs.push(`${helperImageName}`, "sh", "-c", `chown ${chownOpt} -R ${this.ciProjectDir} && chmod ${chmodOpt} -R ${this.ciProjectDir} && chown ${chownOpt} -R /tmp/ && chmod ${chmodOpt} -R /tmp/`);
+
+            const {stdout: containerId} = await Utils.spawn(helperContainerArgs, argv.cwd);
             this._containersToClean.push(containerId);
             if (await fs.pathExists(fileVariablesDir)) {
                 await Utils.spawn([this.argv.containerExecutable, "cp", `${fileVariablesDir}/.`, `${containerId}:${fileVariablesDir}`], argv.cwd);
@@ -973,6 +987,17 @@ If you know what you're doing and would like to suppress this warning, use one o
                 dockerCmd += `--add-host=${extraHost} `;
             }
 
+            if (this.argv.caFile) {
+                const caFilePath = path.isAbsolute(this.argv.caFile) ? this.argv.caFile : path.resolve(this.argv.cwd, this.argv.caFile);
+                if (await fs.pathExists(caFilePath)) {
+                    dockerCmd += `--volume ${caFilePath}:/etc/ssl/certs/ca-certificates.crt:ro `;
+                    expanded["SSL_CERT_FILE"] = "/etc/ssl/certs/ca-certificates.crt";
+                    expanded["SSL_CERT_DIR"] = "/etc/ssl/certs";
+                } else {
+                    writeStreams.stderr(chalk`{yellow WARNING: CA file not found: ${caFilePath}}\n`);
+                }
+            }
+
             for (const [key, val] of Object.entries(expanded)) {
                 // Replacing `'` with `'\''` to correctly handle single quotes(if `val` contains `'`) in shell commands
                 dockerCmd += `  -e '${key}=${val.toString().replace(/'/g, "'\\''")}' \\\n`;
@@ -1498,6 +1523,15 @@ If you know what you're doing and would like to suppress this warning, use one o
             dockerCmd += `--add-host=${extraHost} `;
         }
 
+        if (this.argv.caFile) {
+            const caFilePath = path.isAbsolute(this.argv.caFile) ? this.argv.caFile : path.resolve(this.argv.cwd, this.argv.caFile);
+            if (await fs.pathExists(caFilePath)) {
+                dockerCmd += `--volume ${caFilePath}:/etc/ssl/certs/ca-certificates.crt:ro `;
+                expanded["SSL_CERT_FILE"] = "/etc/ssl/certs/ca-certificates.crt";
+                expanded["SSL_CERT_DIR"] = "/etc/ssl/certs";
+            }
+        }
+
         const serviceAlias = service.alias;
         const serviceName = service.name;
         const serviceNameWithoutVersion = serviceName.replace(/(.*)(:.*)/, "$1");
diff --git a/tests/test-cases/custom-ca-cert/.gitlab-ci.yml b/tests/test-cases/custom-ca-cert/.gitlab-ci.yml
@@ -0,0 +1,9 @@
+---
+test-ca-cert:
+  image: alpine:latest
+  script:
+    - echo "Testing CA certificate mounting"
+    - test -f /etc/ssl/certs/ca-certificates.crt && echo "CA cert file exists" || echo "CA cert file NOT found"
+    - echo "SSL_CERT_FILE=$SSL_CERT_FILE"
+    - echo "SSL_CERT_DIR=$SSL_CERT_DIR"
+    - cat /etc/ssl/certs/ca-certificates.crt | head -3
diff --git a/tests/test-cases/custom-ca-cert/ca-cert.crt b/tests/test-cases/custom-ca-cert/ca-cert.crt
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIJAKJ3L7jLvE1JMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTcwMjIyMjIxNjA2WhcNMjcwMjIwMjIxNjA2WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAwU3oGrJYYV6Y3A4TmLLqCYxPyGlqLuO/U7VB3P8TqLKfwYEGv9e5cj6P
+-----END CERTIFICATE-----
diff --git a/tests/test-cases/custom-ca-cert/integration.test.ts b/tests/test-cases/custom-ca-cert/integration.test.ts
@@ -0,0 +1,26 @@
+import {WriteStreamsMock} from "../../../src/write-streams.js";
+import {handler} from "../../../src/handler.js";
+import chalk from "chalk";
+import {initSpawnSpy} from "../../mocks/utils.mock.js";
+import {WhenStatics} from "../../mocks/when-statics.js";
+
+beforeAll(() => {
+    initSpawnSpy(WhenStatics.all);
+});
+
+test("custom-ca-cert <test-ca-cert>", async () => {
+    const writeStreams = new WriteStreamsMock();
+    await handler({
+        cwd: "tests/test-cases/custom-ca-cert",
+        job: ["test-ca-cert"],
+        caFile: "ca-cert.crt",
+    }, writeStreams);
+
+    const expected = [
+        chalk`{blueBright test-ca-cert} {greenBright >} CA cert file exists`,
+        chalk`{blueBright test-ca-cert} {greenBright >} SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt`,
+        chalk`{blueBright test-ca-cert} {greenBright >} SSL_CERT_DIR=/etc/ssl/certs`,
+        chalk`{blueBright test-ca-cert} {greenBright >} -----BEGIN CERTIFICATE-----`,
+    ];
+    expect(writeStreams.stdoutLines).toEqual(expect.arrayContaining(expected));
+});

Original file line number	Diff line number	Diff line change
`@@ -153,6 +153,10 @@ export class Argv {`
`153`	`153`	`return typeof val == "string" ? val.split(" ") : val;`
`154`	`154`	`}`
`155`	`155`
	`156`	`+ get caFile (): string \| null {`
	`157`	`+ return this.map.get("caFile") ?? null;`
	`158`	`+ }`
	`159`	`+`
`156`	`160`	`get ignoreSchemaPaths (): string[] {`
`157`	`161`	`return this.map.get("ignoreSchemaPaths") ?? Argv.default.ignoreSchemaPaths;`
`158`	`162`	`}`