Let Docker plugin use custom CA certificates while running commands during docker build

arotatns · January 31, 2023, 10:27am

Hello, I am an enterprise customer and I am improving my pipeline to build Docker containers containing Python web applications.

The Dockerfile starts from vanilla Python image, it adds code and it runs a pip install -r requirements.txt command to download python packages.

Now I want to configure Drone so that docker daemon builds the image downloading packages from our internal repository, which acts also as proxy for PyPi repository.

According to pip and experience, it is enough to set two environment variables as build-args:

PIP_INDEX_URL=https://my-local-repository/repository/pypi-group/simple
PIP_CERT=/etc/ssl/certs/ca-certificates.crt

The ca-certificates.crt files contains all the public and private CA’s and it is mounted by runners being in the Drone environment file:

DRONE_RUNNER_VOLUMES: "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"

Indeed, if I check the content of such file from a step running just a plain alpine image, I see the correct contents.

Anyway, when running the docker build in the docker plugin, I do see build-args, but the file is not available.

I also tried to mount the file and run priviledge as specified in the documentation, but PIP does not see the right file.

kind: pipeline
name: drone-docker-pip-example
type: docker

steps:

- name: check-env
  image: debian:buster-slim
  commands:
    - env
    - cat /etc/ssl/certs/ca-certificates.crt

- name: build-push
  image: plugins/docker
  privileged: true
  environment:
    HTTP_PROXY: "http://xx.xx.xx.xx:8080"
    HTTPS_PROXY: "http://xx.xx.xx.xx:8080"
    NO_PROXY: "localhost,127.0.0.1, ...OMISSIS..."
  settings:
    purge: false
    registry: my-docker-registry.localdomain.net
    repo: my-docker-registry.localdomain.net/xyz/drone-docker-pip-example
    username:
      from_secret: DOCKER_USERNAME
    password:
      from_secret: DOCKER_PASSWORD
    tags:
      - ${DRONE_TAG}
    dockerfile: Dockerfile
    build_args:
      - HTTP_PROXY=http://xx.xx.xx.xx:8080"
      - HTTPS_PROXY=http://xx.xx.xx.xx:8080
      - NO_PROXY=localhost,127.0.0.1, ...OMISSIS...
      - PIP_INDEX_URL=https://my-pip-registry.localdomain.net/repository/pypi-group/simple
      - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
    volumes:
      - name: ca-certificates
        path: /etc/ssl/certs/ca-certificates.crt

Any clue?