From c6a8a075490b1a0303d39c8ee474c07ec61db06d Mon Sep 17 00:00:00 2001
From: Greg Porterfield
Date: Thu, 8 Jan 2026 11:19:29 -0700
Subject: [PATCH] feat(tls): Add AWS RDS CA certificates to ruby images
---
 3.2/base/Dockerfile | 10 +++++++++-
 3.2/node/Dockerfile | 12 ++++++++++--
 3.3/base/Dockerfile | 10 +++++++++-
 3.3/node/Dockerfile | 12 ++++++++++--
 3.4/base/Dockerfile | 10 +++++++++-
 3.4/node/Dockerfile | 12 ++++++++++--
 6 files changed, 57 insertions(+), 9 deletions(-)
diff --git a/3.2/base/Dockerfile b/3.2/base/Dockerfile
index 26bc0bc..f2d0d16 100644
--- a/3.2/base/Dockerfile
+++ b/3.2/base/Dockerfile
@@ -8,11 +8,19 @@ ARG TARGETARCH
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/install_packages /usr/local/bin/install_packages
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/awscli.sh /tmp/awscli.sh
+# Add AWS RDS CA trusted root certificates
+ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem
 RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
 # Create our own user and remove the node user
 && groupadd --gid $SERVICE_UID $SERVICE_USER \
- && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER
+ && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER \
+ # Split PEM bundle into individual cert files for update-ca-certificates
+ && csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \ /usr/local/share/ca-certificates/aws-rds-global-bundle.pem \
+ '/-----BEGIN CERTIFICATE-----/' '{*}' \
+ && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
+ && update-ca-certificates
 ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/download/docker-bootstrap_linux_${TARGETARCH} /entrypoint
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/docker-secrets /usr/local/bin/secrets
diff --git a/3.2/node/Dockerfile b/3.2/node/Dockerfile
index c04c988..948f3b8 100644
--- a/3.2/node/Dockerfile
+++ b/3.2/node/Dockerfile
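Review bot: The new `ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem …` line fetches a set of trust anchors at build time with no integrity check, and the csplit/update-ca-certificates steps that follow install every certificate in it into the system-wide store, so whatever the build host receives from that URL is trusted by every TLS client in the image, not only the database drivers this change is for. BuildKit's `ADD --checksum=sha256:<BUNDLE_SHA256_PLACEHOLDER> …` (Dockerfile syntax 1.6+, which a `# syntax=docker/dockerfile:1` directive like the one visible in the node Dockerfiles resolves to, assuming the base files carry it too) would make the build fail closed on an unexpected bundle; AWS does extend this bundle when new regional CAs are issued, so the digest would have to be bumped deliberately, which is a trade-off worth recording rather than leaving implicit. I would also widen the comment above the ADD to state the blast radius, e.g. `# Add AWS RDS CA roots. NOTE: these become system-wide trust anchors (/etc/ssl/certs), not RDS-only; rebuild when AWS updates the bundle.` The same ADD/csplit/update-ca-certificates sequence is repeated in the 3.2/node, 3.3/base, 3.3/node, 3.4/base and 3.4/node hunks, and this note applies to all of them.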
@@ -2,12 +2,14 @@
 # syntax=docker/dockerfile:1
 FROM ruby:3.2-slim-bookworm
-ENV SERVICE_ROOT=/service SERVICE_USER=service SERVICE_UID=1001
+ENV SERVICE_ROOT=/service SERVICE_USER=service SERVICE_UID=1001 NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/aws-rds-global-bundle.pem
 ARG TARGETARCH
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/install_packages /usr/local/bin/install_packages
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/awscli.sh /tmp/awscli.sh
+# Add AWS RDS CA trusted root certificates
+ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
@@ -19,7 +21,13 @@ RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
 && apt-get remove -y curl gnupg \
 # Create our own user and remove the node user
 && groupadd --gid $SERVICE_UID $SERVICE_USER \
- && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER
+ && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER \
+ # Split PEM bundle into individual cert files for update-ca-certificates
+ && csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \
+ /usr/local/share/ca-certificates/aws-rds-global-bundle.pem \
+ '/-----BEGIN CERTIFICATE-----/' '{*}' \
+ && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
+ && update-ca-certificates
 ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/download/docker-bootstrap_linux_${TARGETARCH} /entrypoint
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/docker-secrets /usr/local/bin/secrets
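Review bot: The `NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/aws-rds-global-bundle.pem` appended to the ENV line in the first hunk carries no comment explaining why it is needed on top of `update-ca-certificates`, and the reason is not obvious: Node ships its own root store and does not read /etc/ssl/certs unless started with `--use-openssl-ca`, so the split `.crt` files installed in the second hunk are invisible to it and the un-split `.pem` that csplit leaves in place is what Node actually loads. That makes the `.pem` a runtime dependency that a later "clean up the source bundle after splitting" change would silently break, since Node only warns, and does not fail, when the file named by NODE_EXTRA_CA_CERTS cannot be read. I would annotate the ENV line with `# NODE_EXTRA_CA_CERTS: Node uses its bundled root store, not /etc/ssl/certs, so point it at the RDS bundle; the .pem must survive the csplit below` and put a matching one-liner before the csplit step. The RUN instruction extended by the second hunk begins outside the hunk, and the 3.3/node and 3.4/node hunks have the same shape and the same gap.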
diff --git a/3.3/base/Dockerfile b/3.3/base/Dockerfile
index 6da8a92..276cfd0 100644
--- a/3.3/base/Dockerfile
+++ b/3.3/base/Dockerfile
@@ -8,11 +8,19 @@ ARG TARGETARCH
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/install_packages /usr/local/bin/install_packages
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/awscli.sh /tmp/awscli.sh
+# Add AWS RDS CA trusted root certificates
+ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem
 RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
 # Create our own user and remove the node user
 && groupadd --gid $SERVICE_UID $SERVICE_USER \
- && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER
+ && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER \
+ # Split PEM bundle into individual cert files for update-ca-certificates
+ && csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \
+ /usr/local/share/ca-certificates/aws-rds-global-bundle.pem \
+ '/-----BEGIN CERTIFICATE-----/' '{*}' \
+ && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
+ && update-ca-certificates
 ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/download/docker-bootstrap_linux_${TARGETARCH} /entrypoint
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/docker-secrets /usr/local/bin/secrets
diff --git a/3.3/node/Dockerfile b/3.3/node/Dockerfile
index b5572e1..78e5851 100644
--- a/3.3/node/Dockerfile
+++ b/3.3/node/Dockerfile
@@ -2,12 +2,14 @@
 # syntax=docker/dockerfile:1
 FROM ruby:3.3-slim-bookworm
-ENV SERVICE_ROOT=/service SERVICE_USER=service SERVICE_UID=1001
+ENV SERVICE_ROOT=/service SERVICE_USER=service SERVICE_UID=1001 NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/aws-rds-global-bundle.pem
 ARG TARGETARCH
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/install_packages /usr/local/bin/install_packages
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/awscli.sh /tmp/awscli.sh
+# Add AWS RDS CA trusted root certificates
+ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
@@ -19,7 +21,13 @@ RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
 && apt-get remove -y curl gnupg \
 # Create our own user and remove the node user
 && groupadd --gid $SERVICE_UID $SERVICE_USER \
- && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER
+ && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER \
+ # Split PEM bundle into individual cert files for update-ca-certificates
+ && csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \
+ /usr/local/share/ca-certificates/aws-rds-global-bundle.pem \
+ '/-----BEGIN CERTIFICATE-----/' '{*}' \
+ && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
+ && update-ca-certificates
 ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/download/docker-bootstrap_linux_${TARGETARCH} /entrypoint
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/docker-secrets /usr/local/bin/secrets
diff --git a/3.4/base/Dockerfile b/3.4/base/Dockerfile
index f0c9971..bc0530e 100644
--- a/3.4/base/Dockerfile
+++ b/3.4/base/Dockerfile
@@ -8,11 +8,19 @@ ARG TARGETARCH
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/install_packages /usr/local/bin/install_packages
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/awscli.sh /tmp/awscli.sh
+# Add AWS RDS CA trusted root certificates
+ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem
 RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
 # Create our own user and remove the node user
 && groupadd --gid $SERVICE_UID $SERVICE_USER \
- && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER
+ && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER \
+ # Split PEM bundle into individual cert files for update-ca-certificates
+ && csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \
+ /usr/local/share/ca-certificates/aws-rds-global-bundle.pem \
+ '/-----BEGIN CERTIFICATE-----/' '{*}' \
+ && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
+ && update-ca-certificates
 ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/download/docker-bootstrap_linux_${TARGETARCH} /entrypoint
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/docker-secrets /usr/local/bin/secrets
diff --git a/3.4/node/Dockerfile b/3.4/node/Dockerfile
index 5ee4998..f32c7f5 100644
--- a/3.4/node/Dockerfile
+++ b/3.4/node/Dockerfile
@@ -2,12 +2,14 @@
 # syntax=docker/dockerfile:1
 FROM ruby:3.4-slim-bookworm
-ENV SERVICE_ROOT=/service SERVICE_USER=service SERVICE_UID=1001
+ENV SERVICE_ROOT=/service SERVICE_USER=service SERVICE_UID=1001 NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/aws-rds-global-bundle.pem
 ARG TARGETARCH
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/install_packages /usr/local/bin/install_packages
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/awscli.sh /tmp/awscli.sh
+# Add AWS RDS CA trusted root certificates
+ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
@@ -19,7 +21,13 @@ RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
 && apt-get remove -y curl gnupg \
 # Create our own user and remove the node user
 && groupadd --gid $SERVICE_UID $SERVICE_USER \
- && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER
+ && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER \
+ # Split PEM bundle into individual cert files for update-ca-certificates
+ && csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \
+ /usr/local/share/ca-certificates/aws-rds-global-bundle.pem \
+ '/-----BEGIN CERTIFICATE-----/' '{*}' \
+ && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
+ && update-ca-certificates
 ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/download/docker-bootstrap_linux_${TARGETARCH} /entrypoint
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/docker-secrets /usr/local/bin/secrets