Details
-
Type:
Story
-
Status: Done
-
Resolution: Done
-
Fix Version/s: None
-
Component/s: jenkins
-
Labels:None
-
Team:Architecture
-
Urgent?:No
Description
The Jenkins worker containers use a pinned version of alpine, 3.9, as their base. The latest version of the certificate authority list usable with this version is from 2019. As a result, it is outdated and missing a CA required to work with many Let's Encrypt certificates.
Unpin the alpine version to allow newer CA lists (and other security fixes) to be installed as part of the existing automated container build process.
Attachments
Activity
Thanks, Jonathan Sick. I believe jenkins-dm-jobs uses the latest tag, rather than a specific version, for ltd-mason. Can you push that tag as well as 0.3.1?
I will disable the Jenkins build of ltd-mason.
I've updated the ltd-mason's release workflow in GitHub Actions and it pushes the latest tag now, in addition to a versioned tag. Let me know if there are any troubles with that.
Updates to sqre-codekit, awscli, and the swarm client (although the latter may not be necessary) were made to use more recent containers that have the required certificate authorities. Release builds are succeeding again.
I've updated LTD-Mason. It now builds and pushes a Docker image via GitHub Actions on tagged releases.
The new Docker image is based on a modern Python 3.9 base image which should have an up-to-date CA database.
The new docker image release is lsstsqre/ltd-mason:0.3.1. You can use that image directly; there's no need to run the Jenkins-based build of that docker image as its replaced entirely by the GitHub Actions-based release.