From 8473ee43cb9a11d8a5b7afcf9cd337fad583ba29 Mon Sep 17 00:00:00 2001
From: David O'Sullivan
Date: Fri, 10 Jun 2022 21:22:41 +0100
Subject: [PATCH] bug fix for read-only containers

---
 README.md | 9 +++++++++
 cacerts/execd.go | 10 +++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index f6abf19..a51a069 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,15 @@ The buildpack configures trusted certs at both build and runtime by:
 To learn about the conventional meaning of `SSL_CERT_DIR` and `SSL_CERT_FILE` environment variables see the OpenSSL documentation for [SSL_CTX_load_verify_locations][s]. This buildpack may not work with tools that do not respect these environment variables.
+### Runtime Environment Support
+
+| Feature | Supported | Detail |
+| -------------------- | --------------- | ---------------------------------------------------------------------------- |
+| read-only runtime container | No | Symlinks and/or new files are written for certificates provided via binding at runtime. A read-only container will run if no cert bindings are present at runtime. |
+| run as custom user | Yes | The custom user must be a member of the `CNB` group
+
+
+
 ## Bindings
 
 The buildpack optionally accepts the following bindings:
diff --git a/cacerts/execd.go b/cacerts/execd.go
index 1a1cd38..db291f9 100644
--- a/cacerts/execd.go
+++ b/cacerts/execd.go
@@ -53,15 +53,15 @@ func NewExecD(bindings libcnb.Bindings) *ExecD {
 func (e *ExecD) Execute() (map[string]string, error) {
 	env := map[string]string{}
 	var splitPaths []string
+
+	paths := getsCertsFromBindings(e.Bindings)
+	if len(paths) == 0 {
+		return env, nil
+	}
 	certDir, err := ioutil.TempDir("", "ca-certificates")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create temp dir\n%w", err)
 	}
-
-	paths := getsCertsFromBindings(e.Bindings)
-	if len(paths) == 0 || err != nil {
-		return env, err
-	}
 	for _, p := range paths {
 		if extraPaths, err := SplitCerts(p, certDir); err != nil {
 			return nil, fmt.Errorf("failed to split certificates at path %s \n%w", p, err)
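Review bot: The new early return correctly keeps the filesystem write out of the no-bindings path, but the write that remains still goes through `ioutil.TempDir`, which has been deprecated since Go 1.16 in favour of `os.MkdirTemp`; if the module targets 1.16 or later (go.mod is not part of this patch), this hunk is the natural place to switch to `certDir, err := os.MkdirTemp("", "ca-certificates")`. Consider also moving `var splitPaths []string` below the new guard so the declaration sits next to its first use rather than before a return that never touches it. A one-line doc comment above Execute would make the contract the README now documents visible at the code: it returns an empty env without touching the filesystem when no cert bindings are present, and otherwise writes the split certificates into a freshly created temp dir; I cannot see whether such a comment already exists above line 53. Execute's body continues past the end of the hunk.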