include maccabi CA certificate in docker image and make sure the certificate is trusted by the container

Author: Asaf Cohen

.github/workflows/pdp_cicd.yml

@@ -16,6 +16,9 @@ jobs:
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
+    
+    - name: Write maccabi.crt file from secret
+      run: echo "${{ secrets.MACCABI_CA_FILE }}" > ./maccabi.crt
 
     - uses: actions/checkout@v3
       with:
@@ -89,6 +92,9 @@ jobs:
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
+    
+    - name: Write maccabi.crt file from secret
+      run: echo "${{ secrets.MACCABI_CA_FILE }}" > ./maccabi.crt
 
     - name: Pre build - for PDP-Vanilla
       run: echo "${{ github.event.release.tag_name }}" | cut -d '-' -f 1 > permit_pdp_version
@@ -133,6 +139,9 @@ jobs:
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
+    
+    - name: Write maccabi.crt file from secret
+      run: echo "${{ secrets.MACCABI_CA_FILE }}" > ./maccabi.crt
 
     - uses: actions/checkout@v3
       with:
@@ -171,3 +180,6 @@ jobs:
         tags: permitio/pdp-v2:${{ github.event.release.tag_name }},permitio/pdp-v2:latest
         cache-from: type=gha
         cache-to: type=gha,mode=max
+    
+    - name: Clean up maccabi.crt file
+      run: rm ./maccabi.crt

Dockerfile

@@ -38,7 +38,11 @@ RUN adduser -S -s /bin/bash -u 1000 -G permit -h /home/permit permit
 
 # install linux libraries necessary to compile some python packages
 RUN apk update && \
-    apk add --no-cache bash build-base libffi-dev libressl-dev musl-dev zlib-dev gcompat
+    apk add --no-cache bash build-base libffi-dev libressl-dev musl-dev zlib-dev gcompat ca-certificates
+
+# Copy maccabi.crt into the system certificate store and update the CA store
+COPY ./maccabi.crt /usr/local/share/ca-certificates/maccabi.crt
+RUN update-ca-certificates
 
 # Copy custom opa binary
 RUN mkdir /app/bin