Allow customers to specify custom CA image

In some cases a GHES instance might have custom CA certificates set up, this is the case for our dev environments for example. In order to support this, we need the proxy to be made aware of the cert, otherwise it will refuse any requests made to the GHES instance. This will look for a `CUSTOM_CA_PATH` environment variable (which should be defined in the `runsvc.sh` file when running actions as a service), and copy it into the proxy container and update its certificates.
github · Aug 30, 2021 · 04e1538 · 04e1538
1 parent b088d55
commit 04e1538
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/__tests__/proxy-integration.test.ts b/__tests__/proxy-integration.test.ts
@@ -53,6 +53,11 @@ describe('ProxyBuilder', () => {
     const containerInfo = await proxy.container.inspect()
     expect(containerInfo.Name).toBe('/job-1-proxy')
     expect(containerInfo.HostConfig.NetworkMode).toBe('job-1-network')
+    expect(containerInfo.Config.Cmd).toEqual([
+      'sh',
+      '-c',
+      '/usr/sbin/update-ca-certificates && /update-job-proxy'
+    ])
 
     const networkInfo = await proxy.network.inspect()
     expect(networkInfo.Name).toBe('job-1-network')

diff --git a/src/proxy.ts b/src/proxy.ts
@@ -1,3 +1,4 @@
+import fs from 'fs'
 import * as core from '@actions/core'
 import Docker, {Container, Network} from 'dockerode'
 import crypto from 'crypto'
@@ -15,6 +16,8 @@ const KEY_SIZE = 2048
 const KEY_EXPIRY_YEARS = 2
 const CONFIG_FILE_PATH = '/'
 const CONFIG_FILE_NAME = 'config.json'
+const CA_CERT_INPUT_PATH = '/usr/local/share/ca-certificates'
+const CUSTOM_CA_CERT_NAME = 'custom-ca-cert.crt'
 const CERT_SUBJECT = [
   {
     name: 'commonName',
@@ -74,6 +77,19 @@ export class ProxyBuilder {
       config
     )
 
+    if (process.env.CUSTOM_CA_PATH) {
+      // read the file defined at the CUSTOM_CA_PATH environment variable
+      const customCert = fs
+        .readFileSync(process.env.CUSTOM_CA_PATH, 'utf8')
+        .toString()
+      await ContainerService.storeCert(
+        CUSTOM_CA_CERT_NAME,
+        CA_CERT_INPUT_PATH,
+        container,
+        customCert
+      )
+    }
+
     const stream = await container.attach({
       stream: true,
       stdout: true,
@@ -161,6 +177,12 @@ export class ProxyBuilder {
       AttachStdout: true,
       AttachStderr: true,
       Env: [`JOB_ID=${jobID}`],
+      Cmd: [
+        'sh',
+        '-c',
+        '/usr/sbin/update-ca-certificates && /update-job-proxy'
+      ],
+
       HostConfig: {
         NetworkMode: networkName
       }