diff --git a/__tests__/proxy-integration.test.ts b/__tests__/proxy-integration.test.ts
index 3c673ae..5d03748 100644
--- a/__tests__/proxy-integration.test.ts
+++ b/__tests__/proxy-integration.test.ts
@@ -53,6 +53,11 @@ describe('ProxyBuilder', () => {
 const containerInfo = await proxy.container.inspect()
 expect(containerInfo.Name).toBe('/job-1-proxy')
 expect(containerInfo.HostConfig.NetworkMode).toBe('job-1-network')
+ expect(containerInfo.Config.Cmd).toEqual([
+ 'sh',
+ '-c',
+ '/usr/sbin/update-ca-certificates && /update-job-proxy'
+ ])

 const networkInfo = await proxy.network.inspect()
 expect(networkInfo.Name).toBe('job-1-network')
diff --git a/src/proxy.ts b/src/proxy.ts
index fe0a6bf..ea15ff9 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -1,3 +1,4 @@
+import fs from 'fs'
 import * as core from '@actions/core'
 import Docker, {Container, Network} from 'dockerode'
 import crypto from 'crypto'
@@ -15,6 +16,8 @@ const KEY_SIZE = 2048
 const KEY_EXPIRY_YEARS = 2
 const CONFIG_FILE_PATH = '/'
 const CONFIG_FILE_NAME = 'config.json'
+const CA_CERT_INPUT_PATH = '/usr/local/share/ca-certificates'
+const CUSTOM_CA_CERT_NAME = 'custom-ca-cert.crt'
 const CERT_SUBJECT = [
 {
 name: 'commonName',
@@ -74,6 +77,19 @@ export class ProxyBuilder {
 config
 )

+ if (process.env.CUSTOM_CA_PATH) {
+ // read the file defined at the CUSTOM_CA_PATH environment variable
+ const customCert = fs
+ .readFileSync(process.env.CUSTOM_CA_PATH, 'utf8')
+ .toString()
+ await ContainerService.storeCert(
+ CUSTOM_CA_CERT_NAME,
+ CA_CERT_INPUT_PATH,
+ container,
+ customCert
+ )
+ }
+
 const stream = await container.attach({
 stream: true,
 stdout: true,
@@ -161,6 +177,12 @@ export class ProxyBuilder {
 AttachStdout: true,
 AttachStderr: true,
 Env: [`JOB_ID=${jobID}`],
+ Cmd: [
+ 'sh',
+ '-c',
+ '/usr/sbin/update-ca-certificates && /update-job-proxy'
+ ],
+
 HostConfig: {
 NetworkMode: networkName
 }
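Review bot: The `CUSTOM_CA_PATH` branch in `src/proxy.ts` copies whatever the file holds into the proxy's CA directory with no check that it is a PEM certificate, and an unreadable path surfaces as a bare `readFileSync` error that does not name the custom CA as the cause. Because this widens what the proxy will trust for TLS, it is worth failing with a clear message, checking for a `-----BEGIN CERTIFICATE-----` block, and logging the install through `core.info` so the run log records it. The `.toString()` after a `'utf8'` read is redundant, and since the surrounding code already awaits, `fs.promises.readFile` would avoid the blocking call. The enclosing method starts and ends outside the hunk.

```typescript
if (process.env.CUSTOM_CA_PATH) {
  const customCaPath = process.env.CUSTOM_CA_PATH
  let customCert: string
  try {
    customCert = await fs.promises.readFile(customCaPath, 'utf8')
  } catch (err: unknown) {
    const reason = err instanceof Error ? err.message : String(err)
    throw new Error(`Unable to read CUSTOM_CA_PATH (${customCaPath}): ${reason}`)
  }
  // Only PEM content should reach the trust store that update-ca-certificates builds
  if (!customCert.includes('-----BEGIN CERTIFICATE-----')) {
    throw new Error(`CUSTOM_CA_PATH (${customCaPath}) does not contain a PEM certificate`)
  }
  core.info(`Installing custom CA certificate from ${customCaPath} into the proxy trust store`)
  // … unchanged: ContainerService.storeCert(CUSTOM_CA_CERT_NAME, CA_CERT_INPUT_PATH, container, customCert) …
}
```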
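Review bot: In the `Cmd` added to the container config, `sh -c '… && /update-job-proxy'` can leave the shell as PID 1 with the proxy as its child, so depending on the image's shell the stop signal may never reach the proxy; `'/usr/sbin/update-ca-certificates && exec /update-job-proxy'` hands the process over once the trust store has been refreshed. The same string is repeated literally in `__tests__/proxy-integration.test.ts`, so that assertion would need the same edit, and a shared constant would keep the two in step. A comment such as `// refresh the trust store first; && keeps the proxy from starting if that fails` would record why the image's default command is overridden. The object literal continues outside the hunk.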