Enable OSX trusted certificates to be copied into docker Container (#562)

DanielHansmannAldi · profuel · commit 695e08cef33c · 2025-07-25T12:23:11.000+02:00
diff --git a/bin/command/install/bootstrap.sh b/bin/command/install/bootstrap.sh
@@ -75,6 +75,17 @@ function Command::bootstrap() {
     Console::info "Using ${projectYaml}"
 
     local USER_FULL_ID=$(Environment::getFullUserId)
+    # pipeline aus YAML mit grep/sed robust auslesen (ohne yq/PHP), nutzt $projectYaml
+    copy_cert_from_mac=$(grep -E '^[[:space:]]*copy_cert_from_mac:' "$projectYaml" | sed -E 's/^[[:space:]]*copy_cert_from_mac:[[:space:]]*//')
+    Console::info "Copy Cert From Mac: ${copy_cert_from_mac}"
+
+    if [ "${copy_cert_from_mac}" = "true" ]; then
+        Console::info "Export System Certificates to ${SOURCE_DIR}/generator/certs-system.crt"
+        security find-certificate -a -p /Library/Keychains/System.keychain > "${SOURCE_DIR}/generator/certs-system.crt"
+    else
+        Console::info "Create empty certs-system.crt at ${SOURCE_DIR}/generator/certs-system.crt"
+        > "${SOURCE_DIR}/generator/certs-system.crt"
+    fi
 
     Console::verbose::start "Building generator..."
     docker build -t spryker_docker_sdk \
@@ -90,6 +101,8 @@ function Command::bootstrap() {
     cp -rf "${SOURCE_DIR}/context" "${tmpDeploymentDir}/context"
     cp -rf "${SOURCE_DIR}/bin/standalone" "${tmpDeploymentDir}/context/cli"
     cp -rf "${SOURCE_DIR}/images" "${tmpDeploymentDir}/images"
+    cp -rf  "${SOURCE_DIR}/generator/certs-system.crt" "${tmpDeploymentDir}/certs-system.crt"
+    cp -rf  "${SOURCE_DIR}/generator/certs-system.crt" "${tmpDeploymentDir}/context/certs-system.crt"
     cp "${projectYaml}" "${tmpDeploymentDir}/project.yml"
     cp "$([ -f "./.dockersyncignore" ] && echo './.dockersyncignore' || echo "${SOURCE_DIR}/.dockersyncignore.default")" "${tmpDeploymentDir}/.dockersyncignore"
     if [ -f ".known_hosts" ]; then
diff --git a/docs/07-deploy-file/02-deploy.file.reference.v1.md b/docs/07-deploy-file/02-deploy.file.reference.v1.md
@@ -954,6 +954,16 @@ A **Service** to control user agents.
 
 ***
 
+### copy_cert_from_mac:
+
+A **Service** to control user agents.
+
+* Project-wide
+    * `copy_cert_from_mac: true:` - possible values are true / false. This variable is optional with the default value false. If set, the trusted CA certificate is copied from the host machine to the container. This is required to use company proxy.
+
+
+***
+
 ## Change log
 
 * Initial reference document is introduced.
diff --git a/generator/Dockerfile b/generator/Dockerfile
@@ -6,6 +6,10 @@ FROM ${SPRYKER_PHP_IMAGE}
 RUN apk add --no-cache openssl
 
 WORKDIR /data
+
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
+
 USER spryker
 
 COPY --chown=spryker:spryker composer.json composer.lock ${srcRoot}/
diff --git a/images/baked/application/Dockerfile b/images/baked/application/Dockerfile
@@ -3,6 +3,9 @@ ARG SPRYKER_PARENT_IMAGE
 
 FROM ${SPRYKER_PARENT_IMAGE} AS application-production-dependencies
 
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
+
 USER spryker
 
 # Install composer modules for Spryker
diff --git a/images/baked/cli/Dockerfile b/images/baked/cli/Dockerfile
@@ -3,6 +3,9 @@ ARG SPRYKER_PARENT_IMAGE
 
 FROM ${SPRYKER_PARENT_IMAGE} as cli-production
 
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
+
 USER spryker
 
 # Install composer modules for Spryker
diff --git a/images/baked/frontend/Dockerfile b/images/baked/frontend/Dockerfile
@@ -3,8 +3,10 @@ ARG SPRYKER_PARENT_IMAGE
 ARG SPRYKER_ASSETS_BUILDER_IMAGE
 
 FROM ${SPRYKER_ASSETS_BUILDER_IMAGE} as assets-builder
-
 FROM ${SPRYKER_PARENT_IMAGE} as frontend-production
 
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
+
 RUN mkdir -p /data/public && chmod 0777 /data/public
 COPY --from=assets-builder --chown=root:root /data/public /data/public
diff --git a/images/common/application-local/Dockerfile b/images/common/application-local/Dockerfile
@@ -4,4 +4,5 @@ FROM ${SPRYKER_PARENT_IMAGE} AS application-local
 
 # Make self-signed certificate to be trusted locally
 COPY nginx/ssl/ca.crt /usr/local/share/ca-certificates
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
 RUN update-ca-certificates
diff --git a/images/common/application/Dockerfile.twig b/images/common/application/Dockerfile.twig
@@ -8,7 +8,17 @@ FROM ${SPRYKER_NODE_IMAGE} AS node
 
 ARG SPRYKER_NPM_VERSION
 
-RUN npm install -g npm@${SPRYKER_NPM_VERSION}
+# Temporarily switch to HTTP for Alpine repositories to bootstrap ca-certificates
+RUN sed -i 's/https:\/\/dl-cdn.alpinelinux.org/http:\/\/dl-cdn.alpinelinux.org/g' /etc/apk/repositories \
+&& apk add --no-cache ca-certificates \
+&& sed -i 's/http:\/\/dl-cdn.alpinelinux.org/https:\/\/dl-cdn.alpinelinux.org/g' /etc/apk/repositories
+
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
+
+ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/host-certs.crt
+RUN npm config set cafile /usr/local/share/ca-certificates/host-certs.crt \
+&& npm install -g npm@${SPRYKER_NPM_VERSION}
 
 FROM ${SPRYKER_PLATFORM_IMAGE} AS application-basic
 
diff --git a/images/common/cli/Dockerfile b/images/common/cli/Dockerfile
@@ -3,6 +3,14 @@ ARG SPRYKER_PARENT_IMAGE
 
 FROM ${SPRYKER_PARENT_IMAGE} as cli-basic
 
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
+
+#TEST
+ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/host-certs.crt
+RUN npm config set cafile /usr/local/share/ca-certificates/host-certs.crt
+
+
 # Blackfire client
 RUN mkdir -p /tmp/blackfire \
     && architecture=$(case $(uname -m) in i386 | i686 | x86) echo "i386" ;; x86_64 | amd64) echo "amd64" ;; aarch64 | arm64 | armv8) echo "arm64" ;; *) echo "amd64" ;; esac) \
diff --git a/images/common/dashboard/Dockerfile b/images/common/dashboard/Dockerfile
@@ -2,10 +2,17 @@ ARG SPRYKER_DASHBOARD_IMAGE=node:alpine
 
 FROM ${SPRYKER_DASHBOARD_IMAGE} AS dashboard
 
+RUN sed -i 's/https:\/\/dl-cdn.alpinelinux.org/http:\/\/dl-cdn.alpinelinux.org/g' /etc/apk/repositories \
+    && apk add --no-cache ca-certificates \
+    && sed -i 's/http:\/\/dl-cdn.alpinelinux.org/https:\/\/dl-cdn.alpinelinux.org/g' /etc/apk/repositories
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
+
 RUN mkdir -p /dashboard
 WORKDIR /dashboard
 ENV HOME=/dashboard
-
+ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/host-certs.crt
+RUN npm config set cafile /usr/local/share/ca-certificates/host-certs.crt
 RUN npm install log.io pm2 -g
 
 COPY context/dashboard/package.json context/dashboard/package-lock.json /dashboard/
diff --git a/images/common/frontend/Dockerfile b/images/common/frontend/Dockerfile
@@ -4,6 +4,12 @@ ARG SPRYKER_FRONTEND_IMAGE
 
 FROM ${SPRYKER_FRONTEND_IMAGE} as frontend-basic
 
+RUN sed -i 's/https:\/\/dl-cdn.alpinelinux.org/http:\/\/dl-cdn.alpinelinux.org/g' /etc/apk/repositories \
+    && apk add --no-cache ca-certificates \
+    && sed -i 's/http:\/\/dl-cdn.alpinelinux.org/https:\/\/dl-cdn.alpinelinux.org/g' /etc/apk/repositories
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
+
 RUN mkdir -p /etc/nginx/template/ && chmod 0777 /etc/nginx/template/
 COPY --chown=root:root nginx/nginx.original.conf /etc/nginx/nginx.conf
 COPY --chown=root:root nginx/conf.d/frontend.default.conf.tmpl /etc/nginx/template/default.conf.tmpl
diff --git a/images/common/services/jenkins/export/Dockerfile b/images/common/services/jenkins/export/Dockerfile
@@ -5,6 +5,10 @@ ARG SPRYKER_JENKINS_IMAGE=spryker/jenkins-boilerplate:2.504.1
 FROM ${SPRYKER_JENKINS_IMAGE} as spryker-jenkins-boilerplate
 FROM ${SPRYKER_PARENT_IMAGE}  as spryker_jenkins
 EXPOSE 8080
+
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
+
 COPY context/jenkins/export/jenkins.docker.xml.twig ./config/Zed/cronjobs/jenkins.docker.xml.twig
 
 COPY --from=spryker-jenkins-boilerplate /usr/share/jenkins/ref/plugins /usr/share/jenkins/ref/plugins
diff --git a/images/debug/application/Dockerfile b/images/debug/application/Dockerfile
@@ -2,6 +2,9 @@
 ARG SPRYKER_PARENT_IMAGE
 FROM ${SPRYKER_PARENT_IMAGE} AS application-debug
 
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
+
 RUN --mount=type=cache,id=aptlib,sharing=locked,target=/var/lib/apt \
     --mount=type=cache,id=aptcache,sharing=locked,target=/var/cache/apt \
   bash -c 'if [ ! -z "$(which apt)" ]; then apt update -y && apt install -y \
diff --git a/images/debug/cli/Dockerfile b/images/debug/cli/Dockerfile
@@ -3,6 +3,17 @@ ARG SPRYKER_PARENT_IMAGE
 FROM ${SPRYKER_PARENT_IMAGE} AS cli-debug
 
 USER root
-RUN /usr/bin/install -d -m 777 /var/run/opcache/debug
+# Temporarily switch to HTTP for Alpine repositories to bootstrap ca-certificates
+RUN sed -i 's/https:\/\/dl-cdn.alpinelinux.org/http:\/\/dl-cdn.alpinelinux.org/g' /etc/apk/repositories \
+    && apk add --no-cache ca-certificates \
+    && sed -i 's/http:\/\/dl-cdn.alpinelinux.org/https:\/\/dl-cdn.alpinelinux.org/g' /etc/apk/repositories
+
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
 USER spryker
+#TEST
+ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/host-certs.crt
+RUN npm config set cafile /usr/local/share/ca-certificates/host-certs.crt
+
+
 COPY php/debug/etc/ /usr/local/etc/
diff --git a/images/debug/frontend/Dockerfile b/images/debug/frontend/Dockerfile
@@ -4,5 +4,9 @@ FROM ${SPRYKER_PARENT_IMAGE} AS frontend-debug
 
 ARG SPRYKER_XDEBUG_MODE_ENABLE
 ENV SPRYKER_XDEBUG_MODE_ENABLE=${SPRYKER_XDEBUG_MODE_ENABLE}
-
+RUN sed -i 's/https:\/\/dl-cdn.alpinelinux.org/http:\/\/dl-cdn.alpinelinux.org/g' /etc/apk/repositories \
+    && apk add --no-cache ca-certificates \
+    && sed -i 's/http:\/\/dl-cdn.alpinelinux.org/https:\/\/dl-cdn.alpinelinux.org/g' /etc/apk/repositories
 COPY --chown=root:root nginx/conf.d/debug.default.conf /etc/nginx/template/debug.default.conf
+COPY certs-system.crt "/usr/local/share/ca-certificates/host-certs.crt"
+RUN update-ca-certificates
