From 2a8b86d0180bcf117a262759ec744b7a07976e34 Mon Sep 17 00:00:00 2001
From: Akhil Rane
Date: Thu, 5 Nov 2020 17:49:26 -0500
Subject: [PATCH] Fix /etc/pki/ca-trust/extracted/pem permissions issue

Currently, CCO e2es are failing because CI builds volume mount '/etc/pki/ca-trust' at runtime. Previously we used Dockerfile RUN command to make '/etc/pki/ca-trust/extracted/pem' world-writable. Because this command is now being run with a volume mounted at /etc/pki/ca-trust, the directories and files whose permissions are modified are those in the volume and are not included in the final image. To fix this we add an archive of the contents (writable empty files) of '/etc/pki/ca-trust/extracted' to the build context using Dockerfile ADD and then run 'update-ca-trust extract' as a container command to populate these files
---
 Dockerfile | 9 +++++++--
 hack/writable-extracted.tar.gz | Bin 0 -> 277 bytes
 manifests/03-deployment.yaml | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 hack/writable-extracted.tar.gz

diff --git a/Dockerfile b/Dockerfile
index 4c23e84c53..9aab22552a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,8 +7,13 @@ RUN go build -ldflags "-X $GO_PACKAGE/pkg/version.versionFromGit=$(git describe
 FROM registry.svc.ci.openshift.org/ocp/4.7:base
 COPY --from=builder /go/src/github.com/openshift/cloud-credential-operator/cloud-credential-operator /usr/bin/
 COPY manifests /manifests
-# Update perms so we can copy updated CA if needed
-RUN chmod -R g+w /etc/pki/ca-trust/extracted/pem/
+
+# Since /etc/pki/ca-trust is now volume mounted at runtime, we cannot use RUN
+# command to make its content world writable as it won't be included in the
+# final image. To workaround this we ADD archived contents of /etc/pki/ca-trust
+# as writable empty files and then run 'update-ca-trust extract' in the
+# container to populate these files
+ADD hack/writable-extracted.tar.gz /etc/pki/ca-trust/extracted
 LABEL io.openshift.release.operator=true
 # TODO make path explicit here to remove need for ENTRYPOINT
 # https://github.com/openshift/installer/blob/a8ddf6619794416c4600a827c2d9284724d382d8/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L347
diff --git a/hack/writable-extracted.tar.gz b/hack/writable-extracted.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..ed0d12c74c1ef29f83a4e147f54b762291f10f8e
GIT binary patch
literal 277
zcmV+w0qXuAiwFP!000001MSvfj)E`{1z?WC1!QSyne!BEHYlQ@)${K_)|mKfL8c+u
z_r;{9e}?#Yt^Rn{Uzx0u5z)M|_jUfRDl(*vp~~=nT`QC2R`|JQ_YmEf=P5?*k)QH!
zUF*jfil!SRX8bvS#UJ8*Rq~qUrNqO$`{((e+{5j#|D;OvKZQB}-~LO@SkZre6VU$@
zt~Wn~(2E`c%ll8pYV<#aXa21_H22}y`y!6~lN9Y3H=D7%|COpM^go50zer#IYwmw*
zasMYVkqFJfcG|?vAq9US^WP`V#@#8oI>|Kh`j+T^0yl2e-cyvu@8dnUz5M8
bNh5y%0000000000fKU7YnHOwk04M+eDbJD?

literal 0
HcmV?d00001

diff --git a/manifests/03-deployment.yaml b/manifests/03-deployment.yaml
index c0f627a700..481eb4e5bd 100644
--- a/manifests/03-deployment.yaml
+++ b/manifests/03-deployment.yaml
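Review bot: The mode and ownership that the `ADD`ed archive applies under `/etc/pki/ca-trust/extracted` are not reviewable in this diff, and the new comment calls the files "world writable" while the `RUN chmod -R g+w` it replaces granted only group write; whoever can write those files can silently replace the container's trust store, so the comment should pin down exactly what the archive carries, e.g. `# hack/writable-extracted.tar.gz: empty placeholder files, mode <MODE — confirm with tar -tvzf hack/writable-extracted.tar.gz>, owned by root:root`, and group-writable (the previous g+w, sufficient for an arbitrary UID in GID 0) should be preferred over world-writable. If the archive's empty files overwrite the base image's extracted bundles, the container has no CA bundle at all until `update-ca-trust extract` succeeds at startup, which is worth stating in the comment so that startup command is not dropped later. Also "To workaround" should read "To work around". The build stage's `RUN go build` named in the hunk header lies outside the hunk.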
@@ -47,6 +47,7 @@ spec:
 name: cloud-credential-operator-serving-cert
 - args:
 - |
+ update-ca-trust extract;
 if [ -s /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then
 echo "Copying system trust bundle"
 cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
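Review bot: `update-ca-trust extract;` is the first command of the `|` block, so no `set -e` precedes it, and the `;` merely sequences to the next command: if the extract cannot write into `/etc/pki/ca-trust/extracted` (the permission problem this commit works around) the operator carries on with whatever that directory already holds — per the commit message, empty files, i.e. no system CA bundle — and the only symptom is TLS failures much later. Make the failure observable where it occurs, e.g. `update-ca-trust extract || echo "WARNING: update-ca-trust extract failed; system CA bundle may be empty" >&2`, or exit non-zero if the operator should not start without a trust store. The trailing `;` is also redundant before a newline in a block scalar. The script continues past the end of the hunk, so I cannot see whether a later check compensates.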