From f22369fab004d461b21a05d6a9516095512eb41b Mon Sep 17 00:00:00 2001
From: James Vaughan
Date: Mon, 9 Feb 2026 16:36:39 -0500
Subject: [PATCH] Add Dockerfile and Makefile for running release.sh locally
---
 .dockerignore | 16 +++++++++++
 Dockerfile | 41 ++++++++++++++++++++++++++++
 Makefile | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 132 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 Dockerfile
 create mode 100644 Makefile
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..b03cbb94
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,16 @@
+# Git
+.git
+.gitignore
+
+# IDE
+.idea
+.vscode
+*.swp
+*.swo
+
+# Build artifacts that will be regenerated
+vendor/
+
+# Docker files
+Dockerfile
+.dockerignore
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..c94dae1c
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,41 @@
+# Dockerfile for cfssl_trust release environment
+# Provides Go 1.24, certdump, cfssl tools, and cfssl-trust
+
+FROM golang:1.24-bookworm
+
+# Install git and update CA certificates
+RUN apt-get update && apt-get install -y \
+ git \
+ ca-certificates \
+ && update-ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+# Allow git to work with mounted directories (different ownership)
+RUN git config --global --add safe.directory /cfssl_trust
+
+# Install certdump, pinning to v1.7.7 to avoid cert issues in later versions
+RUN go install git.wntrmute.dev/kyle/goutils/cmd/certdump@v1.7.7
+
+# Install cfssl tools
+RUN go install github.com/cloudflare/cfssl/cmd/...
+
+# Set working directory
+WORKDIR /cfssl_trust
+
+# Copy go.mod and go.sum first for better caching
+COPY go.mod go.sum ./
+
+# Download dependencies
+RUN go mod download
+
+# Copy the rest of the source code
+COPY . .
+
+# Build and install cfssl-trust from local source
+RUN go install ./cmd/cfssl-trust
+
+# Ensure binaries are in PATH
+ENV PATH="/go/bin:${PATH}"
+
+# Default command
+CMD ["./release.sh"]
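Review bot: `RUN go install github.com/cloudflare/cfssl/cmd/...` carries no `@version`, unlike the certdump install just above it, so the cfssl binaries in the image are whatever the module proxy resolves at build time and two builds of the same commit can differ; as far as I recall, module-mode `go install` of a remote path without a version also refuses to run when the working directory is not inside a module, which is the case at that point because `WORKDIR` and `COPY go.mod go.sum` come later, unless the base image's `GOFLAGS` changes that. Pin it, `RUN go install github.com/cloudflare/cfssl/cmd/...@<pinned-cfssl-version>`, and consider pinning `FROM golang:1.24-bookworm` by digest for the same reproducibility reason. The image also never switches `USER`, so `./release.sh` runs as root against the bind-mounted checkout and anything it writes there comes back root-owned on the host; that is the situation the `safe.directory` line is working around, so a comment there such as `# release.sh runs as root here; files it writes into the mounted repo are root-owned on the host` would save the next person a surprise. The `apt-get install -y` line would be smaller with `--no-install-recommends`, and `ca-certificates` plus `/go/bin` on `PATH` already come with the golang base image, so the `update-ca-certificates` and `ENV PATH` steps look redundant but harmless.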
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..bf9144e9
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,75 @@
+# Makefile for cfssl_trust local development
+# Provides Docker-based release workflow with volume mounting for new certs
+
+IMAGE_NAME := cfssl-trust-release
+CONTAINER_NAME := cfssl-trust-release-container
+
+# Environment variables passed to release.sh
+EXPIRATION_WINDOW ?= 0h
+NOGIT ?=
+ALLOW_SKIP_PR ?=
+
+# Certificate files (relative to repo root, mounted automatically)
+NEW_ROOTS ?=
+NEW_INTERMEDIATES ?=
+
+.PHONY: build run release shell clean help
+
+help:
+ @echo "cfssl_trust Docker-based release workflow"
+ @echo ""
+ @echo "Usage:"
+ @echo " make build Build the Docker image"
+ @echo " make release Run release.sh in Docker (NOGIT=1 by default)"
+ @echo " make release-full Run full release with git operations"
+ @echo " make shell Open a shell in the container"
+ @echo " make clean Remove Docker image and containers"
+ @echo ""
+ @echo "Adding new certificates:"
+ @echo " make release NEW_ROOTS=NEW_ROOTS.pem NEW_INTERMEDIATES=NEW_INTERMEDIATES.pem"
+ @echo ""
+ @echo "Environment variables:"
+ @echo " EXPIRATION_WINDOW Minimum cert validity (default: 0h)"
+ @echo " NEW_ROOTS Path to new root certs file (e.g., NEW_ROOTS.pem)"
+ @echo " NEW_INTERMEDIATES Path to new intermediate certs file (e.g., NEW_INTERMEDIATES.pem)"
+ @echo " NOGIT Set to skip git operations (default: 1 for 'release' target)"
+ @echo ""
+
+# Build the Docker image with the latest cfssl_trust code
+build:
+ docker build -t $(IMAGE_NAME) .
+
+# Run release.sh with NOGIT=1 (safe for local testing)
+release: build
+ docker run --rm \
+ -v $(CURDIR):/cfssl_trust \
+ -w /cfssl_trust \
+ -e EXPIRATION_WINDOW=$(EXPIRATION_WINDOW) \
+ -e ALLOW_SKIP_PR=$(ALLOW_SKIP_PR) \
+ -e NOGIT=1 \
+ $(if $(NEW_ROOTS),-e NEW_ROOTS=$(NEW_ROOTS)) \
+ $(if $(NEW_INTERMEDIATES),-e NEW_INTERMEDIATES=$(NEW_INTERMEDIATES)) \
+ $(IMAGE_NAME) ./release.sh
+
+# Run full release with git operations (use with caution)
+release-full: build
+ docker run --rm \
+ -v $(CURDIR):/cfssl_trust \
+ -w /cfssl_trust \
+ -e EXPIRATION_WINDOW=$(EXPIRATION_WINDOW) \
+ -e ALLOW_SKIP_PR=$(ALLOW_SKIP_PR) \
+ $(if $(NEW_ROOTS),-e NEW_ROOTS=$(NEW_ROOTS)) \
+ $(if $(NEW_INTERMEDIATES),-e NEW_INTERMEDIATES=$(NEW_INTERMEDIATES)) \
+ $(IMAGE_NAME) ./release.sh
+
+# Open an interactive shell in the container for debugging
+shell: build
+ docker run --rm -it \
+ -v $(CURDIR):/cfssl_trust \
+ -w /cfssl_trust \
+ $(IMAGE_NAME) /bin/bash
+
+# Clean up Docker resources
+clean:
+ -docker rmi $(IMAGE_NAME) 2>/dev/null || true
+ -docker rm -f $(CONTAINER_NAME) 2>/dev/null || true
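Review bot: `.PHONY: build run release shell clean help` names a `run` target that does not exist and omits `release-full`, so a file or directory called `release-full` in the repo root would make `make release-full` report it as up to date and silently skip the release; change it to `.PHONY: build release release-full shell clean help`. `NOGIT ?=` and `CONTAINER_NAME` are declared but never reach a recipe: `release` hard-codes `-e NOGIT=1`, `release-full` passes no NOGIT at all, and every `docker run` uses `--rm` without `--name`, so `docker rm -f $(CONTAINER_NAME)` in `clean` can never match a container — either wire them through (`-e NOGIT=$(NOGIT)` in `release-full`, `--name $(CONTAINER_NAME)` on the runs) or drop them together with the help line that says NOGIT can be set. The `-v $(CURDIR):/cfssl_trust` arguments are unquoted, so a checkout path containing a space breaks all three recipes; `-v "$(CURDIR):/cfssl_trust"` is safer. Since the image has no `USER`, both release targets run as root on the mounted checkout and leave root-owned files behind on the host, which is worth stating in the comment above `release` next to "safe for local testing".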