fix: add ca-certificates (#22)

jaredLunde · web-flow · commit 558a1db6bde2 · 2024-05-27T14:11:05.000-07:00
diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ related to this tool.
 - [x] Support for a wide range of the most popular languages and frameworks including Next.js, Phoenix, Spring Boot, Django, and more
 - [x] Use Debian Slim as the runtime image for a smaller image size and better security, while still supporting the most common dependencies and avoiding deployment headaches caused by Alpine Linux gotchas
 - [x] Includes `wget` in the runtime image for adding health checks to services, e.g. `wget -nv -t1 --spider 'http://localhost:8080/healthz' || exit 1`
+- [x] Includes `ca-certificates` in the runtime image to allow secure HTTPS connections
 - [x] Use multi-stage builds to reduce the size of the final image
 - [x] Run the application as a non-root user for better security
 - [x] Supports multi-platform images that run on both x86 and ARM CPU architectures
diff --git a/runtime/bun.go b/runtime/bun.go
@@ -157,7 +157,8 @@ RUN  if [ ! -z "${BUILD_CMD}" ]; then sh -c "$BUILD_CMD"; fi
 FROM oven/bun:${VERSION}-slim AS runtime
 WORKDIR /app
 
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot
 RUN chown -R nonroot:nonroot /app
 
diff --git a/runtime/deno.go b/runtime/deno.go
@@ -174,7 +174,8 @@ FROM denoland/deno:${VERSION} as base
 FROM debian:stable-slim
 WORKDIR /app
 
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot
 RUN chown -R nonroot:nonroot /app
 
diff --git a/runtime/elixir.go b/runtime/elixir.go
@@ -109,6 +109,7 @@ RUN mix release
 FROM debian:stable-slim AS runtime
 WORKDIR /app
 RUN apt-get update && apt-get install -y --no-install-recommends wget libstdc++6 openssl libncurses5 locales ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot
 
 RUN chown -R nonroot:nonroot /app
diff --git a/runtime/golang.go b/runtime/golang.go
@@ -122,7 +122,8 @@ RUN CGO_ENABLED=${CGO_ENABLED} GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -t
 
 FROM debian:stable-slim
 WORKDIR /app
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot
 RUN chown -R nonroot:nonroot /app
 
diff --git a/runtime/java.go b/runtime/java.go
@@ -157,7 +157,8 @@ FROM eclipse-temurin:${VERSION}-jdk AS runtime
 WORKDIR /app
 VOLUME /tmp
 
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot
 RUN chown -R nonroot:nonroot /app
 
diff --git a/runtime/nextjs.go b/runtime/nextjs.go
@@ -144,7 +144,8 @@ ENV NODE_ENV=production
 # Uncomment the following line in case you want to disable telemetry during runtime.
 ENV NEXT_TELEMETRY_DISABLED 1
 
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot
 RUN chown -R nonroot:nonroot /app
 
@@ -201,7 +202,8 @@ RUN if [ -f yarn.lock ]; then yarn run build; \
 FROM base AS runner
 WORKDIR /app
 
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot
 RUN chown -R nonroot:nonroot /app
 
diff --git a/runtime/node.go b/runtime/node.go
@@ -188,7 +188,8 @@ RUN  if [ ! -z "${BUILD_CMD}" ]; then sh -c "$BUILD_CMD"; fi
 FROM base AS runtime
 WORKDIR /app
 
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --disabled-login --ingroup nonroot nonroot
 ENV COREPACK_HOME=/app/.cache
 RUN mkdir -p /app/.cache
diff --git a/runtime/php.go b/runtime/php.go
@@ -154,7 +154,8 @@ RUN if [ ! -z "${BUILD_CMD}" ]; then sh -c "$BUILD_CMD"; fi
 
 FROM php:${VERSION}-apache AS runtime
 
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot	
 	
 ENV PORT=8080
diff --git a/runtime/python.go b/runtime/python.go
@@ -161,7 +161,8 @@ var pythonTemplate = strings.TrimSpace(`
 ARG VERSION={{.Version}}
 FROM python:${VERSION}-slim
 WORKDIR /app
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot
 RUN chown -R nonroot:nonroot /app
 
diff --git a/runtime/ruby.go b/runtime/ruby.go
@@ -133,7 +133,8 @@ var rubyTemplate = strings.TrimSpace(`
 ARG VERSION={{.Version}}
 FROM ruby:${VERSION}-slim
 WORKDIR /app
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot
 
 ARG INSTALL_CMD={{.InstallCMD}}
diff --git a/runtime/rust.go b/runtime/rust.go
@@ -110,7 +110,8 @@ RUN if [ "${TARGETARCH}" = "amd64" ]; then cargo zigbuild --release --target x86
 FROM debian:stable-slim AS runtime
 WORKDIR /app
 
-RUN apt-get update && apt-get install -y --no-install-recommends wget && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN update-ca-certificates 2>/dev/null || true
 RUN addgroup --system nonroot && adduser --system --ingroup nonroot nonroot
 RUN chown -R nonroot:nonroot /app
 
