test that the ca-certs bundle works in scratch containers
leo 3baa6fc079
add option to build+run stuff with Nix
* add flake.nix
* update .gitignore
* add .envrc to allow direnv autoloading
* describe how to use this in the README.md
2023-03-09 16:48:11 +01:00
.editorconfig add .editorconfig 2023-03-09 16:45:44 +01:00
.envrc add option to build+run stuff with Nix 2023-03-09 16:48:11 +01:00
.gitattributes add .gitattributes 2023-03-09 16:45:17 +01:00
.gitignore add option to build+run stuff with Nix 2023-03-09 16:48:11 +01:00
Containerfile Containerfile: use scratch-with-cacerts directly 2023-03-09 14:38:48 +01:00
Containerfile.certfail initial commit 2023-03-08 17:59:17 +01:00
default.nix add option to build+run stuff with Nix 2023-03-09 16:48:11 +01:00
flake.lock add option to build+run stuff with Nix 2023-03-09 16:48:11 +01:00
flake.nix add option to build+run stuff with Nix 2023-03-09 16:48:11 +01:00
go.mod initial commit 2023-03-08 17:59:17 +01:00
main.go initial commit 2023-03-08 17:59:17 +01:00
Makefile initial commit 2023-03-08 17:59:17 +01:00
README.md add option to build+run stuff with Nix 2023-03-09 16:48:11 +01:00
run.go initial commit 2023-03-08 17:59:17 +01:00
shell.nix add option to build+run stuff with Nix 2023-03-09 16:48:11 +01:00

certs-test

this repo contains a program that tries to connect to a TLS-protected endpoint. there are two variants of a Containerfile:

  • Containerfile - here the program should be able to successfully connect to a TLS-protected endpoint from a scratch container because the ca-certs bundle has been copied in.
  • Containerfile.certfail - here the ca-certs bundle is missing, therefore the program should fail with the following:

    2023/03/08 18:31:00 connecting to https://<endpoint> panic: Get "https://<endpoint>": tls: failed to verify certificate: x509: certificate signed by unknown authority
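the two variants replayed in-process, as an added example that is not the repo's own main.go or run.go: a local httptest TLS server stands in for <endpoint>, an empty x509.CertPool plays the scratch image without the ca-certs bundle, and a pool holding the issuing certificate plays the image with the bundle copied in.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetch performs a GET trusting only the roots in pool; an empty pool trusts nothing.
func fetch(url string, pool *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// isUnknownAuthority matches the "x509: certificate signed by unknown authority" failure above.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo replays both Containerfile variants against a constructed local TLS server.
func demo() (certfail bool, body string, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "hello over TLS")
	}))
	defer srv.Close()
	// Containerfile.certfail: no trusted roots at all, like scratch without the bundle.
	_, err = fetch(srv.URL, x509.NewCertPool())
	certfail = isUnknownAuthority(err)
	// Containerfile: the bundle contains the issuing certificate, so verification passes.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	body, err = fetch(srv.URL, pool)
	return certfail, body, err
}

func main() {
	certfail, body, err := demo()
	fmt.Printf("certfail rejected: %v; success got %q (err=%v)\n", certfail, body, err)
}
```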

build and run using Go

to manually build and run the app, run:

go build -v . && ./certs-test -endpoint=<yoursite.tld>

build and run using podman

to build a container in which the app will be able to connect to a TLS-protected endpoint, run:

podman build -t certs-test:success -f Containerfile .

alternatively, run make or make certsuccess

to build a container that will yield a CA cert validation failure (because of the missing ca-cert bundle), run:

podman build -t certs-test:fail -f Containerfile.certfail .

alternatively, run make certfail

to run the container, do

podman run localhost/certs-test:success

or

podman run localhost/certs-test:fail

based on which one you'd like to run.

build and run using Nix

build the flake's success and failure containers:

# build "success" first.
nix build .#success
podman load <result
# run the container loaded in the previous step.
podman run --rm localhost/certs-test:nix-success

# build the "failure".
nix build .#failure
# load the newly built container and run it.
podman load <result && \
podman run --rm localhost/certs-test:nix-fail

# inspect the containers.
podman inspect localhost/certs-test:nix-{success,fail}

build and run the app directly:

nix build .#certs-test && ./result/bin/certs-test

LICENSE

CC0