[candi] install ca-certificate from rpp (#9246)

Signed-off-by: Nikolay Gorbatov <nikolay.gorbatov@flant.com>

candi/bashible/bashbooster/56_detect_bundle.sh

@@ -68,7 +68,7 @@ bb-is-bundle(){
       bb-exit 1 "ERROR: Can't determine OS! No ID in /etc/os-release."
     ;;
   esac
-  
+
   if [ -n "$os" ]; then
     echo "$os"
   else

candi/bashible/bundles/ubuntu-lts/all/002_install_ca_certificates.sh.tpl → candi/bashible/common-steps/all/002_install_ca_certificates.sh.tpl

@@ -1,4 +1,4 @@
-# Copyright 2021 Flant JSC
+# Copyright 2024 Flant JSC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,22 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Avoid problems with expired ca-certificates
-bb-apt-install --force ca-certificates
+bb-package-install "d8-ca-updater:{{ .images.registrypackages.d8CaUpdater060824 }}"
 
-{{- if .registry.ca }}
-bb-event-on 'registry-ca-changed' '_update_ca_certificates'
-_update_ca_certificates() {
-  bb-flag-set containerd-need-restart
-  update-ca-certificates
-}
+REGISTRY_CACERT_PATH="/opt/deckhouse/share/ca-certificates/registry-ca.crt"
 
-bb-sync-file /usr/local/share/ca-certificates/registry-ca.crt - registry-ca-changed << "EOF"
+{{- if .registry.ca }}
+bb-sync-file $REGISTRY_CACERT_PATH - << "EOF"
 {{ .registry.ca }}
 EOF
 {{- else }}
-if [ -f /usr/local/share/ca-certificates/registry-ca.crt ]; then
-  rm -f /usr/local/share/ca-certificates/registry-ca.crt
-  _update_ca_certificates
+if [ -f $REGISTRY_CACERT_PATH ]; then
+  rm -f $REGISTRY_CACERT_PATH
 fi
 {{- end }}

candi/bashible/common-steps/all/006_fetch_registry_packages.sh.tpl

@@ -15,4 +15,4 @@
 {{- $kubernetesVersion := printf "%s%s" (.kubernetesVersion | toString) (index .k8s .kubernetesVersion "patch" | toString) | replace "." "" }}
 {{- $kubernetesCniVersion := "1.4.0" | replace "." "" }}
 
-bb-package-fetch "kubernetes-cni:{{ index .images.registrypackages (printf "kubernetesCni%s" $kubernetesCniVersion) | toString }}" "kubectl:{{ index .images.registrypackages (printf "kubectl%s" $kubernetesVersion) | toString }}" "kubelet:{{ index .images.registrypackages (printf "kubelet%s" $kubernetesVersion) | toString }}" "containerd:{{- index $.images.registrypackages "containerd1713" }}" "crictl:{{ index .images.registrypackages (printf "crictl%s" (.kubernetesVersion | replace "." "")) | toString }}" "toml-merge:{{ .images.registrypackages.tomlMerge01 }}" "d8:{{ .images.registrypackages.d8 }}"
+bb-package-fetch "kubernetes-cni:{{ index .images.registrypackages (printf "kubernetesCni%s" $kubernetesCniVersion) | toString }}" "kubectl:{{ index .images.registrypackages (printf "kubectl%s" $kubernetesVersion) | toString }}" "kubelet:{{ index .images.registrypackages (printf "kubelet%s" $kubernetesVersion) | toString }}" "containerd:{{- index $.images.registrypackages "containerd1720" }}" "crictl:{{ index .images.registrypackages (printf "crictl%s" (.kubernetesVersion | replace "." "")) | toString }}" "toml-merge:{{ .images.registrypackages.tomlMerge01 }}" "d8:{{ .images.registrypackages.d8 }}"

candi/bashible/common-steps/node-group/002_install_ms_ca_certificates.sh.tpl

@@ -12,14 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-mkdir -p /usr/local/share/d8-ca-certificates/
+mkdir -p /opt/deckhouse/share/ca-certificates/
 
 {{- if eq .runType "Normal" }}
 	{{- range $registryAddr,$ca := .normal.moduleSourcesCA }}
 		{{- if $ca }}
 
 bb-log-info "Sync moduleSource CA for {{ $registryAddr }}"
-bb-sync-file /usr/local/share/d8-ca-certificates/{{ $registryAddr | lower }}-ca.crt - << "EOF"
+bb-sync-file /opt/deckhouse/share/ca-certificates/{{ $registryAddr | lower }}-ca.crt - << "EOF"
 {{ $ca }}
 EOF
 		{{- end }}

candi/bashible/common-steps/node-group/031_install_containerd.sh.tpl

@@ -39,5 +39,5 @@ post-install() {
   fi
 }
 
-bb-package-install "containerd:{{- index $.images.registrypackages "containerd1713" }}" "crictl:{{ index .images.registrypackages (printf "crictl%s" (.kubernetesVersion | replace "." "")) | toString }}" "toml-merge:{{ .images.registrypackages.tomlMerge01 }}"
+bb-package-install "containerd:{{- index $.images.registrypackages "containerd1720" }}" "crictl:{{ index .images.registrypackages (printf "crictl%s" (.kubernetesVersion | replace "." "")) | toString }}" "toml-merge:{{ .images.registrypackages.tomlMerge01 }}"
 {{- end }}

candi/bashible/common-steps/node-group/032_configure_containerd.sh.tpl

@@ -145,16 +145,20 @@ oom_score = 0
       [plugins."io.containerd.grpc.v1.cri".registry.configs]
         [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ .registry.address }}".auth]
           auth = "{{ .registry.auth | default "" }}"
+  {{- if .registry.ca }}
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ .registry.address }}".tls]
+          ca_file = "/opt/deckhouse/share/ca-certificates/registry-ca.crt"
+  {{- end }}
   {{- if eq .registry.scheme "http" }}
         [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ .registry.address }}".tls]
           insecure_skip_verify = true
   {{- end }}
   {{- if eq .runType "Normal" }}
     {{- range $registryAddr,$ca := .normal.moduleSourcesCA }}
-			{{- if $ca }}
+      {{- if $ca }}
         [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ $registryAddr | lower }}".tls]
-          ca_file = "/usr/local/share/d8-ca-certificates/{{ $registryAddr | lower }}-ca.crt"
-			{{- end }}
+          ca_file = "/opt/deckhouse/share/ca-certificates/{{ $registryAddr | lower }}-ca.crt"
+      {{- end }}
     {{- end }}
   {{- end }}
     [plugins."io.containerd.grpc.v1.cri".image_decryption]

ee/fe/modules/040-node-manager/.build.yaml

@@ -0,0 +1 @@
+templates/ngc-ca-certificate.yaml

ee/fe/modules/040-node-manager/templates/ngc-ca-certificate.yaml

@@ -0,0 +1,29 @@
+apiVersion: deckhouse.io/v1alpha1
+kind: NodeGroupConfiguration
+metadata:
+  name: install-pkg-ca-certificates.sh
+  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
+spec:
+  weight: 2
+  nodeGroups: ["*"]
+  bundles: ["*"]
+  content: |
+    # Copyright 2024 Flant JSC
+    #
+    # Licensed under the Apache License, Version 2.0 (the "License");
+    # you may not use this file except in compliance with the License.
+    # You may obtain a copy of the License at
+    #
+    #     http://www.apache.org/licenses/LICENSE-2.0
+    #
+    # Unless required by applicable law or agreed to in writing, software
+    # distributed under the License is distributed on an "AS IS" BASIS,
+    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    # See the License for the specific language governing permissions and
+    # limitations under the License.
+
+    case $(bb-is-bundle) in
+      debian|ubuntu-lts|astra)  bb-apt-install ca-certificates ;;
+      altlinux)                 bb-apt-rpm-install ca-certificates ;;
+      centos|redos|rosa)        bb-yum-install ca-certificates ;;
+    esac

modules/007-registrypackages/images/containerd/werf.inc.yaml

@@ -1,6 +1,6 @@
-{{- $containerd_version := "1.7.13" }}
+{{- $containerd_version := "1.7.20" }}
 {{- $image_version := $containerd_version | replace "." "-" }}
-{{- $runc_version := "1.1.12" }}
+{{- $runc_version := "1.1.13" }}
 ---
 image: {{ $.ModuleName }}/{{ $.ImageName }}-{{ $image_version }}
 from: {{ $.Images.BASE_SCRATCH }}

modules/007-registrypackages/images/d8-ca-updater/ca-certificates/mozilla/blacklist.txt

@@ -0,0 +1,7 @@
+# One blacklist entry per line, corresponding to the label in certdata.txt.
+
+# Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
+"Explicitly Distrust DigiNotar Root CA"
+
+# Expired CAs
+