From a672ff92882223601ceb20edde54778fc4545a92 Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Tue, 18 Jan 2022 12:40:27 -0500
Subject: [PATCH] distroless: fetch CA certificates in builder stage
...so that we don't rely on a package manager to bring these down into the runner stage.
Signed-off-by: Andrew Keesler
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 68049867..7ce70100 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.17.6-alpine3.14 AS builder
 WORKDIR /usr/local/src/dex
-RUN apk add --no-cache --update alpine-sdk
+RUN apk add --no-cache --update alpine-sdk ca-certificates openssl
 ARG TARGETOS
 ARG TARGETARCH
@@ -39,8 +39,8 @@ FROM alpine:3.15.0
 # Proper installations should manage those certificates, but it's a bad user
 # experience when this doesn't work out of the box.
 #
-# OpenSSL is required so wget can query HTTPS endpoints for health checking.
-RUN apk add --no-cache --update ca-certificates openssl
+# See https://go.dev/src/crypto/x509/root_linux.go for Go root CA bundle locations.
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 RUN mkdir -p /var/dex
 RUN chown -R 1001:1001 /var/dex
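Review bot: `openssl` is added to the builder's `apk add` line in the first hunk, but the only thing this patch takes from the builder is `/etc/ssl/certs/ca-certificates.crt`, which the `ca-certificates` package provides on its own. Unless a builder step outside this hunk calls the `openssl` binary, the line could be `RUN apk add --no-cache --update alpine-sdk ca-certificates`. Because the package is unpinned, the contents of the shipped trust store now depend on what the builder's Alpine 3.14 repository serves on the build date; pinning the version or recording it at build time would make the bundle traceable.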
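Review bot: In the second hunk the runner's trust store becomes a single file frozen at build time from the builder's Alpine 3.14 package, and the stage (still `FROM alpine:3.15.0` per the hunk header) no longer installs `ca-certificates`, so derived images presumably lose `update-ca-certificates` for adding a private CA. The removed comment said OpenSSL was there so wget could query HTTPS endpoints for health checking, and nothing in the new lines says how that works now; it is worth confirming that an HTTPS health check still succeeds in the built image. I would extend the comment above the `COPY` with `# The bundle is a build-time snapshot from the builder stage; rebuild the image to pick up CA additions or removals.` The stage continues past the end of the hunk.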