
Allow paths inside $CI_BUILDS_DIR for custom CA certificates

Summary

In the current version v0.7.0, custom CA certificates can only be provided using a relative path, as the current working directory always is prepended.

This is an issue when CI file variables are used which are provided using an absolute path.

Steps to reproduce

  1. Create a file variable MY_CA containing the custom CA certificate.

  2. Call release-cli in the pipeline like this:

     release-cli --additional-ca-cert-bundle $MY_CA create ...

  3. Get annoyed at the following error:

     time="2021-05-14T12:14:00Z" level=fatal msg="open /builds/<my-group>/<my-project>/builds/<my-group>/<my-project>.tmp/MY_CA: no such file or directory" cli=release-cli version=0.7.0

What is the current bug behavior?

The current working directory is prepended to the custom CA path, even when an absolute path is given.

What is the expected correct behavior?

The working directory is only prepended for relative paths.

Relevant logs and/or screenshots

Pipeline output:

$ release-cli --version
release-cli version 0.7.0
$ echo $MY_CA
/builds/<my-group>/<my-project>.tmp/MY_CA
$ release-cli --additional-ca-cert-bundle $MY_CA create --tag-name $CI_COMMIT_TAG --ref $CI_COMMIT_SHA --name "Release ${CI_COMMIT_TAG}" --description "Release ${CI_COMMIT_TAG}"
time="2021-05-14T12:14:00Z" level=fatal msg="open /builds/<my-group>/<my-project>/builds/<my-group>/<my-project>.tmp/MY_CA: no such file or directory" cli=release-cli version=0.7.0
Cleaning up file based variables 00:01
ERROR: Job failed: exit code 1

Possible fixes

Relevant line in the getCA function: https://gitlab.com/gitlab-org/release-cli/-/blob/v0.7.0/internal/app/http_client.go#L80. Remove lines 80-89.

Workarounds:

  • Do not use file variables (annoying, because other tools require file variables).
  • Create a temporary local file (ugly):
    • cat $MY_CA > asd
    • release-cli --additional-ca-cert-bundle asd create ...
  • Of course, you could just use the ADDITIONAL_CA_CERT_BUNDLE variable, but this would require changing all other occurrences as well (or maintaining two CA variables).

Proposed solution

Could we change that to check if the path resides under the current build directory or the build's tmp directory? Would that cover most (all?) use cases?

Constraint to $CI_BUILDS_DIR instead of $CI_PROJECT_DIR

Edited by Jaime Martinez
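
The check proposed above, sketched as an added Go example (not release-cli's own code): the working directory is prepended only to relative paths, and the result must stay inside the builds directory. The helper name resolveCAPath and the sample paths are assumptions; the comparison is lexical only.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBuildsDir is returned when the resolved path escapes buildsDir.
var ErrOutsideBuildsDir = errors.New("CA bundle path is outside the builds directory")

// resolveCAPath (hypothetical helper) resolves the --additional-ca-cert-bundle
// value. workDir is prepended only to relative paths; buildsDir stands for the
// value of $CI_BUILDS_DIR. Symlinks are not resolved here: a link inside
// buildsDir can still point elsewhere unless filepath.EvalSymlinks is applied
// to both paths before comparing.
func resolveCAPath(caPath, workDir, buildsDir string) (string, error) {
	resolved := caPath
	if !filepath.IsAbs(caPath) {
		resolved = filepath.Join(workDir, caPath)
	}
	resolved = filepath.Clean(resolved) // collapses "." and ".." segments

	// Rel avoids the string-prefix pitfall where "/builds-other" would
	// match a naive HasPrefix(resolved, "/builds") test.
	rel, err := filepath.Rel(filepath.Clean(buildsDir), resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s", ErrOutsideBuildsDir, resolved)
	}
	return resolved, nil
}

func main() {
	// Constructed sample values modelled on the job output in the report.
	const buildsDir, workDir = "/builds", "/builds/my-group/my-project"
	for _, p := range []string{
		"/builds/my-group/my-project.tmp/MY_CA", // file variable, absolute
		"certs/ca.pem",                          // relative to the checkout
		"../../../etc/ssl/ca.pem",               // traversal out of /builds
		"/builds-other/ca.pem",                  // sibling with shared prefix
	} {
		got, err := resolveCAPath(p, workDir, buildsDir)
		fmt.Printf("%-40s -> %q err=%v\n", p, got, err)
	}
}
```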