Allow paths inside $CI_BUILDS_DIR for custom CA certificates
Summary
In the current version v0.7.0, custom CA certificates can only be provided using a relative path, as the current working directory is always prepended.
This is an issue when CI file variables are used, which are provided using an absolute path.
Steps to reproduce
- Create a file variable MY_CA containing the custom CA certificate.
- Call release-cli in the pipeline like this:
  release-cli --additional-ca-cert-bundle $MY_CA create ...
- Get annoyed at the following error:
  time="2021-05-14T12:14:00Z" level=fatal msg="open /builds/<my-group>/<my-project>/builds/<my-group>/<my-project>.tmp/MY_CA: no such file or directory" cli=release-cli version=0.7.0
What is the current bug behavior?
The current working directory is prepended to the custom CA path, even when an absolute path is given.
What is the expected correct behavior?
The working directory is only prepended for relative paths.
Relevant logs and/or screenshots
Pipeline output:
$ release-cli --version
release-cli version 0.7.0
$ echo $MY_CA
/builds/<my-group>/<my-project>.tmp/MY_CA
$ release-cli --additional-ca-cert-bundle $MY_CA create --tag-name $CI_COMMIT_TAG --ref $CI_COMMIT_SHA --name "Release ${CI_COMMIT_TAG}" --description "Release ${CI_COMMIT_TAG}"
time="2021-05-14T12:14:00Z" level=fatal msg="open /builds/<my-group>/<my-project>/builds/<my-group>/<my-project>.tmp/MY_CA: no such file or directory" cli=release-cli version=0.7.0
Cleaning up file based variables 00:01
ERROR: Job failed: exit code 1
Possible fixes
Relevant line in the getCA function: https://gitlab.com/gitlab-org/release-cli/-/blob/v0.7.0/internal/app/http_client.go#L80. Remove lines 80-89.
Workarounds:
- Do not use file variables (annoying, because other tools require file variables).
- Create a temporary local file (ugly):
cat $MY_CA > asd
release-cli --additional-ca-cert-bundle asd create ...
- Of course, you could just use the ADDITIONAL_CA_CERT_BUNDLE variable, but this would require changing all other occurrences as well (or maintaining two CA variables).
Proposed solution
Could we change that to check if the path resides under the current build directory or the build's tmp directory? Would that cover most (all?) use cases?
Constraint to $CI_BUILDS_DIR instead of $CI_PROJECT_DIR
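One way the proposed check could look, as an added example that is not release-cli's own code: the working directory is prepended only for relative paths, and the result must stay under a base directory standing in for $CI_BUILDS_DIR. The helper name resolveCAPath, the error value and the sample paths are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// errOutsideBase reports a CA bundle path that escapes the allowed directory.
var errOutsideBase = errors.New("CA bundle path is outside the allowed directory")

// resolveCAPath (hypothetical helper) joins relative paths onto cwd, keeps
// absolute paths as given, and requires the cleaned result to sit under baseDir.
func resolveCAPath(caPath, cwd, baseDir string) (string, error) {
	resolved := caPath
	if !filepath.IsAbs(resolved) {
		resolved = filepath.Join(cwd, resolved)
	}
	resolved = filepath.Clean(resolved) // collapses "." and ".." segments

	// Compare path components, not string prefixes: "/builds-other" starts
	// with "/builds" as a string but is not inside it.
	rel, err := filepath.Rel(filepath.Clean(baseDir), resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s", errOutsideBase, resolved)
	}
	return resolved, nil
}

func main() {
	cwd := "/builds/my-group/my-project" // constructed stand-in for the job's working directory
	base := "/builds"                    // constructed stand-in for $CI_BUILDS_DIR
	for _, p := range []string{ // constructed sample inputs
		"/builds/my-group/my-project.tmp/MY_CA", // file variable (absolute)
		"certs/ca.pem",                          // relative to the working directory
		"../../../etc/ssl/cert.pem",             // climbs out of the base
		"/builds-other/ca.pem",                  // shares a string prefix only
	} {
		got, err := resolveCAPath(p, cwd, base)
		fmt.Printf("%q -> %q err=%v\n", p, got, err)
	}
}
```

The check is lexical only: it does not resolve symlinks, so a link inside the base directory can still point outside it.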