
Conversation

@gsporterfield gsporterfield commented Dec 31, 2025

Add AWS RDS CA certificates to enable trusted TLS connections with RDS in any region.

  • Sets env var NODE_EXTRA_CA_CERTS for node.
  • Adds the certs to the OS trust store with update-ca-certificates.
  • Related to Slack conversations here and here, caused by attempts to upgrade to PostgreSQL 17.
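
As an added example (not code from this PR or from the articulate images), the shell below does what the PR's csplit step does, splitting a PEM bundle into one-certificate-per-file .crt files for update-ca-certificates, and then checks the result: every file holds exactly one certificate and nothing from the bundle was lost. It swaps csplit for awk so that any text outside BEGIN/END blocks (header comments, blank lines) is dropped instead of becoming a bogus .crt, which is the failure mode a BEGIN-anchored csplit would hit on a bundle that does not start with a certificate. The sample bundle is constructed with placeholder bodies and is not a real certificate; paths and the aws-rds-ca prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR or the articulate images: split a PEM CA
# bundle into one-certificate-per-file .crt files (what the PR's csplit step does)
# and verify the result before running update-ca-certificates.
# Uses awk instead of csplit so text outside BEGIN/END blocks is dropped rather
# than becoming a bogus .crt. Paths and the prefix used below are hypothetical.

# split_pem_bundle BUNDLE OUTDIR PREFIX
# Writes OUTDIR/PREFIX-000.crt, OUTDIR/PREFIX-001.crt, ... one certificate each.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" -v pfx="$3" '
    /-----BEGIN CERTIFICATE-----/ {
      out = sprintf("%s/%s-%03d.crt", dir, pfx, n); n++; inblock = 1
    }
    inblock { print > out }
    /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
  ' "$1"
}

# count_certs FILE: number of certificates (END markers) in FILE; prints 0 if none.
count_certs() {
  grep -c -- '-----END CERTIFICATE-----' "$1" || true
}

# cert_file_count OUTDIR: number of .crt files present in OUTDIR.
cert_file_count() {
  set -- "$1"/*.crt
  [ -e "$1" ] && echo $# || echo 0
}

# check_split BUNDLE OUTDIR: succeeds only if every .crt holds exactly one
# certificate and the files together hold as many certificates as the bundle.
check_split() {
  total=0
  for f in "$2"/*.crt; do
    [ -e "$f" ] || return 1
    [ "$(count_certs "$f")" -eq 1 ] || return 1
    total=$((total + 1))
  done
  [ "$total" -eq "$(count_certs "$1")" ]
}

# make_sample_bundle FILE: constructed three-certificate bundle with a header
# line before the first BEGIN. The bodies are placeholders, NOT real certificates.
make_sample_bundle() {
  cat > "$1" <<'EOF'
# Constructed sample bundle: header text that must not end up in any .crt
-----BEGIN CERTIFICATE-----
MIIBplaceholderCertOneLine1
MIIBplaceholderCertOneLine2
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBplaceholderCertTwoLine1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderCertThreeLine1
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed bundle; in an image build OUTDIR would be
# /usr/local/share/ca-certificates and update-ca-certificates would follow.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/global-bundle.pem"
split_pem_bundle "$demo_dir/global-bundle.pem" "$demo_dir/certs" aws-rds-ca
if check_split "$demo_dir/global-bundle.pem" "$demo_dir/certs"; then
  echo "ok: $(cert_file_count "$demo_dir/certs") .crt files, one certificate each"
else
  echo "split check failed" >&2
fi
rm -rf "$demo_dir"
```

Run this against the downloaded global-bundle.pem before the update-ca-certificates step (or as a test of the built image) to confirm that the number of .crt files matches the number of certificates in the bundle; a mismatch means either a malformed bundle or leftover text that should not be trusted as a CA.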

@gsporterfield gsporterfield requested a review from a team as a code owner December 31, 2025 22:37
Comment on lines 23 to 31
ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/aws-rds-global-bundle.pem

# Split PEM bundle into individual cert files for update-ca-certificates
RUN csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \
        /usr/local/share/ca-certificates/aws-rds-global-bundle.pem \
        '/-----BEGIN CERTIFICATE-----/' '{*}' \
    && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
    && update-ca-certificates
Contributor

Could we move some of this stuff up and merge the RUN and ENV so we have fewer layers?

Contributor Author
Could we move some of this stuff up and merge the RUN and ENV so we have fewer layers?

The ADD could be a curl inside the RUN, but I'm not sure what "merge the RUN and ENV" means exactly? Definitely open to a specific suggestion here.

In this node-specific case, the original file from the ADD is kept around since we're setting NODE_EXTRA_CA_CERTS to point at it for all downstream users of this image. It looks like ADD has some caching benefits vs the curl/wget method as well, and is the recommended method for adding files to an image (I just learned this).

Contributor
@ivorisoutdoors ivorisoutdoors Jan 5, 2026

Something like this

# tags=articulate/node:24
# syntax=docker/dockerfile:1
FROM node:24-bookworm-slim

ENV SERVICE_ROOT=/service SERVICE_USER=service SERVICE_UID=1001 NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/aws-rds-global-bundle.pem

ARG TARGETARCH

ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/install_packages /usr/local/bin/install_packages
ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/awscli.sh /tmp/awscli.sh
ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem

RUN install_packages make dumb-init ca-certificates && /tmp/awscli.sh && rm /tmp/awscli.sh \
    # Create our own user and remove the node user
    && groupadd --gid $SERVICE_UID $SERVICE_USER \
    && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER \
    && userdel -r node \
    # Enable Corepack
    && npm install --global corepack@0.33.0 \
    && corepack enable \
    # Split PEM bundle into individual cert files for update-ca-certificates
    && csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \
        /usr/local/share/ca-certificates/aws-rds-global-bundle.pem  \
        '/-----BEGIN CERTIFICATE-----/' '{*}' \
    && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
    && update-ca-certificates

ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/download/docker-bootstrap_linux_${TARGETARCH} /entrypoint
ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/docker-secrets /usr/local/bin/secrets
ADD --chmod=755 https://raw.githubusercontent.com/vishnubob/wait-for-it/81b1373f17855a4dc21156cfe1694c31d7d1792e/wait-for-it.sh /wait-for-it.sh

USER $SERVICE_USER
WORKDIR $SERVICE_ROOT

# Our entrypoint will pull in our environment variables from Consul and Vault,
# and execute whatever command we provided the container.
# See https://github.com/articulate/docker-bootstrap
ENTRYPOINT [ "dumb-init", "--", "/entrypoint" ]

Contributor Author

@ivorisoutdoors thanks, updated in 26d662f

@ivorisoutdoors

Do we need to do this for our other Docker images?

@gsporterfield

Do we need to do this for our other Docker images?

I don't know if other languages have the equivalent of NODE_EXTRA_CA_CERTS, but yes, having the RDS CA certs trusted via update-ca-certificates will be desired on all of our base images.

@gsporterfield gsporterfield merged commit 6c3e40c into main Jan 5, 2026
14 checks passed
@gsporterfield gsporterfield deleted the feat/rds-ca-certs branch January 5, 2026 20:49