I was experimenting with the buildah plugin for Woodpecker CI and had a hard time figuring out how to inject my local certificate authority into the mix…until I realized I had missed something fundamental about Woodpecker CI.
I was experimenting with the mermaid parser from xai-grok-markdown that Simon Willison discovered and transformed into a WASM application, but I wanted to build and package it as an OCI container (due to reasons). I decided to do this with the buildah plugin for Woodpecker CI, also due to reasons.
This worked fine1 but ran into issues with my registries internally issued certificate. Luckily, I finally understood that I can use volumes even with plugins – I could just bind mount my internal CA into the container!
when:
- event: pull_request
steps:
- name: buildah
image: registry.example.com/ghcr/plugin-buildah:v1.1.1
privileged: true
volumes:
- /usr/local/share/ca-certificates/internalCA.crt:/etc/containers/certs.d/registry.example.com/ca.crt:ro
settings:
mirror: registry.example.com/dockerhub
repo: mermaid-grok/mermaid-grok
cache_repo: mermaid-grok/build-cache
tags: devbuild
registry: registry.example.com
username:
from_secret: harbor-username
password:
from_secret: harbor-password
I think I can simplify a few other woodpecker workflows now, previously I have used an ‘init container’ to install the CA…
Running it as a privileged container? Ew… ↩︎