Custom Certificate Authorities
Dagger can be configured to use custom certificate authorities (CAs) when communicating with external services like container registries, Git repositories, etc.
There is additional best-effort support for automatic installation of these custom CAs in user containers.
Configuring the engine with custom CAs currently requires provisioning a custom engine.
To be applied, the custom CAs should be placed in the /usr/local/share/ca-certificates/ directory of the Dagger container. No further commands are necessary; the CAs will be automatically installed on Dagger startup if found in that directory.
Configuration Applied to User Containers
As mentioned above, there is best-effort support for automatically installing Dagger's custom CAs in all containers created by user pipelines (i.e. those created via a withExec API call).
This is useful so that Dagger code you are not in direct control of (e.g. an external module dependency) does not need to be forked and updated to use your custom CAs in order to operate in your network where those CAs may be strictly required.
The support is best-effort because CAs are not standardized, which means the exact way they are configured depends on base image of the container.
Currently, Dagger supports automatically installing custom CAs in images with the following base distributions:
- Alpine
- Debian-based (e.g.
debianandubuntu) - Redhat-based (e.g.
rhel,fedora,centos, etc.)
If custom CAs are installed and Dagger detects one of these base images are being used, it will attempt to install the custom CAs into the container before executing it.
- If the installation fails, the error is logged but execution continues without the CA being installed.
- When the container exits, the CAs are also automatically removed to prevent them from leaking into the cache or into any published images.