Doz Parp

Reputation: 319

how do I add root certificate and keep only in docker build time?

the question has 2 parts. the 1st part, how to add a root certificate, is simple, and we can refer to e.g. "How do I add a CA root certificate inside a docker image?"

the 2nd part, which is what I actually want to ask, is: how to keep the root certificate only in docker build time?

maybe we can use buildctl and RUN --mount=type=secret; but it cannot cover all cases.

say I would like to pass sites with self-signed certificate like:

```dockerfile
RUN curl https://x01.self-signed-site/obj01
RUN npm install --registry https://x02.self-signed-site/npm
RUN pip install -i https://x03.self-signed-site/pypi/simple
RUN mvn install
...
```

thus, we need to configure the certificate for each tool:

(prepare the certificate and prepare .npmrc, .curlrc, ...)
(for curl, npm, pip, we can use env vars; but we cannot guarantee that this works for other tools)

therefore, we need to download the self-signed certificate into the image and also modify some files to apply the cert config. how to keep the change only in build time (no persistent layer in the final image)?

Upvotes: 2

Views: 678

Answers (1)

Doz Parp

Reputation: 319

we resolved this problem by using docker save and docker load; but currently, docker load does not work as we expect (see also how to keep layers when do `docker load`)

anyway, below is our solution in pseudo-code:

```
docker save -o out.tar <image>
mkdir contents && cd contents
tar xf ../out.tar
open manifest.json, get config <hash>.json as config.json

remove target layers in:
- config.json[history]
- config.json[rootfs][diff_ids]
- manifest.json[0][Layers]

remove layer tarballs (get layer_hashes from manifest.json[0][Layers]):
- <layer_hash>/*

fill gap between missing layers:
- <layer_hash_next>/json[parent] = <layer_hash_prev>

tar cf ../new.tar *
docker rmi <image>
docker load -i ../new.tar
```

ref: https://github.com/stallpool/track-network-traffic/blob/main/bin/docker_image_cleanup.py

Upvotes: 0
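The metadata edit from the pseudo-code above, as an added Python example (not code from the answer or from the linked script). The function name `drop_layers` and the sample manifest and config are constructed for illustration, and the sketch covers only the JSON edits, not the tarball handling or the per-layer `json[parent]` fix-up.

```python
import copy

def drop_layers(manifest, config, drop):
    """Return edited copies of manifest.json / config.json plus the layer
    tarball paths to delete. `drop` holds 0-based indexes into Layers."""
    manifest, config = copy.deepcopy(manifest), copy.deepcopy(config)
    layers = manifest[0]["Layers"]
    diff_ids = config["rootfs"]["diff_ids"]
    if len(layers) != len(diff_ids):
        raise ValueError("manifest Layers and config diff_ids differ in length")
    drop = set(drop)
    if not drop <= set(range(len(layers))):
        raise IndexError("layer index out of range")
    manifest[0]["Layers"] = [l for i, l in enumerate(layers) if i not in drop]
    config["rootfs"]["diff_ids"] = [d for i, d in enumerate(diff_ids) if i not in drop]
    # history also records metadata-only steps (ENV, CMD, ...) marked
    # "empty_layer": true. They have no diff_id, so only entries without
    # that flag advance the layer index.
    history, idx = [], 0
    for entry in config.get("history", []):
        if entry.get("empty_layer"):
            history.append(entry)
            continue
        if idx not in drop:
            history.append(entry)
        idx += 1
    config["history"] = history
    return manifest, config, [layers[i] for i in sorted(drop)]

# Constructed sample: layer 1 is the step that copied the certificate in.
SAMPLE_MANIFEST = [{"Config": "cfg.json", "RepoTags": ["demo:latest"],
                    "Layers": ["l0/layer.tar", "l1/layer.tar", "l2/layer.tar"]}]
SAMPLE_CONFIG = {
    "rootfs": {"type": "layers",
               "diff_ids": ["sha256:d0", "sha256:d1", "sha256:d2"]},
    "history": [
        {"created_by": "FROM base"},
        {"created_by": "ENV NODE_ENV=production", "empty_layer": True},
        {"created_by": "COPY ca.crt /usr/local/share/ca-certificates/"},
        {"created_by": "RUN npm install"},
        {"created_by": 'CMD ["node"]', "empty_layer": True},
    ],
}

if __name__ == "__main__":
    m, c, removed = drop_layers(SAMPLE_MANIFEST, SAMPLE_CONFIG, {1})
    print(m[0]["Layers"], c["rootfs"]["diff_ids"], removed)
    print([h["created_by"] for h in c["history"]])
```

Dropping a layer removes only the files that layer itself added; anything a later layer copied or regenerated from the certificate (for example a rebuilt CA bundle) stays in the image, so inspect the remaining layers before shipping it.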
