feat: switch to rustls to avoid compiling OpenSSL and relying on loca…

…l certs
vmware-labs · Nov 24, 2023 · 4597a02 · 4597a02
1 parent 641d773
commit 4597a02
Show file tree

Hide file tree

Showing 8 changed files with 68 additions and 34 deletions.
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
@@ -18,14 +18,14 @@ jobs:
             platform: unknown-linux-musl
             cross: false
             name: linux-musl
-            features: --features vendored-openssl
+            features:
           - build: linux
             arch: aarch64
             os: ubuntu-latest
             platform: unknown-linux-musl
             cross: true
             name: linux-musl
-            features: --features vendored-openssl
+            features:
           - build: windows
             arch: x86_64
             os: windows-latest
@@ -53,7 +53,7 @@ jobs:
             platform: apple-darwin
             cross: false
             name: macos-darwin
-            features: --features vendored-openssl
+            features:
     runs-on: ${{ matrix.os }}
     env:
       # This variable can be overriden with `cross` for builds that

diff --git a/.github/workflows/container-preview.yml b/.github/workflows/container-preview.yml
@@ -45,7 +45,7 @@ jobs:
         sudo apt-get update
         sudo apt-get install musl-tools
     - name: Build
-      run: ${{env.CARGO}} build --release --target=${{ matrix.arch }}-${{ matrix.platform }} --features vendored-openssl
+      run: ${{env.CARGO}} build --release --target=${{ matrix.arch }}-${{ matrix.platform }}
     - name: Upload artifact
       uses: actions/upload-artifact@v3
       with:

diff --git a/.github/workflows/container-release.yml b/.github/workflows/container-release.yml
@@ -46,7 +46,7 @@ jobs:
         sudo apt-get update
         sudo apt-get install musl-tools
     - name: Build
-      run: ${{env.CARGO}} build --release --target=${{ matrix.arch }}-${{ matrix.platform }} --features vendored-openssl
+      run: ${{env.CARGO}} build --release --target=${{ matrix.arch }}-${{ matrix.platform }}
     - name: Upload artifact
       uses: actions/upload-artifact@v3
       with:

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -43,8 +43,6 @@ wws_config = []
 wws_router = []
 wws_server = []
 
-vendored-openssl = ["wws-project/vendored-openssl"]
-
 [workspace]
 members = [
   "crates/api-manage",
@@ -77,7 +75,7 @@ exclude = [
 [workspace.dependencies]
 actix-web = "4"
 lazy_static = "1.4.0"
-reqwest = "0.11"
+reqwest = { version = "0.11", features = ["rustls"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0.85"
 tokio = "1.28"
@@ -99,4 +97,3 @@ wasmtime-wasi = "13.0.0"
 wasmtime-wasi-nn = "13.0.0"
 wasi-common = "13.0.0"
 path-slash = "0.2.1"
-openssl = { version = "=0.10.55" }
diff --git a/crates/project/Cargo.toml b/crates/project/Cargo.toml
@@ -16,11 +16,6 @@ wws-store = { workspace = true }
 url = "2.3.1"
 sha256 = "1.1.1"
 git2 = "0.17.2"
-# Not all platforms require OpenSSL
-openssl = { workspace = true, optional = true }
-
-[features]
-vendored-openssl = ["openssl/vendored"]
 
 [dev-dependencies]
 path-slash = { workspace = true }
diff --git a/image/Dockerfile b/image/Dockerfile
@@ -1,6 +1,4 @@
 # Build wasm_runtime in release mode
-
-
 FROM --platform=$TARGETPLATFORM rust:1.71.0-slim as build-wws
 ARG WWS_BUILD_DIR=/usr/src/wws
 ARG TARGETPLATFORM
@@ -19,15 +17,13 @@ RUN set -eux; \
         *) echo >&2 "unsupported architecture: $BUILDPLATFORM"; exit 1 ;; \
     esac; \
     rustup target add $bldArch; \
-    cargo build --release --features vendored-openssl --target=$bldArch; \
+    cargo build --release --target=$bldArch; \
     mkdir ./build; \
     cp ./target/$bldArch/release/wws ./build/wws
 
-
+# Build the image
 FROM --platform=$TARGETPLATFORM debian:bullseye-slim
 ARG WWS_BUILD_DIR=/usr/src/wws
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends ca-certificates
 RUN mkdir -p /app
 RUN mkdir -p /opt
 COPY --from=build-wws ${WWS_BUILD_DIR}/build/wws /opt

diff --git a/image/Prebuilt.dockerfile b/image/Prebuilt.dockerfile
@@ -2,10 +2,9 @@
 # is mainly used to build the preview / release container images in
 # GitHub actions
 
-# Retrieve the certificates to install runtimes later on.
+# Create the folders for the main container
 FROM --platform=$TARGETPLATFORM bitnami/minideb:latest AS sysroot
 RUN mkdir -p /target/app /target/opt
-RUN install_packages ca-certificates
 
 # Build the final image
 FROM --platform=$TARGETPLATFORM scratch
@@ -17,7 +16,6 @@ LABEL org.opencontainers.image.licenses="Apache-2.0"
 
 COPY --from=sysroot /target/app /app
 COPY --from=sysroot /target/opt /opt
-COPY --from=sysroot /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --chmod=755 ./wws-$TARGETARCH /opt/wws
 
 ENTRYPOINT ["/opt/wws"]