fix: add cacerts to ubi docker image

[kruskall]

Motivation/summary

the ubi docker image doesn't include cacerts, use the chainguard base image to retrieve them so we can use dependency management to keep them updated

note: 8.x is not affected because it's using the ubuntu image but it seems we're vendoring the cacerts there so there's value in backporting this

Checklist

• Update CHANGELOG.asciidoc
• Documentation has been updated

For functional changes, consider:

• Is it observable through the addition of either logging or metrics?
• Is its use being published in telemetry to enable product improvement?
• Have system tests been added to avoid regression?

How to test these changes

• print the x509.systemcertpool on startup
• docker build --build-arg=GOLANG_VERSION=1.24.3 -t apm-server-test -f packaging/docker/Dockerfile .
• run the image and observe the output

Related issues

Closes #16918

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[carsonip]

Q about backporting:

note: 8.x is not affected because it's using the ubuntu image but it seems we're vendoring the cacerts there so there's value in backporting this

Do you expect to remove the vendoring (packaging/docker/cacert.pem) and use chainguard /etc/pki and /etc/ssl instead?

[kruskall]

Do you expect to remove the vendoring (packaging/docker/cacert.pem) and use chainguard /etc/pki and /etc/ssl instead?

yes

[github-actions]

@Mergifyio backport 8.17 8.18 8.19 9.0

[mergify]

backport 8.17 8.18 8.19 9.0

✅ Backports have been created

• #16941 [8.17] (backport #16928) fix: add cacerts to ubi docker image has been created for branch 8.17 but encountered conflicts
• #16942 [8.18] (backport #16928) fix: add cacerts to ubi docker image has been created for branch 8.18 but encountered conflicts
• #16943 [8.19] (backport #16928) fix: add cacerts to ubi docker image has been created for branch 8.19 but encountered conflicts
• #16944 [9.0] (backport #16928) fix: add cacerts to ubi docker image has been created for branch 9.0

[v1v]

I'm afraid this is not working

2025-05-19 13:26:39 UTC | => ERROR [stage-2  6/15] COPY --from=builder-certs /etc/ssl /etc/ssl                                                                                      0.0s
-- | --
  | 2025-05-19 13:26:39 UTC | ------
  | 2025-05-19 13:26:39 UTC | > [stage-2  6/15] COPY --from=builder-certs /etc/ssl /etc/ssl:
  | 2025-05-19 13:26:39 UTC | ------
  | 2025-05-19 13:26:39 UTC |  
  | 2025-05-19 13:26:39 UTC | 1 warning found (use docker --debug to expand):
  | 2025-05-19 13:26:39 UTC | - InvalidDefaultArgInFrom: Default value for ARG golang:${GOLANG_VERSION} results in empty or invalid base image name (line 9)
  | 2025-05-19 13:26:39 UTC | Dockerfile:84
  | 2025-05-19 13:26:39 UTC | --------------------
  | 2025-05-19 13:26:39 UTC | 82 \|     COPY --chmod=0755 licenses/ELASTIC-LICENSE-2.0.txt NOTICE.txt /licenses/
  | 2025-05-19 13:26:39 UTC | 83 \|     COPY --from=builder-certs /etc/pki /etc/pki
  | 2025-05-19 13:26:39 UTC | 84 \| >>> COPY --from=builder-certs /etc/ssl /etc/ssl
  | 2025-05-19 13:26:39 UTC | 85 \|
  | 2025-05-19 13:26:39 UTC | 86 \|     # Copy files world-readable, and create the data directory world-writeable,
  | 2025-05-19 13:26:39 UTC | --------------------
  | 2025-05-19 13:26:39 UTC | ERROR: failed to solve: cannot copy to non-directory: /var/lib/docker/overlay2/jlt62v0gc5mg3du3nc1xnp4d1/merged/etc/ssl/certs
  | 2025-05-19 13:26:39 UTC | make: *** [packaging.mk:53: build/docker/apm-server-ubi-8.18.2-SNAPSHOT.txt] Error 1

For the future, if the DRA package needs to run, the current alternative is to create a feature branch with the name feature/<your-branch-name>, then the automation will run and validate that things work as expected.

We can figure out how to enable the DRA validation by default, if needed in a follow up