fix: resolve CA cert symlinks for Kubernetes Secret mounts #12851

Open
shykes wants to merge 1 commit into main from fix/cacerts-k8s-symlinks


@shykes commented Mar 27, 2026

Summary

  • When CA certs are mounted from a K8s Secret (without subPath), files are symlinked through a ..data/ subdirectory. These symlinks break inside containers where ..data/ doesn't exist.
  • ReadHostCustomCADir now resolves symlinks to their target file contents instead of preserving them, so certs work regardless of mount structure.

Fixes #12739

Repro

Confirm the test fails against unfixed main:

dagger shell <<'REPRO'
container |
  from golang:1.25 |
  with-directory /src $(git https://github.com/dagger/dagger | commit ae2491bff148ad49a0eb40918c9d44389120da01 | tree) |
  with-file /src/engine/buildkit/containerfs/fs_test.go $(git https://github.com/dagger/dagger | branch fix/cacerts-k8s-symlinks | tree | file engine/buildkit/containerfs/fs_test.go) |
  with-workdir /src |
  with-exec -- go test ./engine/buildkit/containerfs/ -run TestReadHostCustomCADirK8sSymlinks -v |
  stdout
REPRO

Test plan

  • Unit tests for ReadHostCustomCADir with K8s-style symlink structure
  • Test fails against unfixed main, passes with fix
  • Manual verification with K8s Secret-mounted CA certs

When CA certificates are mounted from a Kubernetes Secret without
subPath, the files are symlinked through a ..data/ subdirectory.
ReadHostCustomCADir previously preserved these symlinks, but they
break inside containers where the ..data/ directory doesn't exist.

Now symlinks are resolved to their target file contents, so certs
are installed as regular files regardless of the mount structure.

Fixes #11069

Signed-off-by: Solomon Hykes <solomon@dagger.io>

@shykes force-pushed the fix/cacerts-k8s-symlinks branch from 5d22fcb to d53c3bd, March 27, 2026 05:10
@grouville self-requested a review, April 6, 2026 16:48
@grouville added this to the v0.20.7 milestone, Apr 10, 2026
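
The symlink layout and the resolve-to-contents behaviour described in the summary above, as an added illustration; this is not the PR's code or Dagger's implementation of ReadHostCustomCADir. The names readCertsResolved and makeK8sSecretDir, the timestamp directory name and the certificate bytes are constructed for the example, and returning an error on a dangling link is a choice made here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// readCertsResolved (hypothetical) maps file name -> bytes, following symlinks.
func readCertsResolved(dir string) (map[string][]byte, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	certs := map[string][]byte{}
	for _, e := range entries {
		p := filepath.Join(dir, e.Name())
		info, err := os.Stat(p) // Stat follows the link chain; Lstat would not
		if err != nil {
			return nil, fmt.Errorf("resolve %s: %w", e.Name(), err) // dangling link
		}
		if !info.Mode().IsRegular() {
			continue // ..data and the ..<timestamp> entry resolve to a directory
		}
		if certs[e.Name()], err = os.ReadFile(p); err != nil {
			return nil, err
		}
	}
	return certs, nil
}

// makeK8sSecretDir builds a constructed Secret-volume layout under root.
func makeK8sSecretDir(root string, pem []byte) error {
	ts := "..2026_01_01_00_00_00.000000001" // constructed timestamp dir name
	return errors.Join(
		os.Mkdir(filepath.Join(root, ts), 0o755),
		os.WriteFile(filepath.Join(root, ts, "ca.crt"), pem, 0o644),
		os.Symlink(ts, filepath.Join(root, "..data")),              // ..data -> ..<timestamp>
		os.Symlink("..data/ca.crt", filepath.Join(root, "ca.crt")), // ca.crt -> ..data/ca.crt
	)
}

func main() {
	dir, _ := os.MkdirTemp("", "ca-*")
	defer os.RemoveAll(dir)
	_ = makeK8sSecretDir(dir, []byte("constructed placeholder, not a real cert\n"))
	certs, err := readCertsResolved(dir)
	fmt.Printf("%q %v\n", certs["ca.crt"], err)
}
```

Copying only the top-level `ca.crt` link into a directory that has no `..data/` entry reproduces the dangling-link case, which this function reports as an error.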