tink fails to install because cfssl is no longer in the alpine linux testing repository

[rgl]

Expected Behaviour

I should be able to install tink.

Current Behaviour

While tink is installing, it uses:

docker build --tag tinkerbell-certs /root/tink/deploy/tls

But that fails with the error:

Step 4/5 : RUN apk add --no-cache --update --upgrade --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing cfssl
 ---> Running in 7bfb4a37c1e8
fetch http://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
ERROR: unable to select packages:
  cfssl (no such package):
    required by: world[cfssl]
The command '/bin/sh -c apk add --no-cache --update --upgrade --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing cfssl' returned a non-zero code: 1

The cfssl is not longer in the alpine repository due to:

https://gitlab.alpinelinux.org/alpine/aports/-/commit/87380093c842e135ad4babaaca855f7abb2822cd
https://gitlab.alpinelinux.org/alpine/aports/-/commit/95690efbac51233c4255d0c33b706b70a9b02e1e
https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/testing/cfssl/APKBUILD

It seems that cfssl no longer builds in alpine (maybe because they started using go 1.16.5; see the second commit from above), so they disabled it.

[rgl]

I've opened https://gitlab.alpinelinux.org/alpine/aports/-/issues/12750.

[rgl]

https://gitlab.alpinelinux.org/alpine/aports/-/issues/12750 is now closed and there's an updated cfssl (from 1.5 to 1.6) at https://pkgs.alpinelinux.org/packages?name=cfssl&branch=edge

we should stop depending on the alpine edge branch and either help move cfssl to a proper alpine release or replace cfssl with openssl.

[nshalman]

Thanks for the report! Do we need to discuss which branch of alpine we should switch to using?

[rgl]

At the time there was some discussion about this in the Tinkerbell slack. But I don't remember whether someone from Tinkerbell side was going to follow up on pushing cfssl to a future Alpine release (or whether that will happen "automatically" from testing to, say, v3.15).

I would prefer to use a stable branch, because that probably has a better chance of working the next time someone tries Tinkerbell.

[jacobweinstock]

I'm curious if anyone knows why we need cfssl at all here:

tink/cmd/tink-server/Dockerfile

Line 10 in b18b238

apk add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing cfssl

?

I personally don't know of any reason that is needed there. TLS certificates are generated via the docker-compose at the top level of the repo.

[mmlb]

I'm curious if anyone knows why we need cfssl at all here:

tink/cmd/tink-server/Dockerfile

Line 10 in b18b238

apk add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing cfssl

?

I personally don't know of any reason that is needed there. TLS certificates are generated via the docker-compose at the top level of the repo.

You are correct in that this hasn't been needed for a long time (see #584 (comment)). Its gone now though via #584.