Add built-in root certificate fallbacks (#3440)

* Add built-in root certificate fallbacks

Blank-importing golang.org/x/crypto/x509roots/fallback bundles a set of
root fallback certificates from Mozilla into the resulting binary. This
allows the program to run in environments where the system root
certificates are not available, for example, inside a minimal container.
These are _fallbacks_, meaning that if the system _does have_ a set of
root certificates, those will be given priority. The binary size will
increase a little (~ 220 kB).

It should be added to main.go instead of somewhere else because the
recommendation is for the package to be imported from binaries, not from
libraries. Calling x509.SetFallbackRoots (what the imported package does
in its init function) more than once will cause the program to panic. In
principle, the Go import system will prevent the package from being
imported twice, so that shouldn't be a problem. That said, xk6 has
opinions, and it doesn't want to have an import in main.go, so it's
added to the only package imported from main, "cmd".

---------

Signed-off-by: Marcelo E. Magallon <[email protected]>
Co-authored-by: Oleg Bespalov <[email protected]>

Dockerfile

@@ -8,9 +8,7 @@ RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -trimpath -o /usr/b
 # Runtime stage
 FROM alpine:3.18 as release
 
-# hadolint ignore=DL3018
-RUN apk add --no-cache ca-certificates && \
-    adduser -D -u 12345 -g 12345 k6
+RUN adduser -D -u 12345 -g 12345 k6
 COPY --from=builder /usr/bin/k6 /usr/bin/k6
 
 USER k6

cmd/common.go

@@ -14,6 +14,14 @@ import (
 	"go.k6.io/k6/cmd/state"
 	"go.k6.io/k6/errext/exitcodes"
 	"go.k6.io/k6/lib/types"
+
+	// Blank-importing golang.org/x/crypto/x509roots/fallback bundles a set of
+	// root fallback certificates from Mozilla into the resulting binary. This
+	// allows the program to run in environments where the system root
+	// certificates are not available, for example inside a minimal container.
+	// These are _fallbacks_, meaning that if the system _does have_ a set of
+	// root certificates, those will be given priority.
+	_ "golang.org/x/crypto/x509roots/fallback"
 )
 
 // Panic if the given error is not nil.

go.mod

@@ -46,6 +46,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.19.0
 	go.uber.org/goleak v1.2.1
 	golang.org/x/crypto v0.14.0
+	golang.org/x/crypto/x509roots/fallback v0.0.0-20231030152948-74c2ba9521f1
 	golang.org/x/net v0.17.0
 	golang.org/x/term v0.13.0
 	golang.org/x/time v0.3.0

go.sum

@@ -230,6 +230,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto/x509roots/fallback v0.0.0-20231030152948-74c2ba9521f1 h1:wQ75dCmVn5ExryuIUzbi2MC1/10fUNIL1FP918r4jx8=
+golang.org/x/crypto/x509roots/fallback v0.0.0-20231030152948-74c2ba9521f1/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=

vendor/modules.txt

@@ -378,6 +378,9 @@ go.uber.org/goleak/internal/stack
 golang.org/x/crypto/md4
 golang.org/x/crypto/ocsp
 golang.org/x/crypto/ripemd160
+# golang.org/x/crypto/x509roots/fallback v0.0.0-20231030152948-74c2ba9521f1
+## explicit; go 1.20
+golang.org/x/crypto/x509roots/fallback
 # golang.org/x/net v0.17.0
 ## explicit; go 1.17
 golang.org/x/net/html