From 3e68f4173443dd502a775e4d2e9e5d0e8c6ef639 Mon Sep 17 00:00:00 2001
From: Greg Porterfield
Date: Wed, 31 Dec 2025 15:34:34 -0700
Subject: [PATCH] feat(tls): Add AWS RDS CA certificates to node images
---
 20/base/Dockerfile | 13 ++++++++++++-
 22/base/Dockerfile | 13 ++++++++++++-
 24/base/Dockerfile | 13 ++++++++++++-
 README.md | 2 ++
 4 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/20/base/Dockerfile b/20/base/Dockerfile
index a067299..40fb72c 100644
--- a/20/base/Dockerfile
+++ b/20/base/Dockerfile
@@ -9,7 +9,7 @@ ARG TARGETARCH
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/install_packages /usr/local/bin/install_packages
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/awscli.sh /tmp/awscli.sh
-RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
+RUN install_packages make dumb-init ca-certificates && /tmp/awscli.sh && rm /tmp/awscli.sh \
 # Create our own user and remove the node user
 && groupadd --gid $SERVICE_UID $SERVICE_USER \
 && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER \
@@ -19,6 +19,17 @@ ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/d
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/docker-secrets /usr/local/bin/secrets
 ADD --chmod=755 https://raw.githubusercontent.com/vishnubob/wait-for-it/81b1373f17855a4dc21156cfe1694c31d7d1792e/wait-for-it.sh /wait-for-it.sh
+# Add AWS RDS CA trusted root certificates for node
+ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem
+ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/aws-rds-global-bundle.pem
+
+# Split PEM bundle into individual cert files for update-ca-certificates
+RUN csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \
+ /usr/local/share/ca-certificates/aws-rds-global-bundle.pem \
+ '/-----BEGIN CERTIFICATE-----/' '{*}' \
+ && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
+ && update-ca-certificates
+
 USER $SERVICE_USER
 WORKDIR $SERVICE_ROOT
diff --git a/22/base/Dockerfile b/22/base/Dockerfile
index 4036765..bc5e556 100644
--- a/22/base/Dockerfile
+++ b/22/base/Dockerfile
@@ -9,7 +9,7 @@ ARG TARGETARCH
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/install_packages /usr/local/bin/install_packages
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/awscli.sh /tmp/awscli.sh
-RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
+RUN install_packages make dumb-init ca-certificates && /tmp/awscli.sh && rm /tmp/awscli.sh \
 # Create our own user and remove the node user
 && groupadd --gid $SERVICE_UID $SERVICE_USER \
 && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER \
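Review bot: The `ADD` of `https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem` pins neither a checksum nor a version, so the set of CAs baked into the image is whatever that URL serves at build time and a changed bundle never shows up as a reviewable diff; BuildKit's `ADD --checksum=sha256:<BUNDLE_SHA256> https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem ...` fails the build on an unexpected change and turns bundle updates into a deliberate bump (AWS does revise this bundle as regional CAs are added, so the pin needs periodic maintenance). The same hunk also splits the bundle into `/usr/local/share/ca-certificates` and runs `update-ca-certificates`, which makes the RDS roots trusted by every TLS client in the image, while `NODE_EXTRA_CA_CERTS` already covers Node on its own — either drop the system-wide install or say in the comment that trust for non-Node clients is intended, e.g. `# Also trust the RDS roots system-wide so non-Node clients (psql, curl) can verify RDS endpoints`. `csplit -z` suppresses the chunk before the first certificate only when it is empty; if the bundle ever carries leading text, that chunk lands in the store as `aws-rds-ca-000.crt`, which `update-ca-certificates` presumably reports but does not fail the build on, so a post-split check such as `&& test "$(grep -c '^-----BEGIN CERTIFICATE-----' /usr/local/share/ca-certificates/aws-rds-ca-*.crt | grep -vc ':1$')" -eq 0` would surface a malformed split. The 22/base and 24/base hunks duplicate this block verbatim and share all three points.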
@@ -22,6 +22,17 @@ ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/d
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/docker-secrets /usr/local/bin/secrets
 ADD --chmod=755 https://raw.githubusercontent.com/vishnubob/wait-for-it/81b1373f17855a4dc21156cfe1694c31d7d1792e/wait-for-it.sh /wait-for-it.sh
+# Add AWS RDS CA trusted root certificates for node
+ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem
+ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/aws-rds-global-bundle.pem
+
+# Split PEM bundle into individual cert files for update-ca-certificates
+RUN csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \
+ /usr/local/share/ca-certificates/aws-rds-global-bundle.pem \
+ '/-----BEGIN CERTIFICATE-----/' '{*}' \
+ && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
+ && update-ca-certificates
+
 USER $SERVICE_USER
 WORKDIR $SERVICE_ROOT
diff --git a/24/base/Dockerfile b/24/base/Dockerfile
index 52228de..2e176cd 100644
--- a/24/base/Dockerfile
+++ b/24/base/Dockerfile
@@ -9,7 +9,7 @@ ARG TARGETARCH
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/install_packages /usr/local/bin/install_packages
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/awscli.sh /tmp/awscli.sh
-RUN install_packages make dumb-init && /tmp/awscli.sh && rm /tmp/awscli.sh \
+RUN install_packages make dumb-init ca-certificates && /tmp/awscli.sh && rm /tmp/awscli.sh \
 # Create our own user and remove the node user
 && groupadd --gid $SERVICE_UID $SERVICE_USER \
 && useradd --create-home --shell /bin/bash --gid $SERVICE_UID --uid $SERVICE_UID $SERVICE_USER \
@@ -22,6 +22,17 @@ ADD --chmod=755 https://github.com/articulate/docker-bootstrap/releases/latest/d
 ADD --chmod=755 https://raw.githubusercontent.com/articulate/docker-bootstrap/main/scripts/docker-secrets /usr/local/bin/secrets
 ADD --chmod=755 https://raw.githubusercontent.com/vishnubob/wait-for-it/81b1373f17855a4dc21156cfe1694c31d7d1792e/wait-for-it.sh /wait-for-it.sh
+# Add AWS RDS CA trusted root certificates for node
+ADD --chmod=644 https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-global-bundle.pem
+ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/aws-rds-global-bundle.pem
+
+# Split PEM bundle into individual cert files for update-ca-certificates
+RUN csplit -s -z -n 3 -f /usr/local/share/ca-certificates/aws-rds-ca- \
+ /usr/local/share/ca-certificates/aws-rds-global-bundle.pem \
+ '/-----BEGIN CERTIFICATE-----/' '{*}' \
+ && for f in /usr/local/share/ca-certificates/aws-rds-ca-*; do mv "$f" "$f.crt"; done \
+ && update-ca-certificates
+
 USER $SERVICE_USER
 WORKDIR $SERVICE_ROOT
diff --git a/README.md b/README.md
index 8fe7fb8..16f8712 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,8 @@ Base Node.js Docker images.
 to install apt packages.
 * [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
 for interacting with AWS services.
+* [AWS RDS CA Certificates](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
+ to enable trusted TLS connections with AWS RDS instances _(in any region)_.
 ## Tags