Resolving missing ca-certificates dependency that causes client ssl v…

…erify to fail

Without this package, '/etc/ssl/certs' is either empty or incomplete, and
so does the @system-ca variable within haproxy.

This results in some haproxy client ssl features not working out of the
box. For instance, using httpclient with https endpoints will not work
with default config since ssl verify is on by default.

See PR #216.

Co-authored-by: Tianon Gravi <[email protected]>

Dockerfile.template

@@ -1,6 +1,13 @@
 {{ if env.variant == "alpine" then ( -}}
 FROM alpine:{{ .alpine }}
 
+# runtime dependencies
+RUN set -eux; \
+	apk add --no-cache \
+# @system-ca: https://github.com/docker-library/haproxy/pull/216
+		ca-certificates \
+	;
+
 # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable
 RUN set -eux; \
 	addgroup --gid 99 --system haproxy; \
@@ -18,6 +25,15 @@ RUN set -eux; \
 {{ ) else ( -}}
 FROM debian:{{ .debian }}
 
+# runtime dependencies
+RUN set -eux; \
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+# @system-ca: https://github.com/docker-library/haproxy/pull/216
+		ca-certificates \
+	; \
+	rm -rf /var/lib/apt/lists/*
+
 # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6
 RUN set -eux; \
 	groupadd --gid 99 --system haproxy; \
@@ -72,7 +88,6 @@ RUN set -eux; \
 {{ ) else ( -}}
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update && apt-get install -y --no-install-recommends \
-		ca-certificates \
 		gcc \
 		libc6-dev \
 		liblua{{ lua }}-dev \