
@fancybear-dev fancybear-dev commented Oct 24, 2025

Windows only ships the Microsoft CA into the base image that is used by fluent-bit to create the Windows Container image.

This means that all requests to Google-signed SSL endpoints fail.

This PR adds the Google CA.

Summary by CodeRabbit

  • Chores
    • Windows container images now support communication with Google Cloud services
    • Minor configuration formatting updates


coderabbitai bot commented Oct 24, 2025

Walkthrough

The Windows Dockerfile now installs the Google Root CA certificate in both builder and runtime stages via PowerShell, enabling communication with Google Cloud services. Minor formatting adjustments were applied to multi-line shell commands without behavioral changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Windows Dockerfile Certificate Installation: dockerfiles/Dockerfile.windows | Added PowerShell blocks to download, import, and clean up Google Root CA certificate in LocalMachine/Root store for both builder and runtime stages; applied formatting normalization to multi-line commands. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through Docker dreams,
Where Windows paths and certificates gleam,
Google's roots now planted deep,
Cloud connections safe to keep,
Whitespace whiskers all in place! 🌟

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The pull request title "fix: add Google CA to certificate store in fluent-bit Windows image" directly and accurately describes the primary change in the changeset. The title specifically identifies what is being added (Google Root CA certificate), where it's being added (certificate store), and which image is affected (fluent-bit Windows image), which aligns with the main objective stated in the PR description. The title is concise at 67 characters, uses clear and descriptive language without vague terms or unnecessary noise, and provides sufficient clarity for a teammate to understand the purpose of the change when scanning commit history. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6345fd1 and d998806.

📒 Files selected for processing (1)
  • dockerfiles/Dockerfile.windows (4 hunks)
🔇 Additional comments (1)
dockerfiles/Dockerfile.windows (1)

231-239: Google CA installation approach is sound, but request verification of container compatibility and cert validity.

The implementation correctly addresses the PR objective by importing the Google Root CA to the system-wide certificate store in the runtime stage, enabling SSL communication with Google Cloud services. Certificate placement in LocalMachine\Root is appropriate.

A few verification points:

  1. Certificate validity: Confirm that pki.goog/r1.crt is the documented/current Google Root CA (v1). If you have a specific version in mind, consider pinning the URL or providing a checksum.

  2. Container environment compatibility: Verify that the Import-Certificate cmdlet and write permissions to Cert:\LocalMachine\Root\ work correctly in the Windows Server Core container runtime context. If this has been tested in CI, consider noting that in the commit message.

  3. Builder-base consideration: The builder-base stage currently doesn't include this certificate. While the current build process doesn't appear to require Google CA access, adding it to builder-base might improve consistency and future-proof the image if build-time Google service calls are introduced later. You may defer this to a follow-up.



Collaborator

@niedbalski niedbalski left a comment


I don't think we should be fetching random certificates from the internet. Why is this not bundled in the default Windows cert store?
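
One way to act on the checksum suggestion and the concern about fetching certificates at build time, as an added example that is not code from this PR: the certificate file is imported into LocalMachine\Root only when its SHA-256 fingerprint matches a value pinned in the Dockerfile. The function name, file path and fingerprint below are hypothetical placeholders.

```powershell
# Added example (not from the PR): import a root CA only if it matches a pinned fingerprint.
function Import-PinnedRootCertificate {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,            # certificate file already on disk
        [Parameter(Mandatory)] [string] $ExpectedSha256   # fingerprint obtained out of band
    )
    $ErrorActionPreference = 'Stop'

    # .NET resolves relative paths against the process directory, so make the path absolute.
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

    # Hash the DER bytes of the parsed certificate, so PEM or DER input gives the same value.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
    } finally {
        $sha256.Dispose()
    }

    # Normalise the pinned value: accept "AA:BB:..." or space-separated forms.
    $expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($expected.Length -ne 64) { throw 'Pinned fingerprint is not a 64-hex-digit SHA-256 value.' }
    if ($actual -ne $expected) {
        throw "Fingerprint mismatch for $fullPath (got $actual); refusing to import."
    }

    # A trust anchor should be self-signed and inside its validity period.
    if ($cert.Subject -ne $cert.Issuer) { throw "Certificate is not self-signed: $($cert.Subject)" }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw 'Certificate is outside its validity period.'
    }

    Import-Certificate -FilePath $fullPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    return $actual
}

# Usage in a Dockerfile RUN step; both values are placeholders, not taken from the PR.
# Import-PinnedRootCertificate -Path 'C:\certs\root-ca.crt' -ExpectedSha256 '<PINNED_SHA256_FINGERPRINT>'
```

Because the function throws on any mismatch, the `RUN` step and therefore the image build fail instead of silently trusting a different certificate.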
