Move certbot installation to requirements.txt

JonasAlfredsson · JonasAlfredsson · commit 40ff6cdcf444 · 2024-02-18T10:23:13.000+01:00
We have not really tracked which version of certbot that is installed
in the container, but I think we should. Adding it to the
requirements.txt file helps us get notified by dependabot when a new
version is available, and we can then trigger a rebuild to always keep
us up to date.

I also think we should try to bump at least our own patch version when
certbot moves. That way we allow users to also not have it change from
under their feet.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,6 +7,12 @@ updates:
       interval: "daily"
       time: "04:00"
     open-pull-requests-limit: 10
+# Maintain dependencies for pip packages.
+  - package-ecosystem: "pip"
+    directory: "/src"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
 # Maintain dependencies for GitHub Actions.
   - package-ecosystem: "github-actions"
     directory: "/"
diff --git a/src/Dockerfile b/src/Dockerfile
@@ -24,6 +24,10 @@ ENV CERTBOT_DNS_AUTHENTICATORS \
 # any real need to cater to other programs/environments.
 ARG PIP_BREAK_SYSTEM_PACKAGES=1
 
+# Through this we gain the ability to handle certbot upgrades through
+# dependabot pull requests.
+COPY requirements.txt /requirements.txt
+
 # Do a single run command to make the intermediary containers smaller.
 RUN set -ex && \
 # Install packages necessary during the build phase (for all architectures).
@@ -44,10 +48,9 @@ RUN set -ex && \
 # Install the latest version of PIP, Setuptools and Wheel.
     curl -L 'https://bootstrap.pypa.io/get-pip.py' | python3 && \
 # Install certbot.
-    pip3 install -U cffi certbot \
-# And the supported extra authenticators
-        $(echo $CERTBOT_DNS_AUTHENTICATORS | sed 's/\(^\| \)/\1certbot-dns-/g') \
-    && \
+    pip3 install -r /requirements.txt && \
+# And the supported extra authenticators.
+    pip3 install $(echo $CERTBOT_DNS_AUTHENTICATORS | sed 's/\(^\| \)/\1certbot-dns-/g') && \
 # Remove everything that is no longer necessary.
     apt-get remove --purge -y \
             build-essential \
diff --git a/src/Dockerfile-alpine b/src/Dockerfile-alpine
@@ -19,6 +19,10 @@ ENV CERTBOT_DNS_AUTHENTICATORS \
     ionos \
     bunny
 
+# Through this we gain the ability to handle certbot upgrades through
+# dependabot pull requests.
+COPY requirements.txt /requirements.txt
+
 # Do a single run command to make the intermediary containers smaller.
 RUN set -ex && \
 # Install packages necessary during the build phase (for all architectures).
@@ -40,10 +44,9 @@ RUN set -ex && \
 # Install the latest version of PIP, Setuptools and Wheel.
     curl -L 'https://bootstrap.pypa.io/get-pip.py' | python3 && \
 # Install certbot.
-    pip3 install -U cffi certbot \
-# And the supported extra authenticators
-        $(echo $CERTBOT_DNS_AUTHENTICATORS | sed 's/\(^\| \)/\1certbot-dns-/g') \
-    && \
+    pip3 install -r /requirements.txt && \
+# And the supported extra authenticators.
+    pip3 install $(echo $CERTBOT_DNS_AUTHENTICATORS | sed 's/\(^\| \)/\1certbot-dns-/g') && \
 # Remove everything that is no longer necessary.
     apk del \
         cargo \
diff --git a/src/requirements.txt b/src/requirements.txt
@@ -0,0 +1 @@
+certbot==2.9.0
