stx-debian: install SSL certs early

The base image needs apt install packages from HTTPS repos, including
the ca-certificates package & its dependencies (openssl etc). This
creates a chicken and egg problem: we need to install ca-certificates
over HTTPS (from https://mirror.starlingx.windriver.com/mirror/), yet we
can't access it because there are no SSL certs installed yet.

Workaround: use a multi-stage build, 1st stage installs latest ca-certs
from upstream debian, then copies the cert bundle into the main stage.
The main stage then installs ca-certs & its dependencies from the
managed repos.

TESTS
==============================
* Set mirror URLs to mirror.starlingx.windriver.com and build the base
  image
* Build 2 other images that inherit from stx-base: stx-aodh and
  stx-nova-api-proxy

Story: 2011159
Task: 50404

Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: Id5540673c52e34fe8c59d1e05fdd988ee27c17d8

build-tools/build-docker-images/build-stx-base.sh

@@ -415,6 +415,8 @@ declare -a BUILD_ARGS
 BUILD_ARGS+=(--build-arg RELEASE=${OS_VERSION})
 if [[ "$OS" == "centos" ]] ; then
     BUILD_ARGS+=(--build-arg "REPO_OPTS=${REPO_OPTS}")
+else
+    BUILD_ARGS+=(--build-arg "DIST=${DEBIAN_DISTRIBUTION}")
 fi
 
 # Add proxy to docker build

build-tools/build-docker-images/stx-debian/Dockerfile.stable

@@ -1,7 +1,31 @@
+# These are overridden by build-stx-debian.sh
+ARG DIST=bullseye
+ARG RELEASE=11.2
+
+################################################
+# ca_certs build stage
+################################################
+
+# We need up-to-date SSL certs, otherwise we won't be able to access
+# mirror.starlingx.windriver.com; yet the ca-certificates package is
+# behind that URL. As a workaround: install ca-certificates from
+# upstream debian, then copy the (generated) CA bundle into the.
+# main build stage.
+
+FROM debian:${DIST} as ca_certs
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y && \
+    apt-get -y install --no-install-recommends ca-certificates
+
+################################################
+# main build stage
+################################################
+
 # Start with an the old-ish bullseye release (11.2), then upgrade --
 # to make sure packages that come pre-installed in the debian:XXX image
 # are older than anything in StarlingX.
-ARG RELEASE=11.2
 FROM debian:${RELEASE}
 
 ENV DEBIAN_FRONTEND=noninteractive
@@ -52,6 +76,18 @@ RUN for layer in /etc/apt/sources.list.d/*.layer.sources.list; do \
 #        loci/docker/stx-scripts/
 #
 
+#
+# Copy CA certs from the "ca_certs" build stage. The bundle file was generated
+# by ca-certificates in that stage, and will be re-generated when we install
+# that package again in the main stage below. That version may be *older* than
+# the certs that we are copying here. We assume ca-certificates is regularly
+# updated in stx-tools' package download lists, or it is built by us, and contains
+# all the certs we might need during docker images build, such as the intermidate
+# cert used by mirror.starlingx.windriver.com .
+#
+RUN mkdir -p /etc/ssl/certs
+COPY --from=ca_certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+
 #
 # Upgrade base packages to versions in managed repos
 #