From 8774a04f6bb88be8ab1d8c546e7a57b7b2abac39 Mon Sep 17 00:00:00 2001 From: Anton Patsev Date: Fri, 29 May 2026 08:53:46 +0600 Subject: [PATCH] fix: include CA certificates in scratch Docker image The final Docker image is built FROM scratch and does not contain system CA certificates. This causes TLS connections to Kafka brokers using public CA-signed certificates (e.g. AWS MSK with Amazon Trust Services) to fail with 'x509: certificate signed by unknown authority'. Copy ca-certificates.crt from the builder stage so that Go's crypto/tls can verify server certificates out of the box. Ref: https://github.com/sentry-kubernetes/charts/issues/2213 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 2f56ae81..96db93a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,6 +13,7 @@ RUN cd /go/src/${SRC} && \ FROM scratch +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY --from=builder \ /go/src/github.com/segmentio/topicctl/build/topicctl \ /bin/topicctl
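Review bot: The bundle copied by the added `COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt` line is a snapshot of the builder image's trust store at build time, so the roots the final image trusts are only as current as that base image. The builder stage's `FROM` line is outside this hunk; if it is pinned to an old tag or digest, distrusted roots would stay trusted and newer ones would be missing until the image is rebuilt on a refreshed base. I would record that above the new line, e.g. `# scratch has no trust store: copy the builder's CA bundle (snapshot at build time; refresh by rebuilding on an updated builder image)`. Brokers signed by a private CA are presumably still not covered by this bundle, so operators would need to supply their own (for instance via Go's `SSL_CERT_FILE`), which deserves a sentence in the docs.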