diff options
author | Aditya Rajan <arajan@redhat.com> | 2022-01-05 17:44:46 +0530 |
---|---|---|
committer | Aditya Rajan <arajan@redhat.com> | 2022-01-11 00:46:06 +0530 |
commit | a8b02cf4bff10c252e6c7864c6b2c72c11ce2a18 (patch) | |
tree | 0078fdabb7a1ef56524b3936df6ffa4fe83ce911 /pkg | |
parent | 5c363ff276b7f97cff5ce946e313d98ae9bb2f60 (diff) | |
download | podman-a8b02cf4bff10c252e6c7864c6b2c72c11ce2a18.tar.gz podman-a8b02cf4bff10c252e6c7864c6b2c72c11ce2a18.tar.bz2 podman-a8b02cf4bff10c252e6c7864c6b2c72c11ce2a18.zip |
ignition: add support from setting SSL_CERT_FILE
Podman often has to run behind an http/https proxy, often in corporate environments.
This proxy may or may not include SSL inspection capabilities, requiring a trusted SSL CA certificate to be added to a system's trust store.
Copy the file referred to by SSL_CERT_FILE on the host into the podman machine's OS trust store, overriding the built-in single-file trust store certificate.
Also set the `SSL_FILE_CERT` on remote machine
[NO NEW TESTS NEEDED]
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/machine/ignition.go | 98 |
1 files changed, 73 insertions, 25 deletions
diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go index 7293bc236..de2026a1a 100644 --- a/pkg/machine/ignition.go +++ b/pkg/machine/ignition.go @@ -383,47 +383,95 @@ machine_enabled=true return files } - certFiles := getCerts(filepath.Join(userHome, ".config/containers/certs.d")) + certFiles := getCerts(filepath.Join(userHome, ".config/containers/certs.d"), true) files = append(files, certFiles...) - certFiles = getCerts(filepath.Join(userHome, ".config/docker/certs.d")) + certFiles = getCerts(filepath.Join(userHome, ".config/docker/certs.d"), true) files = append(files, certFiles...) + if sslCertFile, ok := os.LookupEnv("SSL_CERT_FILE"); ok { + if _, err := os.Stat(sslCertFile); err == nil { + certFiles = getCerts(sslCertFile, false) + files = append(files, certFiles...) + + if len(certFiles) > 0 { + setSSLCertFile := fmt.Sprintf("export %s=%s", "SSL_CERT_FILE", filepath.Join("/etc/containers/certs.d", filepath.Base(sslCertFile))) + files = append(files, File{ + Node: Node{ + Group: getNodeGrp("root"), + Path: "/etc/profile.d/ssl_cert_file.sh", + User: getNodeUsr("root"), + }, + FileEmbedded1: FileEmbedded1{ + Append: nil, + Contents: Resource{ + Source: encodeDataURLPtr(setSSLCertFile), + }, + Mode: intToPtr(0644), + }, + }) + } + } + } + return files } -func getCerts(certsDir string) []File { +func getCerts(certsDir string, isDir bool) []File { var ( files []File ) certs, err := ioutil.ReadDir(certsDir) - if err == nil { - for _, cert := range certs { - b, err := ioutil.ReadFile(filepath.Join(certsDir, cert.Name())) - if err != nil { - logrus.Warnf("Unable to read cert file %s", err.Error()) - continue - } - files = append(files, File{ - Node: Node{ - Group: getNodeGrp("root"), - Path: filepath.Join("/etc/containers/certs.d/", cert.Name()), - User: getNodeUsr("root"), - }, - FileEmbedded1: FileEmbedded1{ - Append: nil, - Contents: Resource{ - Source: encodeDataURLPtr(string(b)), + if isDir { + if err == nil { + for _, cert := range certs { + b, err := ioutil.ReadFile(filepath.Join(certsDir, cert.Name())) + if err != nil { + logrus.Warnf("Unable to read cert file %s", err.Error()) + continue + } + files = append(files, File{ + Node: Node{ + Group: getNodeGrp("root"), + Path: filepath.Join("/etc/containers/certs.d/", cert.Name()), + User: getNodeUsr("root"), }, - Mode: intToPtr(0644), - }, - }) + FileEmbedded1: FileEmbedded1{ + Append: nil, + Contents: Resource{ + Source: encodeDataURLPtr(string(b)), + }, + Mode: intToPtr(0644), + }, + }) + } + } else { + if !os.IsNotExist(err) { + logrus.Warnf("Unable to copy certs via ignition, error while reading certs from %s: %s", certsDir, err.Error()) + } } } else { - if !os.IsNotExist(err) { - logrus.Warnf("Unable to copy certs via ignition, error while reading certs from %s: %s", certsDir, err.Error()) + fileName := filepath.Base(certsDir) + b, err := ioutil.ReadFile(certsDir) + if err != nil { + logrus.Warnf("Unable to read cert file %s", err.Error()) + return files } + files = append(files, File{ + Node: Node{ + Group: getNodeGrp("root"), + Path: filepath.Join("/etc/containers/certs.d/", fileName), + User: getNodeUsr("root"), + }, + FileEmbedded1: FileEmbedded1{ + Append: nil, + Contents: Resource{ + Source: encodeDataURLPtr(string(b)), + }, + Mode: intToPtr(0644), + }, + }) } return files |