Add /etc/pki directory to appnet agent's bind mounts

This is the path to the host's PKI directory. The appnet agent container needs this directory mounted so that it can access the host's PKI directory for the purpose of utilizing any special CA certs that the underlying EC2 instance has configured.
aws · Dec 4, 2024 · 158bb5f · 158bb5f
1 parent 0743b42
commit 158bb5f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/agent/engine/serviceconnect/manager_linux.go b/agent/engine/serviceconnect/manager_linux.go
@@ -84,6 +84,12 @@ const (
 
 	ecsAgentLogFileENV              = "ECS_LOGFILE"
 	defaultECSAgentLogPathContainer = "/log"
+
+	// This is the path to the host's PKI directory. The appnet agent container needs
+	// this directory mounted so that it can access the host's PKI directory for the
+	// purpose of utilizing any special CA certs that the underlying EC2 instance has
+	// configured.
+	hostPKIDirPath = "/etc/pki"
 )
 
 type manager struct {
@@ -207,6 +213,7 @@ func (m *manager) initAgentDirectoryMounts(taskId string, container *apicontaine
 
 	hostConfig.Binds = append(hostConfig.Binds, getBindMountMapping(statusPathHost, m.statusPathContainer))
 	hostConfig.Binds = append(hostConfig.Binds, getBindMountMapping(m.relayPathHost, m.relayPathContainer))
+	hostConfig.Binds = append(hostConfig.Binds, getBindMountMapping(hostPKIDirPath, hostPKIDirPath))
 
 	// create logging directory and bind mount, if customer has not configured a logging driver
 	if container.GetLogDriver() == "" {

diff --git a/agent/engine/serviceconnect/manager_linux_test_common.go b/agent/engine/serviceconnect/manager_linux_test_common.go
@@ -129,6 +129,7 @@ func testAgentContainerModificationsForServiceConnect(t *testing.T, privilegedMo
 		fmt.Sprintf("%s/status/%s:%s", tempDir, scTask.GetID(), "/some/other/run"),
 		fmt.Sprintf("%s/relay:%s", tempDir, "/not/var/run"),
 		fmt.Sprintf("%s/log/%s:%s", tempDir, scTask.GetID(), "/some/other/log"),
+		"/etc/pki:/etc/pki",
 	}
 	expectedENVs := map[string]string{
 		"ReLaYgOeShErE":                 "unix:///not/var/run/relay_file_of_holiness",
@@ -190,7 +191,7 @@ func testAgentContainerModificationsForServiceConnect(t *testing.T, privilegedMo
 			if err != nil {
 				t.Fatal(err)
 			}
-			assert.Equal(t, tc.expectedBinds, hostConfig.Binds)
+			assert.ElementsMatch(t, tc.expectedBinds, hostConfig.Binds)
 			assert.Equal(t, tc.expectedENV, tc.container.Environment)
 			if privilegedMode {
 				for _, bind := range hostConfig.Binds {