certs: link host certs if present

bottlerocket-os · Dec 23, 2024 · c6d6645 · c6d6645
1 parent 0673565
commit c6d6645
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/start_admin.sh b/start_admin.sh
@@ -9,6 +9,7 @@ log() {
 declare -r PERSISTENT_STORAGE_BASE_DIR="/.bottlerocket/host-containers/current"
 declare -r SSH_HOST_KEY_DIR="${PERSISTENT_STORAGE_BASE_DIR}/etc/ssh"
 declare -r USER_DATA="${PERSISTENT_STORAGE_BASE_DIR}/user-data"
+declare -r HOST_CERTS="/.bottlerocket/certs"
 
 if [ ! -s "${USER_DATA}" ]; then
   log "Admin host-container user-data is empty, going to sleep forever"
@@ -35,6 +36,15 @@ declare -r SSHD_CONFIG_FILE="${SSHD_CONFIG_DIR}/sshd_config"
 # one of the methods below is available.
 declare -i available_ssh_methods=0
 
+# Link host certs if present into container & run update-ca-trust
+if [ -e "${HOST_CERTS}" ]; then
+  for cert in $(ls -1 "${HOST_CERTS}"); do
+    ln -s "${HOST_CERTS}/${cert}" "/etc/pki/ca-trust/source/anchors/${cert}"
+  done
+  # Update the CA trust to pickup the new certificates
+  update-ca-trust
+fi
+
 get_user_data_keys() {
     # Extract the keys from user-data json
     local raw_keys