mirror of
https://github.com/containers/podman.git
synced 2025-08-15 03:33:28 +08:00
ignition: add support from setting SSL_CERT_FILE
Podman often has to run behind an http/https proxy, often in corporate environments. This proxy may or may not include SSL inspection capabilities, requiring a trusted SSL CA certificate to be added to a system's trust store. Copy the file referred to by SSL_CERT_FILE on the host into the podman machine's OS trust store, overriding the built-in single-file trust store certificate. Also set the `SSL_FILE_CERT` on remote machine [NO NEW TESTS NEEDED] Signed-off-by: Aditya Rajan <arajan@redhat.com>
This commit is contained in:
@ -383,47 +383,95 @@ machine_enabled=true
|
||||
return files
|
||||
}
|
||||
|
||||
certFiles := getCerts(filepath.Join(userHome, ".config/containers/certs.d"))
|
||||
certFiles := getCerts(filepath.Join(userHome, ".config/containers/certs.d"), true)
|
||||
files = append(files, certFiles...)
|
||||
|
||||
certFiles = getCerts(filepath.Join(userHome, ".config/docker/certs.d"))
|
||||
certFiles = getCerts(filepath.Join(userHome, ".config/docker/certs.d"), true)
|
||||
files = append(files, certFiles...)
|
||||
|
||||
if sslCertFile, ok := os.LookupEnv("SSL_CERT_FILE"); ok {
|
||||
if _, err := os.Stat(sslCertFile); err == nil {
|
||||
certFiles = getCerts(sslCertFile, false)
|
||||
files = append(files, certFiles...)
|
||||
|
||||
if len(certFiles) > 0 {
|
||||
setSSLCertFile := fmt.Sprintf("export %s=%s", "SSL_CERT_FILE", filepath.Join("/etc/containers/certs.d", filepath.Base(sslCertFile)))
|
||||
files = append(files, File{
|
||||
Node: Node{
|
||||
Group: getNodeGrp("root"),
|
||||
Path: "/etc/profile.d/ssl_cert_file.sh",
|
||||
User: getNodeUsr("root"),
|
||||
},
|
||||
FileEmbedded1: FileEmbedded1{
|
||||
Append: nil,
|
||||
Contents: Resource{
|
||||
Source: encodeDataURLPtr(setSSLCertFile),
|
||||
},
|
||||
Mode: intToPtr(0644),
|
||||
},
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return files
|
||||
}
|
||||
|
||||
func getCerts(certsDir string) []File {
|
||||
func getCerts(certsDir string, isDir bool) []File {
|
||||
var (
|
||||
files []File
|
||||
)
|
||||
|
||||
certs, err := ioutil.ReadDir(certsDir)
|
||||
if err == nil {
|
||||
for _, cert := range certs {
|
||||
b, err := ioutil.ReadFile(filepath.Join(certsDir, cert.Name()))
|
||||
if err != nil {
|
||||
logrus.Warnf("Unable to read cert file %s", err.Error())
|
||||
continue
|
||||
}
|
||||
files = append(files, File{
|
||||
Node: Node{
|
||||
Group: getNodeGrp("root"),
|
||||
Path: filepath.Join("/etc/containers/certs.d/", cert.Name()),
|
||||
User: getNodeUsr("root"),
|
||||
},
|
||||
FileEmbedded1: FileEmbedded1{
|
||||
Append: nil,
|
||||
Contents: Resource{
|
||||
Source: encodeDataURLPtr(string(b)),
|
||||
if isDir {
|
||||
if err == nil {
|
||||
for _, cert := range certs {
|
||||
b, err := ioutil.ReadFile(filepath.Join(certsDir, cert.Name()))
|
||||
if err != nil {
|
||||
logrus.Warnf("Unable to read cert file %s", err.Error())
|
||||
continue
|
||||
}
|
||||
files = append(files, File{
|
||||
Node: Node{
|
||||
Group: getNodeGrp("root"),
|
||||
Path: filepath.Join("/etc/containers/certs.d/", cert.Name()),
|
||||
User: getNodeUsr("root"),
|
||||
},
|
||||
Mode: intToPtr(0644),
|
||||
},
|
||||
})
|
||||
FileEmbedded1: FileEmbedded1{
|
||||
Append: nil,
|
||||
Contents: Resource{
|
||||
Source: encodeDataURLPtr(string(b)),
|
||||
},
|
||||
Mode: intToPtr(0644),
|
||||
},
|
||||
})
|
||||
}
|
||||
} else {
|
||||
if !os.IsNotExist(err) {
|
||||
logrus.Warnf("Unable to copy certs via ignition, error while reading certs from %s: %s", certsDir, err.Error())
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if !os.IsNotExist(err) {
|
||||
logrus.Warnf("Unable to copy certs via ignition, error while reading certs from %s: %s", certsDir, err.Error())
|
||||
fileName := filepath.Base(certsDir)
|
||||
b, err := ioutil.ReadFile(certsDir)
|
||||
if err != nil {
|
||||
logrus.Warnf("Unable to read cert file %s", err.Error())
|
||||
return files
|
||||
}
|
||||
files = append(files, File{
|
||||
Node: Node{
|
||||
Group: getNodeGrp("root"),
|
||||
Path: filepath.Join("/etc/containers/certs.d/", fileName),
|
||||
User: getNodeUsr("root"),
|
||||
},
|
||||
FileEmbedded1: FileEmbedded1{
|
||||
Append: nil,
|
||||
Contents: Resource{
|
||||
Source: encodeDataURLPtr(string(b)),
|
||||
},
|
||||
Mode: intToPtr(0644),
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
return files
|
||||
|
Reference in New Issue
Block a user