From 2e1ceee22ce6f69db14bbac6bcdd6d9707f62f1c Mon Sep 17 00:00:00 2001
From: Sumukh Ballal
Date: Tue, 31 Dec 2024 20:25:51 +0000
Subject: [PATCH] certs: link host certs if present

In certain cases, if host certificates are present at the path '/.bottlerocket/certs', we would link them to the ca-trust and update-ca-trust process to pickup the new certificates.
---
 start_control_ssm.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/start_control_ssm.sh b/start_control_ssm.sh
index db4dd88..906ddd8 100644
--- a/start_control_ssm.sh
+++ b/start_control_ssm.sh
@@ -6,11 +6,21 @@ declare -r PERSISTENT_STORAGE_BASE_DIR="/.bottlerocket/host-containers/current"
 declare -r USER_DATA="${PERSISTENT_STORAGE_BASE_DIR}/user-data"
 declare -r SSM_AGENT_PERSISTENT_STATE_DIR="${PERSISTENT_STORAGE_BASE_DIR}/ssm"
 declare -r SSM_AGENT_LOCAL_STATE_DIR="/var/lib/amazon/ssm"
+declare -r HOST_CERTS="/.bottlerocket/certs"
 
 log() {
 echo "$*" >&2
 }
 
+# Link host certs if present into container & run update-ca-trust
+link_host_certs() {
+ for cert in $(ls -1 "${HOST_CERTS}"); do
+ ln -s "${HOST_CERTS}/${cert}" "/etc/pki/ca-trust/source/anchors/${cert}"
+ done
+ # Update the CA trust to pickup the new certificates
+ update-ca-trust
+}
+
 enable_hybrid_env_ssm() {
 # SSM parameters necessary to register with a hybrid activation
 local activation_code
@@ -55,6 +65,8 @@ fetch_from_json() {
 # then check to see if the user-data file contains ssm at the top-level. If so,
 # attempt to manually register with SSM with a hybrid activation.
 
+[[ -d "${HOST_CERTS}" ]] && link_host_certs
+
 mkdir -p "${SSM_AGENT_PERSISTENT_STATE_DIR}"
 chmod 750 "${SSM_AGENT_PERSISTENT_STATE_DIR}"
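Review bot: In `link_host_certs` the loop over `$(ls -1 "${HOST_CERTS}")` word-splits file names, and `ln -s` is used without `-f`, so if the container is restarted without being recreated every anchor already linked fails with "File exists"; should the script run under `set -e` (the shebang is outside this hunk) that aborts agent startup before the SSM state directory is prepared. Iterating a quoted glob, skipping non-regular entries and linking with `ln -sf --` makes the step idempotent and safe for unusual names, and the exit status of `update-ca-trust` is currently unchecked, so a failed trust rebuild passes silently where the existing `log` helper could report it. I would also add a comment on the function noting that every file the host drops into `/.bottlerocket/certs` becomes a CA trust anchor for the agent's TLS connections, so that directory must only be writable by the host operator — the hunk does not show who owns or mounts it.
```shell
# Link host certs if present into container & run update-ca-trust
link_host_certs() {
  local cert
  for cert in "${HOST_CERTS}"/*; do
    [[ -f "${cert}" ]] || continue   # skip subdirectories and the literal pattern of an empty dir
    ln -sf -- "${cert}" "/etc/pki/ca-trust/source/anchors/${cert##*/}"
  done
  # Update the CA trust to pickup the new certificates
  update-ca-trust || log "update-ca-trust failed; host certificates may not be trusted"
}
```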