nuageinit: implement ca_certs support

Add support for the 'ca_certs' cloud-config key which manages
CA certificates by writing them to /etc/ssl/certs/ and running
certctl rehash.
This commit is contained in:
Baptiste Daroussin
2026-06-05 22:27:07 +02:00
parent 6d27d52ccd
commit b56f029add
3 changed files with 67 additions and 0 deletions
+20
@@ -568,6 +568,25 @@ local function ntp(obj)
f:close()
end
local function ca_certs(obj)
if obj.ca_certs == nil then return end
local trusted = obj.ca_certs.trusted
if trusted == nil or #trusted == 0 then return end
local certdir = root .. "/etc/ssl/certs"
nuage.mkdir_p(certdir)
for i, cert in ipairs(trusted) do
local certpath = certdir .. "/nuageinit-" .. i .. ".pem"
local f = io.open(certpath, "w")
if f then
f:write(cert .. "\n")
f:close()
else
warnmsg("unable to write " .. certpath)
end
end
os.execute("certctl rehash 2>/dev/null")
end
local function ssh_deletekeys(obj)
if obj.ssh_deletekeys == nil then return end
if obj.ssh_deletekeys then
@@ -947,6 +966,7 @@ if line == nil then
-- YAML user-data
elseif line == "#cloud-config" then
local pre_network_calls = {
ca_certs,
mounts,
bootcmd,
sethostname,
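Review bot: The man page hunk in this same commit documents a `remove_defaults` key under `ca_certs`, but the new `ca_certs` function only reads `obj.ca_certs.trusted`, so that key is silently ignored; either implement it or drop it from the documentation. The `certctl rehash` call also runs against the live system while the certificates are written under `root .. "/etc/ssl/certs"`, and its exit status is discarded with stderr sent to /dev/null, so a failed rehash leaves the new files in place with no warning; mirroring the write-failure path with `if not os.execute("certctl rehash 2>/dev/null") then warnmsg("certctl rehash failed") end` would surface that. Finally, `cert .. "\n"` raises a runtime error when a list entry is not a string (a nested YAML mapping, for instance), so a `type(cert) ~= "string"` guard that calls `warnmsg` and skips the entry would be safer than aborting the whole cloud-config run. Note that files are named by list index, so a rerun with a shorter `trusted` list would leave earlier `nuageinit-N.pem` files in the trust store; whether that matters depends on whether nuageinit is expected to run more than once, which I cannot tell from this hunk.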
+17
@@ -258,6 +258,23 @@ to skip NTP configuration.
Alternatively,
.Ic ntp
can be a list of server addresses (legacy format).
.It Ic ca_certs
An object managing CA certificates.
.Pp
The following keys are recognized:
.Bl -tag -width "remove_defaults"
.It trusted
A list of PEM-encoded CA certificates to add to the system trust store.
Certificates are written to
.Pa /etc/ssl/certs/
and
.Xr certctl 8
rehash is executed.
.It remove_defaults
Boolean, if
.Ar true ,
remove the default CA certificates.
.El
.It Ic timezone
Sets the system timezone based on the value provided.
.Pp
+30
@@ -39,6 +39,7 @@ atf_test_case config2_userdata_resolv_conf
atf_test_case config2_userdata_keyboard
atf_test_case config2_userdata_ssh_authkey_fingerprints
atf_test_case config2_userdata_ntp
atf_test_case config2_userdata_ca_certs
atf_test_case config2_userdata_fqdn_and_hostname
atf_test_case config2_userdata_write_files
@@ -1245,6 +1246,34 @@ EOF
true
}
config2_userdata_ca_certs_head()
{
atf_set "require.user" root
}
config2_userdata_ca_certs_body()
{
mkdir -p media/nuageinit
setup_test_adduser
printf "{}" > media/nuageinit/meta_data.json
cat > media/nuageinit/user_data <<'EOF'
#cloud-config
ca_certs:
trusted:
- |
-----BEGIN CERTIFICATE-----
dGVzdGNlcnQx
-----END CERTIFICATE-----
- |
-----BEGIN CERTIFICATE-----
dGVzdGNlcnQy
-----END CERTIFICATE-----
EOF
atf_check -o empty /usr/libexec/nuageinit "${PWD}"/media/nuageinit config-2
atf_check -o match:"dGVzdGNlcnQx" cat etc/ssl/certs/nuageinit-1.pem
atf_check -o match:"dGVzdGNlcnQy" cat etc/ssl/certs/nuageinit-2.pem
true
}
config2_userdata_fqdn_and_hostname_body()
{
mkdir -p media/nuageinit
@@ -1299,6 +1328,7 @@ atf_init_test_cases()
atf_add_test_case config2_userdata_keyboard
atf_add_test_case config2_userdata_ssh_authkey_fingerprints
atf_add_test_case config2_userdata_ntp
atf_add_test_case config2_userdata_ca_certs
atf_add_test_case config2_userdata_fqdn_and_hostname
atf_add_test_case config2_userdata_write_files
}
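Review bot: The test only asserts the contents of `etc/ssl/certs/nuageinit-1.pem` and `nuageinit-2.pem`; it does not cover the early-return paths (`ca_certs` absent, `trusted` missing or empty), nor a non-string entry in `trusted`, which the current implementation would turn into a runtime error. Because the test requires root and the code under test calls `certctl rehash` on the live system rather than under the test directory, the test also has a side effect on the host trust store hash links; if that is unintended, it is worth either pointing the rehash at the test root or documenting the side effect in the test body. A second case such as `ca_certs: {trusted: []}` followed by `atf_check -s exit:0 test ! -e etc/ssl/certs/nuageinit-1.pem` would pin the empty-list behaviour.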