certs: link host certs if present

In certain cases, if host certificates are present at the path '/.bottlerocket/certs', we would link them to the ca-trust and update-ca-trust process to pickup the new certificates.
bottlerocket-os · Feb 1, 2025 · 033f9fa · 033f9fa
1 parent db51958
commit 033f9fa
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/bootstrap-script.sh b/bootstrap-script.sh
@@ -2,6 +2,19 @@
 
 set -xeuo pipefail
 
+declare -r HOST_CERTS="/.bottlerocket/certs"
+
+# Link host certs if present into container & run update-ca-trust
+link_host_certs() {
+  for cert in $(ls -1 "${HOST_CERTS}"); do
+    ln -s "${HOST_CERTS}/${cert}" "/etc/pki/ca-trust/source/anchors/${cert}"
+  done
+  # Update the CA trust to pickup the new certificates
+  update-ca-trust
+}
+
+[[ -d "${HOST_CERTS}" ]] && link_host_certs
+
 # Full path to the base64-encoded user data
 USER_DATA_PATH='/.bottlerocket/bootstrap-containers/current/user-data'