From 033f9fadf6bde7f3c6685a32cef4845dfc160d02 Mon Sep 17 00:00:00 2001
From: Shikha Vyaghra
Date: Sat, 1 Feb 2025 00:38:30 +0000
Subject: [PATCH] certs: link host certs if present
In certain cases, if host certificates are present at the path '/.bottlerocket/certs', we would link them to the ca-trust and update-ca-trust process to pickup the new certificates.
---
 bootstrap-script.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/bootstrap-script.sh b/bootstrap-script.sh
index be27cea..442f8d8 100755
--- a/bootstrap-script.sh
+++ b/bootstrap-script.sh
@@ -2,6 +2,19 @@
 set -xeuo pipefail
+declare -r HOST_CERTS="/.bottlerocket/certs"
+
+# Link host certs if present into container & run update-ca-trust
+link_host_certs() {
+ for cert in $(ls -1 "${HOST_CERTS}"); do
+ ln -s "${HOST_CERTS}/${cert}" "/etc/pki/ca-trust/source/anchors/${cert}"
+ done
+ # Update the CA trust to pickup the new certificates
+ update-ca-trust
+}
+
+[[ -d "${HOST_CERTS}" ]] && link_host_certs
+
 # Full path to the base64-encoded user data
 USER_DATA_PATH='/.bottlerocket/bootstrap-containers/current/user-data'
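Review bot: The loop in `link_host_certs` iterates over `$(ls -1 "${HOST_CERTS}")`, so a file name containing whitespace or glob characters is split or expanded, and every directory entry is linked into the trust anchors whatever its type. Iterating with a glob and keeping only regular files avoids both. Using `ln -sf` keeps an already existing link from aborting the script under `set -e`, although the hunk does not show whether an anchor of the same name can exist when this runs. Because everything linked here becomes a trusted CA for the container, a short comment stating who is expected to control `/.bottlerocket/certs` would help the next reader.

```shell
link_host_certs() {
  local cert
  for cert in "${HOST_CERTS}"/*; do
    # Skip the unmatched-glob literal, subdirectories and dangling links
    [[ -f "${cert}" ]] || continue
    ln -sf "${cert}" "/etc/pki/ca-trust/source/anchors/${cert##*/}"
  done
  # … unchanged: update-ca-trust …
}
```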