add trusted ca certificate support

Signed-off-by: Nick Petrovic <[email protected]>

Author: nickpetrovic

examples/default.yaml

@@ -103,6 +103,27 @@ ssh:
 # ADVANCED CONFIGURATION
 # ===================================================================== #
 
+caCerts:
+  # If set to `true`, this will remove all the default trusted CA certificates that
+  # are normally shipped with the OS.
+  # 🟢 Builtin default: false
+  removeDefaults: null
+
+  # A list of trusted CA certificate files. The files will be read and passed to cloud-init.
+  files:
+  # - examples/hello.crt
+
+  # A list of trusted CA certificates. These are directly passed to cloud-init.
+  certs:
+  # - |
+  #   -----BEGIN CERTIFICATE-----
+  #   YOUR-ORGS-TRUSTED-CA-CERT-HERE
+  #   -----END CERTIFICATE-----
+  # - |
+  #   -----BEGIN CERTIFICATE-----
+  #   YOUR-ORGS-TRUSTED-CA-CERT-HERE
+  #   -----END CERTIFICATE-----
+
 containerd:
   # Enable system-wide (aka rootful)  containerd and its dependencies (BuildKit, Stargz Snapshotter)
   # 🟢 Builtin default: false

pkg/cidata/cidata.TEMPLATE.d/user-data

@@ -52,3 +52,15 @@ resolv_conf:
   - {{$ns}}
   {{- end }}
 {{- end }}
+
+{{ with .CACerts }}
+ca-certs:
+  remove_defaults: {{ .RemoveDefaults }}
+  trusted:
+  {{- range $cert := .Trusted }}
+  - |
+    {{- range $line := $cert.Lines }}
+    {{ $line }}
+    {{- end }}
+  {{- end }}
+{{- end }}

pkg/cidata/cidata.go

@@ -186,6 +186,28 @@ func GenerateISO9660(instDir, name string, y *limayaml.LimaYAML, udpDNSLocalPort
 		}
 	}
 
+	args.CACerts.RemoveDefaults = y.CACertificates.RemoveDefaults
+
+	for _, path := range y.CACertificates.Files {
+		expanded, err := localpathutil.Expand(path)
+		if err != nil {
+			return err
+		}
+
+		content, err := os.ReadFile(expanded)
+		if err != nil {
+			return err
+		}
+
+		cert := getCert(string(content))
+		args.CACerts.Trusted = append(args.CACerts.Trusted, cert)
+	}
+
+	for _, content := range y.CACertificates.Certs {
+		cert := getCert(content)
+		args.CACerts.Trusted = append(args.CACerts.Trusted, cert)
+	}
+
 	if err := ValidateTemplateArgs(args); err != nil {
 		return err
 	}
@@ -244,3 +266,15 @@ func GuestAgentBinary(arch string) (io.ReadCloser, error) {
 	gaPath := filepath.Join(dir, "lima-guestagent.Linux-"+arch)
 	return os.Open(gaPath)
 }
+
+func getCert(content string) Cert {
+	lines := []string{}
+	for _, line := range strings.Split(content, "\n") {
+		if line == "" {
+			continue
+		}
+		lines = append(lines, strings.TrimSpace(line))
+	}
+	// return lines
+	return Cert{Lines: lines}
+}

pkg/cidata/template.go

@@ -19,6 +19,15 @@ var templateFS embed.FS
 
 const templateFSRoot = "cidata.TEMPLATE.d"
 
+type CACerts struct {
+	RemoveDefaults *bool
+	Trusted        []Cert
+}
+
+type Cert struct {
+	Lines []string
+}
+
 type Containerd struct {
 	System bool
 	User   bool
@@ -51,6 +60,7 @@ type TemplateArgs struct {
 	TCPDNSLocalPort int
 	Env             map[string]string
 	DNSAddresses    []string
+	CACerts         CACerts
 }
 
 func ValidateTemplateArgs(args TemplateArgs) error {

pkg/limayaml/defaults.go

@@ -72,6 +72,7 @@ func MACAddress(uniqueID string) string {
 // - Mounts are appended in d, y, o order, but "merged" when the Location matches a previous entry;
 //   the highest priority Writable setting wins.
 // - DNS are picked from the highest priority where DNS is not empty.
+// - CACertificates Files and Certs are uniquely appended
 func FillDefault(y, d, o *LimaYAML, filePath string) {
 	if y.Arch == nil {
 		y.Arch = d.Arch
@@ -450,6 +451,22 @@ func FillDefault(y, d, o *LimaYAML, filePath string) {
 		env[k] = v
 	}
 	y.Env = env
+
+	if y.CACertificates.RemoveDefaults == nil {
+		y.CACertificates.RemoveDefaults = d.CACertificates.RemoveDefaults
+	}
+	if o.CACertificates.RemoveDefaults != nil {
+		y.CACertificates.RemoveDefaults = o.CACertificates.RemoveDefaults
+	}
+	if y.CACertificates.RemoveDefaults == nil {
+		y.CACertificates.RemoveDefaults = pointer.Bool(false)
+	}
+
+	caFiles := unique(append(append(d.CACertificates.Files, y.CACertificates.Files...), o.CACertificates.Files...))
+	y.CACertificates.Files = caFiles
+
+	caCerts := unique(append(append(d.CACertificates.Certs, y.CACertificates.Certs...), o.CACertificates.Certs...))
+	y.CACertificates.Certs = caCerts
 }
 
 func FillPortForwardDefaults(rule *PortForward, instDir string) {
@@ -561,3 +578,15 @@ func Cname(host string) string {
 	}
 	return host
 }
+
+func unique(s []string) []string {
+	keys := make(map[string]bool)
+	list := []string{}
+	for _, entry := range s {
+		if _, found := keys[entry]; !found {
+			keys[entry] = true
+			list = append(list, entry)
+		}
+	}
+	return list
+}

pkg/limayaml/defaults_test.go

@@ -76,6 +76,9 @@ func TestFillDefault(t *testing.T) {
 			IPv6:    pointer.Bool(false),
 		},
 		PropagateProxyEnv: pointer.Bool(true),
+		CACertificates: CACertificates{
+			RemoveDefaults: pointer.Bool(false),
+		},
 	}
 	builtin.CPUType[arch] = "host"
 
@@ -126,6 +129,12 @@ func TestFillDefault(t *testing.T) {
 		Env: map[string]string{
 			"ONE": "Eins",
 		},
+		CACertificates: CACertificates{
+			Files: []string{"ca.crt"},
+			Certs: []string{
+				"-----BEGIN CERTIFICATE-----\nYOUR-ORGS-TRUSTED-CA-CERT\n-----END CERTIFICATE-----\n",
+			},
+		},
 	}
 
 	expect := builtin
@@ -179,6 +188,14 @@ func TestFillDefault(t *testing.T) {
 
 	expect.Env = y.Env
 
+	expect.CACertificates = CACertificates{
+		RemoveDefaults: pointer.Bool(false),
+		Files:          []string{"ca.crt"},
+		Certs: []string{
+			"-----BEGIN CERTIFICATE-----\nYOUR-ORGS-TRUSTED-CA-CERT\n-----END CERTIFICATE-----\n",
+		},
+	}
+
 	FillDefault(&y, &LimaYAML{}, &LimaYAML{}, filePath)
 	assert.DeepEqual(t, &y, &expect, opts...)
 
@@ -267,6 +284,12 @@ func TestFillDefault(t *testing.T) {
 			"ONE": "one",
 			"TWO": "two",
 		},
+		CACertificates: CACertificates{
+			RemoveDefaults: pointer.Bool(true),
+			Certs: []string{
+				"-----BEGIN CERTIFICATE-----\nYOUR-ORGS-TRUSTED-CA-CERT\n-----END CERTIFICATE-----\n",
+			},
+		},
 	}
 
 	expect = d
@@ -282,6 +305,10 @@ func TestFillDefault(t *testing.T) {
 		"default.": d.HostResolver.Hosts["default"],
 	}
 	expect.MountType = pointer.String(REVSSHFS)
+	expect.CACertificates.RemoveDefaults = pointer.Bool(true)
+	expect.CACertificates.Certs = []string{
+		"-----BEGIN CERTIFICATE-----\nYOUR-ORGS-TRUSTED-CA-CERT\n-----END CERTIFICATE-----\n",
+	}
 
 	y = LimaYAML{}
 	FillDefault(&y, &d, &LimaYAML{}, filePath)
@@ -413,6 +440,9 @@ func TestFillDefault(t *testing.T) {
 			"TWO":   "deux",
 			"THREE": "trois",
 		},
+		CACertificates: CACertificates{
+			RemoveDefaults: pointer.Bool(true),
+		},
 	}
 
 	y = filledDefaults
@@ -451,6 +481,12 @@ func TestFillDefault(t *testing.T) {
 	// ONE remains from filledDefaults.Env; the rest are set from o
 	expect.Env["ONE"] = y.Env["ONE"]
 
+	expect.CACertificates.RemoveDefaults = pointer.Bool(true)
+	expect.CACertificates.Files = []string{"ca.crt"}
+	expect.CACertificates.Certs = []string{
+		"-----BEGIN CERTIFICATE-----\nYOUR-ORGS-TRUSTED-CA-CERT\n-----END CERTIFICATE-----\n",
+	}
+
 	FillDefault(&y, &d, &o, filePath)
 	assert.DeepEqual(t, &y, &expect, opts...)
 }

pkg/limayaml/limayaml.go

@@ -30,6 +30,7 @@ type LimaYAML struct {
 	HostResolver      HostResolver      `yaml:"hostResolver,omitempty" json:"hostResolver,omitempty"`
 	UseHostResolver   *bool             `yaml:"useHostResolver,omitempty" json:"useHostResolver,omitempty"` // DEPRECATED, use `HostResolver.Enabled` instead
 	PropagateProxyEnv *bool             `yaml:"propagateProxyEnv,omitempty" json:"propagateProxyEnv,omitempty"`
+	CACertificates    CACertificates    `yaml:"caCerts,omitempty" json:"caCerts,omitempty"`
 }
 
 type Arch = string
@@ -155,6 +156,12 @@ type HostResolver struct {
 	Hosts   map[string]string `yaml:"hosts,omitempty" json:"hosts,omitempty"`
 }
 
+type CACertificates struct {
+	RemoveDefaults *bool    `yaml:"removeDefaults,omitempty" json:"removeDefaults,omitempty"` // default: false
+	Files          []string `yaml:"files,omitempty" json:"files,omitempty"`
+	Certs          []string `yaml:"certs,omitempty" json:"certs,omitempty"`
+}
+
 // DEPRECATED types below
 
 // Types have been renamed to turn all references to the old names into compiler errors,