Change how systemroot is created

tmshort · tmshort · commit fca9175388bd · 2025-04-15T12:37:00.000-04:00
Signed-off-by: Todd Short &lt;tshort@redhat.com&gt;
diff --git a/internal/shared/util/http/certutil.go b/internal/shared/util/http/certutil.go
@@ -5,46 +5,92 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/go-logr/logr"
 )
 
-func NewCertPool(caDir string, log logr.Logger) (*x509.CertPool, error) {
-	caCertPool, err := x509.SystemCertPool()
+func readCertFile(pool *x509.CertPool, file string, log logr.Logger) (int, error) {
+	var count int
+	// These might be symlinks pointing to directories, so use Stat() to resolve
+	fi, err := os.Stat(file)
 	if err != nil {
-		return nil, err
+		return count, err
 	}
-	if caDir == "" {
-		return caCertPool, nil
+	if fi.IsDir() {
+		log.V(defaultLogLevel).Info("skip directory", "name", file)
+		return count, nil
 	}
+	log.V(defaultLogLevel).Info("load certificate", "name", file, "size", fi.Size(), "modtime", fi.ModTime())
+	data, err := os.ReadFile(file)
+	if err != nil {
+		return count, fmt.Errorf("error reading cert file %q: %w", file, err)
+	}
+	// The return indicates if any certs were added
+	if pool.AppendCertsFromPEM(data) {
+		count++
+	}
+	logPem(data, filepath.Base(file), filepath.Dir(file), "loading certificate file", log)
+
+	return count, nil
+}
 
-	dirEntries, err := os.ReadDir(caDir)
+func readCertDir(pool *x509.CertPool, dir string, log logr.Logger) (int, error) {
+	dirEntries, err := os.ReadDir(dir)
 	if err != nil {
-		return nil, err
+		return 0, err
 	}
-	count := 0
+	var count int
 
 	for _, e := range dirEntries {
-		file := filepath.Join(caDir, e.Name())
-		// These might be symlinks pointing to directories, so use Stat() to resolve
-		fi, err := os.Stat(file)
+		file := filepath.Join(dir, e.Name())
+		c, err := readCertFile(pool, file, log)
 		if err != nil {
-			return nil, err
+			return count, err
 		}
-		if fi.IsDir() {
-			log.V(defaultLogLevel).Info("skip directory", "name", e.Name())
-			continue
-		}
-		log.V(defaultLogLevel).Info("load certificate", "name", e.Name(), "size", fi.Size(), "modtime", fi.ModTime())
-		data, err := os.ReadFile(file)
+		count += c
+	}
+	return count, nil
+}
+
+// This function looks explicitly at the SSL environment, and
+// uses it to create a "fresh" system cert pool
+func systemCertPool(log logr.Logger) (*x509.CertPool, error) {
+	sslCertDir := os.Getenv("SSL_CERT_DIR")
+	sslCertFile := os.Getenv("SSL_CERT_FILE")
+	if sslCertDir == "" && sslCertFile == "" {
+		log.V(defaultLogLevel).Info("SystemCertPool: SSL environment not set")
+		return x509.SystemCertPool()
+	}
+	log.V(defaultLogLevel).Info("SystemCertPool: SSL environment set", "SSL_CERT_DIR", sslCertDir, "SSL_CERT_FILE", sslCertFile)
+	pool := x509.NewCertPool()
+	for _, d := range strings.Split(sslCertDir, ":") {
+		_, err := readCertDir(pool, d, log)
 		if err != nil {
-			return nil, fmt.Errorf("error reading cert file %q: %w", file, err)
+			return nil, err
 		}
-		// The return indicates if any certs were added
-		if caCertPool.AppendCertsFromPEM(data) {
-			count++
+	}
+	for _, d := range strings.Split(sslCertFile, ":") {
+		_, err := readCertFile(pool, d, log)
+		if err != nil {
+			return nil, err
 		}
-		logPem(data, e.Name(), caDir, "loading certificate file", log)
+	}
+	return pool, nil
+}
+
+func NewCertPool(caDir string, log logr.Logger) (*x509.CertPool, error) {
+	caCertPool, err := systemCertPool(log)
+	if err != nil {
+		return nil, err
+	}
+
+	if caDir == "" {
+		return caCertPool, nil
+	}
+	count, err := readCertDir(caCertPool, caDir, log)
+	if err != nil {
+		return nil, err
 	}
 
 	// Found no certs!
