From abc89a98ccd003d4baf01868637eff944d9a37d1 Mon Sep 17 00:00:00 2001
From: rtkapiper
Date: Fri, 14 Jul 2023 00:50:30 +0000
Subject: debootstrap_plugin: optionally install TLS Certificate Authority certs

Add an optional `tls_ca_certs` key which takes a list of paths to TLS Certificate Authority (CA) cert files to install in the image after the debootstrap process has completed. This allows the use of package repositories with HTTPS transports that use TLS certificates issued by private CAs. Note that the CA cert files being installed must have a `.crt` suffix in order to be used.
---
 vmdb/plugins/debootstrap.mdwn | 7 +++++++
 vmdb/plugins/debootstrap_plugin.py | 18 ++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/vmdb/plugins/debootstrap.mdwn b/vmdb/plugins/debootstrap.mdwn
index 6784096..adef40c 100644
--- a/vmdb/plugins/debootstrap.mdwn
+++ b/vmdb/plugins/debootstrap.mdwn
@@ -29,6 +29,13 @@ Step keys:
 * `include` — OPTIONAL; a list of additional packages for debootstrap to install.

+* `tls_ca_certs` — OPTIONAL; a list of paths to TLS Certificate
+ Authority (CA) cert files to install in the image after the debootstrap
+ process has completed. This allows the use of package repositories with
+ HTTPS transports that use TLS certificates issued by private CAs.
+ Note that the CA cert files being installed must have a `.crt` suffix
+ in order to be used.
+
 Example (in the .vmdb file):

 - debootstrap: buster
diff --git a/vmdb/plugins/debootstrap_plugin.py b/vmdb/plugins/debootstrap_plugin.py
index 2040fdb..b7e9843 100644
--- a/vmdb/plugins/debootstrap_plugin.py
+++ b/vmdb/plugins/debootstrap_plugin.py
@@ -40,6 +40,7 @@ class DebootstrapStepRunner(vmdb.StepRunnerInterface):
 "components": ["main"],
 "include": [],
 "require_empty_target": True,
+ "tls_ca_certs": [],
 }

 def run(self, values, settings, state):
@@ -49,6 +50,7 @@ class DebootstrapStepRunner(vmdb.StepRunnerInterface):
 mirror = values["mirror"]
 keyring = values["keyring"] or None
 install_keyring = values["install_keyring"]
+ tls_ca_certs = values["tls_ca_certs"]
 include = values["include"]
 require_empty = values["require_empty_target"]
 arch = values["arch"] or state.arch
@@ -68,6 +70,10 @@ class DebootstrapStepRunner(vmdb.StepRunnerInterface):
 f"debootstrap target {target} is a not an empty directory: {names}"
 )

+ bad_certs = [c for c in tls_ca_certs if not c.endswith(".crt")]
+ if bad_certs:
+ raise RuntimeError(f'TLS cert(s) do not have a ".crt" suffix: {bad_certs}')
+
 cmd = [
 "debootstrap",
 "--arch",
@@ -101,6 +107,18 @@ class DebootstrapStepRunner(vmdb.StepRunnerInterface):
 vmdb.runcmd_chroot(target, ["apt-key", "add", f"/{keyring_basename}"])
 os.remove(chroot_keyring)

+ if tls_ca_certs:
+ for ca_cert in tls_ca_certs:
+ target_cert_path = os.path.join(
+ target,
+ "usr/local/share/ca-certificates",
+ os.path.basename(ca_cert),
+ )
+
+ shutil.copyfile(ca_cert, target_cert_path)
+ vmdb.progress(f"Copied {ca_cert} -> {target_cert_path}")
+ vmdb.runcmd_chroot(target, ["update-ca-certificates"])
+
 if remove_pkgs:
 vmdb.runcmd_chroot(
 target,
--
cgit v1.2.1
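Review bot: The pre-flight check on the added `bad_certs` lines in the `@@ -68,6 +70,10 @@` hunk only inspects the filename suffix, so a missing or unreadable cert path is not caught until `shutil.copyfile` runs after debootstrap has already completed, and the step then fails late with a raw `FileNotFoundError` instead of a clear message. Since this check is placed before the debootstrap command precisely to fail fast, it should also confirm each entry is a regular file, e.g. `missing = [c for c in tls_ca_certs if not os.path.isfile(c)]` / `if missing:` / `raise RuntimeError(f"TLS cert file(s) not found: {missing}")`. A short comment such as `# Validate CA cert paths up front so bad input fails before the slow debootstrap run` would make the intent of the placement explicit. The enclosing `run` method starts and ends outside this hunk.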
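Review bot: The copy loop in the added `if tls_ca_certs:` block of the `@@ -101,6 +107,18 @@` hunk assumes `usr/local/share/ca-certificates` already exists under `target`, but that directory and the `update-ca-certificates` command both come from the `ca-certificates` package, which nothing in this change ensures is part of the bootstrap set; when it is absent, `shutil.copyfile` raises a bare `FileNotFoundError` after the long debootstrap run, and the chroot command would fail even if the copy had succeeded. I'd check the directory once before the loop and raise a message naming the package, and state the requirement in debootstrap.mdwn (it can be satisfied through the existing `include` key). Separately, using `os.path.basename(ca_cert)` alone means two list entries with the same file name silently overwrite each other in the image, so only the last one ends up trusted; rejecting duplicate names makes that explicit. The enclosing `run` method starts and ends outside this hunk.

```python
if tls_ca_certs:
    cert_dir = os.path.join(target, "usr/local/share/ca-certificates")
    # Provided by the ca-certificates package; without it update-ca-certificates
    # would be missing as well, so fail here with a clear message.
    if not os.path.isdir(cert_dir):
        raise RuntimeError(
            f"{cert_dir} does not exist in the image; "
            "the ca-certificates package must be installed (e.g. via 'include')"
        )
    seen_names = set()
    for ca_cert in tls_ca_certs:
        cert_name = os.path.basename(ca_cert)
        if cert_name in seen_names:
            raise RuntimeError(f"duplicate TLS cert file name: {cert_name}")
        seen_names.add(cert_name)
        target_cert_path = os.path.join(cert_dir, cert_name)
        # … unchanged: shutil.copyfile and vmdb.progress …
    vmdb.runcmd_chroot(target, ["update-ca-certificates"])
```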