From 3cb1d7041648486ce14f9ae0a21582700702753d Mon Sep 17 00:00:00 2001
From: tm16-medma
Date: Thu, 26 Mar 2026 16:16:21 +0100
Subject: [PATCH] Enhance OVIS setup script to handle missing CA directory and refine logging

Updated the ovis-setup.sh script to improve handling of the trusted CA directory, ensuring that the oauth2-proxy uses the system trust store if the directory is missing. Adjusted logging messages for clarity regarding the detection of custom OIDC CA files, specifically focusing on .crt files. Additionally, added a new environment variable for TLS_CA_CERTIFICATES_DIR in the ovis-compose.yml file to support trusted CA certificates.
---
 ccp/modules/ovis-compose.yml | 1 +
 ccp/modules/ovis-setup.sh | 13 ++++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/ccp/modules/ovis-compose.yml b/ccp/modules/ovis-compose.yml
index c369ec87..40f71ca2 100644
--- a/ccp/modules/ovis-compose.yml
+++ b/ccp/modules/ovis-compose.yml
@@ -6,6 +6,7 @@ services:
 environment:
 - http_proxy=http://forward_proxy:3128
 - https_proxy=http://forward_proxy:3128
+ - TLS_CA_CERTIFICATES_DIR=/etc/bridgehead/trusted-ca-certs
 - OAUTH2_PROXY_USE_SYSTEM_TRUST_STORE=true
 - OAUTH2_PROXY_PROVIDER_CA_FILES=${OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES}
 - OAUTH2_PROXY_PROVIDER=oidc
diff --git a/ccp/modules/ovis-setup.sh b/ccp/modules/ovis-setup.sh
index e22fcfaa..f8458837 100644
--- a/ccp/modules/ovis-setup.sh
+++ b/ccp/modules/ovis-setup.sh
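Review bot: The added `TLS_CA_CERTIFICATES_DIR=/etc/bridgehead/trusted-ca-certs` line names a directory inside the container, and nothing in this hunk shows that directory being mounted into the service; the neighbouring `OAUTH2_PROXY_PROVIDER_CA_FILES` has the same dependency, since ovis-setup.sh builds its value from host paths under that directory, so both only work if the host directory is bind-mounted at an identical container path. If the volume definition sits in a part of the file outside this hunk, a comment above the new line, `# must match the bind mount of the host trusted-ca-certs directory`, would spare the next reader the search. It is also not visible here which process consumes TLS_CA_CERTIFICATES_DIR; with OAUTH2_PROXY_USE_SYSTEM_TRUST_STORE and OAUTH2_PROXY_PROVIDER_CA_FILES already covering the provider CA, a one-line comment saying what the new variable adds on top of them would document the intent.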
@@ -3,18 +3,21 @@ if [ -n "$ENABLE_OVIS" ]; then
 log INFO "OVIS setup detected -- will start OVIS services with local oauth2-proxy middleware."
 TRUSTED_CA_DIR="/etc/bridgehead/trusted-ca-certs"
+ OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES=""
 if [ -d "$TRUSTED_CA_DIR" ]; then
 shopt -s nullglob
- ca_candidates=("$TRUSTED_CA_DIR"/*.crt "$TRUSTED_CA_DIR"/*.pem)
+ ca_cert_candidates=("$TRUSTED_CA_DIR"/*.crt)
 shopt -u nullglob
- if [ ${#ca_candidates[@]} -gt 0 ]; then
- OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES="$(IFS=,; printf '%s' "${ca_candidates[*]}")"
- log INFO "OVIS oauth2-proxy will trust custom OIDC CA files from $TRUSTED_CA_DIR."
+ if [ ${#ca_cert_candidates[@]} -gt 0 ]; then
+ OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES="$(IFS=,; printf '%s' "${ca_cert_candidates[*]}")"
+ log INFO "OVIS oauth2-proxy will trust OIDC provider CA files from $TRUSTED_CA_DIR (*.crt)."
 else
- log INFO "No custom OIDC CA files (*.crt/*.pem) found in $TRUSTED_CA_DIR; using container system trust store only."
+ log INFO "No *.crt files found in $TRUSTED_CA_DIR; oauth2-proxy will use system trust store only."
 fi
+ else
+ log INFO "Trusted CA directory $TRUSTED_CA_DIR is missing; oauth2-proxy will use system trust store only."
 fi
 OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml"