Remove unused CA certificate handling from OVIS setup script and compose file

Eliminated the environment variables and volume mounts related to trusted CA certificates in both the ovis-compose.yml and ovis-setup.sh files. This streamlines the configuration by relying solely on the system trust store for OIDC provider communication, simplifying the initialization process for the OVIS module.
2026-04-01 01:00:16 +02:00 · 2026-03-26 17:03:53 +01:00
parent d010ad8bcb
commit c8bb9259db
2 changed files with 1 additions and 48 deletions
--- a/ccp/modules/ovis-compose.yml
+++ b/ccp/modules/ovis-compose.yml
@@ -6,9 +6,6 @@ services:
    environment:
      - http_proxy=http://forward_proxy:3128
      - https_proxy=http://forward_proxy:3128
-      - TLS_CA_CERTIFICATES_DIR=/etc/bridgehead/trusted-ca-certs
-      - OAUTH2_PROXY_USE_SYSTEM_TRUST_STORE=true
-      - OAUTH2_PROXY_PROVIDER_CA_FILES=${OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES}
      - OAUTH2_PROXY_PROVIDER=oidc
      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
      - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL}
@@ -30,8 +27,6 @@ services:
      - OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_USER_GROUP}
      - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
      - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-ovis
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/etc/bridgehead/trusted-ca-certs:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180"
--- a/ccp/modules/ovis-setup.sh
+++ b/ccp/modules/ovis-setup.sh
@@ -1,49 +1,7 @@
 #!/bin/bash -e

 if [ -n "$ENABLE_OVIS" ]; then
-  log INFO ""
-  log INFO "######################################################################"
-  log INFO "#    ___ __     _______ ____    __  __  ___  ____  _   _ _     _____ #"
-  log INFO "#   / _ \\ \   / /_ _/ ___|   |  \\/  |/ _ \\|  _ \\| | | | |   | ____|#"
-  log INFO "#  | | | |\\ \\ / / | |\\___ \\   | |\\/| | | | | | | | | | |   |  _|  #"
-  log INFO "#  | |_| | \\ V /  | | ___) |  | |  | | |_| | |_| | |_| | |___| |___ #"
-  log INFO "#   \\___/   \\_/  |___|____/   |_|  |_|\\___/|____/ \\___/|_____|_____|#"
-  log INFO "#                                                                    #"
-  log INFO "#          OVIS MODULE ENABLED - INITIALIZING AUTH + ROUTING         #"
-  log INFO "######################################################################"
-  log INFO ""
  log INFO "OVIS setup detected -- will start OVIS services with local oauth2-proxy middleware."
-  TRUSTED_CA_DIR="/etc/bridgehead/trusted-ca-certs"
-  OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES=""
-
-  if [ -d "$TRUSTED_CA_DIR" ]; then
-    shopt -s nullglob
-    ca_candidates=("$TRUSTED_CA_DIR"/*.crt "$TRUSTED_CA_DIR"/*.pem)
-    shopt -u nullglob
-
-    if [ ${#ca_candidates[@]} -gt 0 ]; then
-      valid_ca_files=()
-      for candidate in "${ca_candidates[@]}"; do
-        if [ -f "$candidate" ] && grep -q "BEGIN CERTIFICATE" "$candidate"; then
-          valid_ca_files+=("$candidate")
-        else
-          log WARN "Skipping non-certificate OIDC CA candidate: $candidate"
-        fi
-      done
-
-      if [ ${#valid_ca_files[@]} -gt 0 ]; then
-        OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES="$(IFS=,; printf '%s' "${valid_ca_files[*]}")"
-        log INFO "OVIS oauth2-proxy will trust OIDC provider CA files from $TRUSTED_CA_DIR (*.crt/*.pem certificates only)."
-      else
-        log INFO "No valid OIDC CA certificate files found in $TRUSTED_CA_DIR; oauth2-proxy will use system trust store only."
-      fi
-    else
-      log INFO "No OIDC CA candidates (*.crt/*.pem) found in $TRUSTED_CA_DIR; oauth2-proxy will use system trust store only."
-    fi
-  else
-    log INFO "Trusted CA directory $TRUSTED_CA_DIR is missing; oauth2-proxy will use system trust store only."
-  fi
-
  OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml"
  add_private_oidc_redirect_url "/oauth2-ovis/callback"
-fi
+fi