From d010ad8bcb4aa77dcd8797dcc7ab359a320876cd Mon Sep 17 00:00:00 2001 From: tm16-medma Date: Thu, 26 Mar 2026 16:28:09 +0100 Subject: [PATCH] Refine OVIS CA file handling and logging in setup script Updated the ovis-setup.sh script to support both .crt and .pem certificate files for OIDC providers. Enhanced validation of CA candidates with improved logging to indicate skipped non-certificate files and clarified messages regarding the presence of valid CA files. This ensures better feedback during the OVIS module initialization process. --- ccp/modules/ovis-setup.sh | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/ccp/modules/ovis-setup.sh b/ccp/modules/ovis-setup.sh index c1561b65..6b20bf1c 100644 --- a/ccp/modules/ovis-setup.sh +++ b/ccp/modules/ovis-setup.sh @@ -18,14 +18,27 @@ if [ -n "$ENABLE_OVIS" ]; then if [ -d "$TRUSTED_CA_DIR" ]; then shopt -s nullglob - ca_cert_candidates=("$TRUSTED_CA_DIR"/*.crt) + ca_candidates=("$TRUSTED_CA_DIR"/*.crt "$TRUSTED_CA_DIR"/*.pem) shopt -u nullglob - if [ ${#ca_cert_candidates[@]} -gt 0 ]; then - OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES="$(IFS=,; printf '%s' "${ca_cert_candidates[*]}")" - log INFO "OVIS oauth2-proxy will trust OIDC provider CA files from $TRUSTED_CA_DIR (*.crt)." + if [ ${#ca_candidates[@]} -gt 0 ]; then + valid_ca_files=() + for candidate in "${ca_candidates[@]}"; do + if [ -f "$candidate" ] && grep -q "BEGIN CERTIFICATE" "$candidate"; then + valid_ca_files+=("$candidate") + else + log WARN "Skipping non-certificate OIDC CA candidate: $candidate" + fi + done + + if [ ${#valid_ca_files[@]} -gt 0 ]; then + OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES="$(IFS=,; printf '%s' "${valid_ca_files[*]}")" + log INFO "OVIS oauth2-proxy will trust OIDC provider CA files from $TRUSTED_CA_DIR (*.crt/*.pem certificates only)." + else + log INFO "No valid OIDC CA certificate files found in $TRUSTED_CA_DIR; oauth2-proxy will use system trust store only." + fi else - log INFO "No *.crt files found in $TRUSTED_CA_DIR; oauth2-proxy will use system trust store only." + log INFO "No OIDC CA candidates (*.crt/*.pem) found in $TRUSTED_CA_DIR; oauth2-proxy will use system trust store only." fi else log INFO "Trusted CA directory $TRUSTED_CA_DIR is missing; oauth2-proxy will use system trust store only."