
🌱 Change how systemroot is created when SSL_CERT environment is set #1921


Closed
wants to merge 1 commit into from

Conversation

tmshort
Contributor

@tmshort tmshort commented Apr 15, 2025

Description

The x509.SystemCertPool() looks at the SSL_CERT_FILE and SSL_CERT_DIR
environment variables to generate the pool. However, if the contents of
the referenced file (singular) or directories (multiple) change, there
is no guarantee that x509.SystemCertPool() will be updated. Since we
are watching these locations (defined by the environment) via fsnotify,
we want to ensure that when those files are updated, the cert pool
we use is also updated.

So, if SSL_CERT_FILE or SSL_CERT_DIR are defined, create our cert pool
from those variables only, ignoring the x509.SystemCertPool().

This is how the x509.SystemCertPool() would be created, so we do it
explicitly instead. This allows us to properly refresh the pool when
fsnotify tells us there are changes to our watches.

This does not impact images/containers (i.e. image pulling) directly,
since that still uses x509.SystemCertPool(), so it may get a stale pool,
but the catalogd client will have an up-to-date pool.

See: https://pkg.go.dev/crypto/x509#SystemCertPool

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

@tmshort tmshort requested a review from a team as a code owner April 15, 2025 16:37
@openshift-ci openshift-ci bot requested review from bentito and grokspawn April 15, 2025 16:37

netlify bot commented Apr 15, 2025

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit e7e60b3
🔍 Latest deploy log https://app.netlify.com/sites/olmv1/deploys/6800084cec5a100008e4c0e7
😎 Deploy Preview https://deploy-preview-1921--olmv1.netlify.app

@tmshort tmshort added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 15, 2025
@tmshort tmshort force-pushed the system-pool branch 3 times, most recently from e4a6247 to aedd2bd Compare April 15, 2025 19:34

codecov bot commented Apr 15, 2025

Codecov Report

Attention: Patch coverage is 74.07407% with 21 lines in your changes missing coverage. Please review.

Project coverage is 66.14%. Comparing base (543f099) to head (e7e60b3).
Report is 7 commits behind head on main.

Files with missing lines Patch % Lines
internal/shared/util/http/certutil.go 74.07% 15 Missing and 6 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1921      +/-   ##
==========================================
+ Coverage   66.06%   66.14%   +0.08%     
==========================================
  Files          70       70              
  Lines        6182     6238      +56     
==========================================
+ Hits         4084     4126      +42     
- Misses       1839     1849      +10     
- Partials      259      263       +4     
Flag Coverage Δ
e2e 45.22% <54.32%> (+0.05%) ⬆️
unit 55.45% <70.37%> (+0.20%) ⬆️


The x509.SystemCertPool() looks at the SSL_CERT_FILE and SSL_CERT_DIR
environment variables to generate the pool. However, if the contents of
the referenced file (singular) or directories (multiple) change, there
is no guarantee that x509.SystemCertPool() will be updated. Since we
are watching these locations (defined by the environment) via fsnotify,
we want to ensure that when those files are updated, the cert pool
we use is also updated.

So, if SSL_CERT_FILE or SSL_CERT_DIR are defined, create our cert pool
from those variables _only_, ignoring the x509.SystemCertPool().

This is how the x509.SystemCertPool() would be created, so we do it
explicitly instead. This allows us to properly refresh the pool when
fsnotify tells us there are changes to our watches.

This does not impact images/containers (i.e. image pulling) directly,
since that still uses x509.SystemCertPool(), so it may get a stale pool,
but the catalogd client will have an up-to-date pool.

See: https://pkg.go.dev/crypto/x509#SystemCertPool

Signed-off-by: Todd Short <[email protected]>
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 16, 2025
@tmshort tmshort changed the title 🌱 Change how systemroot is created 🌱 Change how systemroot is created when SSL_CERT environment is set Apr 16, 2025
@tmshort
Contributor Author

tmshort commented Apr 23, 2025

closing, not needed.

@tmshort tmshort closed this Apr 23, 2025