From 67007987c7e6e27476eb1388e749685824933c4b Mon Sep 17 00:00:00 2001 From: davdhacs <105243888+davdhacs@users.noreply.github.com> Date: Wed, 25 Mar 2026 17:16:22 -0600 Subject: [PATCH 1/2] refactor: Consolidate CA trust setup into import-additional-cas Merge trust-root-ca into import-additional-cas to align with how stackrox/stackrox handles CA trust (single script, single update-ca-trust call). This eliminates a redundant update-ca-trust invocation and simplifies the entrypoint. Changes: - Add copy_single() to import-additional-cas for the StackRox root CA at /run/secrets/stackrox.io/certs/ca.pem - Remove trust-root-ca script and its references in entrypoint.sh and create-bundle.sh - update-ca-trust extract --output is now called once instead of twice Co-Authored-By: Claude Opus 4.6 (1M context) --- image/scanner/rhel/create-bundle.sh | 1 - image/scanner/scripts/entrypoint.sh | 1 - image/scanner/scripts/import-additional-cas | 11 +++++++++++ image/scanner/scripts/trust-root-ca | 16 ---------------- 4 files changed, 11 insertions(+), 18 deletions(-) delete mode 100755 image/scanner/scripts/trust-root-ca diff --git a/image/scanner/rhel/create-bundle.sh b/image/scanner/rhel/create-bundle.sh index 993fee6b7..dac612a3c 100755 --- a/image/scanner/rhel/create-bundle.sh +++ b/image/scanner/rhel/create-bundle.sh @@ -41,7 +41,6 @@ cp "${INPUT_ROOT}/scripts/entrypoint.sh" "${OUTPUT_DIR}/scripts" cp "${INPUT_ROOT}/scripts/import-additional-cas" "${OUTPUT_DIR}/scripts" cp "${INPUT_ROOT}/scripts/restore-all-dir-contents" "${OUTPUT_DIR}/scripts" cp "${INPUT_ROOT}/scripts/save-dir-contents" "${OUTPUT_DIR}/scripts" -cp "${INPUT_ROOT}/scripts/trust-root-ca" "${OUTPUT_DIR}/scripts" # ============================================================================= # Add binaries and data files to be included in the Dockerfile here. This diff --git a/image/scanner/scripts/entrypoint.sh b/image/scanner/scripts/entrypoint.sh index 152964903..c0bc81c98 100755 --- a/image/scanner/scripts/entrypoint.sh +++ b/image/scanner/scripts/entrypoint.sh @@ -4,6 +4,5 @@ set -euo pipefail /restore-all-dir-contents /import-additional-cas -/trust-root-ca exec /scanner diff --git a/image/scanner/scripts/import-additional-cas b/image/scanner/scripts/import-additional-cas index def33dfa8..198e3a918 100755 --- a/image/scanner/scripts/import-additional-cas +++ b/image/scanner/scripts/import-additional-cas @@ -22,6 +22,17 @@ copy_existing /usr/local/share/ca-certificates # Copy the custom trusted CA bundles injected by the Openshift Network Operator. copy_existing /etc/pki/injected-ca-trust +# Copy the StackRox root CA if available (mounted by the operator). +# Only copy ca.pem — the mount also contains server cert and key which +# should not be added as trusted CA anchors. +CA_PATH="/run/secrets/stackrox.io/certs/ca.pem" +if [ -f "$CA_PATH" ]; then + echo "Copying StackRox root CA from '$CA_PATH'" + cp -v -L "$CA_PATH" /etc/pki/ca-trust/source/anchors/ +else + echo "No StackRox root CA found at $CA_PATH" +fi + echo "Updating CA trust" # Though /etc/pki/ca-trust/extracted is the default output, update-ca-trust # will create the necessary directories with the required permissions if the `--output` flag is used. diff --git a/image/scanner/scripts/trust-root-ca b/image/scanner/scripts/trust-root-ca deleted file mode 100755 index 548ff8c90..000000000 --- a/image/scanner/scripts/trust-root-ca +++ /dev/null @@ -1,16 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -CA_PATH="/run/secrets/stackrox.io/certs/ca.pem" - -# For RHEL -cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem - -# Though /etc/pki/ca-trust/extracted is the default output, update-ca-trust -# will create the necessary directories with the required permissions if the `--output` flag is used. -# See https://bugzilla.redhat.com/show_bug.cgi?id=2241240 for background. -# -# tl,dr: update-ca-trust extract, when giving the `--output` flag behaves differently with respect -# to filesystem permissions and this is the behaviour we need for containerized environments. -update-ca-trust extract --output /etc/pki/ca-trust/extracted From 26540dcffe821557be61fa107f2a60b1053c5bcd Mon Sep 17 00:00:00 2001 From: davdhacs <105243888+davdhacs@users.noreply.github.com> Date: Thu, 26 Mar 2026 15:49:43 -0600 Subject: [PATCH 2/2] merge trust-root-ca into import-additional-cas --- image/scanner/scripts/import-additional-cas | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/image/scanner/scripts/import-additional-cas b/image/scanner/scripts/import-additional-cas index 198e3a918..d3bfe544a 100755 --- a/image/scanner/scripts/import-additional-cas +++ b/image/scanner/scripts/import-additional-cas @@ -26,12 +26,9 @@ copy_existing /etc/pki/injected-ca-trust # Only copy ca.pem — the mount also contains server cert and key which # should not be added as trusted CA anchors. CA_PATH="/run/secrets/stackrox.io/certs/ca.pem" -if [ -f "$CA_PATH" ]; then - echo "Copying StackRox root CA from '$CA_PATH'" - cp -v -L "$CA_PATH" /etc/pki/ca-trust/source/anchors/ -else - echo "No StackRox root CA found at $CA_PATH" -fi +echo "Copying StackRox root CA from '${CA_PATH}'" +# For RHEL +cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem echo "Updating CA trust" # Though /etc/pki/ca-trust/extracted is the default output, update-ca-trust