a59da9921e
- Strip pipelock from all unit and integration test fixtures: proxy_plan fields removed from DockerBottlePlan/SmolmachinesBottlePlan constructors; pipelock-specific test classes deleted or renamed
- Update test_sidecar_init: remove test_pipelock_loses_egress_tokens, rename "pipelock" daemon fixtures to "git-gate" throughout
- Remove test_pipelock_binary_present_and_versioned from integration test
- Remove test_pipelock_answers_on_bundle_ip from smolmachines launch test
- Update _SANDBOX_BLOCK_MARKERS: remove "pipelock" marker (egress blocks)
- Dockerfile.sidecars: remove pipelock build stage and COPY; update layout comments and port table
- egress_entrypoint.sh: update comments now that egress is sole proxy
- Clean up pipelock references in comments/docstrings across backend, network, manifest, supervise, git_gate, yaml_subset, agent_provider, sidecar_bundle, sidecar_init, egress_addon_core modules

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
41 lines
1.5 KiB
Python
"""Install the per-bottle egress MITM CA into the agent container's
trust store.

By the time this provisioner runs, `egress_tls_init` has generated
the egress CA and the path is re-bound into `plan.egress_plan`.

Cert lands on Debian's standard source path
(`/usr/local/share/ca-certificates/`); `update-ca-certificates`
rebuilds `/etc/ssl/certs/ca-certificates.crt`, which is what curl,
Python `ssl`, and OpenSSL-based tools all read by default. The env
trio set on the agent's `docker run` covers Node
(`NODE_EXTRA_CA_CERTS`) and Python `requests` /
`SSL_CERT_FILE`-honoring libraries that don't load the system
bundle.

The fingerprint is computed via stdlib (`ssl.PEM_cert_to_DER_cert`
+ `hashlib.sha256`) and logged once to stderr. The private key
stays on the host (under `stage_dir`) until teardown wipes the
stage dir; nothing in the agent ever sees it."""

from __future__ import annotations

from ... import Bottle
from ...util import AGENT_CA_PATH, log_ca_fingerprint, select_ca_cert
from ..bottle_plan import DockerBottlePlan


def provision_ca(plan: DockerBottlePlan, bottle: Bottle) -> None:
    """Copy the agent-facing CA cert into the agent, rebuild the
    trust bundle, emit a one-line fingerprint log. Called from
    `BottleBackend.provision` after the agent container is up."""
    cert_host_path, label = select_ca_cert(plan.egress_plan)

    bottle.cp_in(str(cert_host_path), AGENT_CA_PATH)
    bottle.exec(
        f"chmod 644 {AGENT_CA_PATH} && update-ca-certificates",
        user="root",
    )

    log_ca_fingerprint(cert_host_path, label)
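An added post-install check (example code, not part of this commit or the project): it recomputes the fingerprint the docstring describes (`ssl.PEM_cert_to_DER_cert` + `hashlib.sha256`) for every certificate in the rebuilt `ca-certificates.crt` and confirms the egress CA is actually present, which matters because `update-ca-certificates` silently ignores files in `/usr/local/share/ca-certificates/` that do not end in `.crt`. The sample bundle is constructed, and `SYSTEM_BUNDLE`, `check_installed` and the other names are assumptions, not project code.

```python
import hashlib
import re
import ssl

# Path that update-ca-certificates rebuilds (named in the docstring above).
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def der_sha256(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 of the DER, as OpenSSL prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_fingerprints(bundle_text: str) -> list[str]:
    """Fingerprint of every certificate in a PEM bundle, in file order."""
    fps = []
    for block in _PEM_BLOCK.findall(bundle_text):
        # ssl.PEM_cert_to_DER_cert only base64-decodes the body between the
        # markers; it does not parse ASN.1, so the sample bytes below suffice.
        fps.append(der_sha256(ssl.PEM_cert_to_DER_cert(block)))
    return fps


def bundle_contains(bundle_text: str, expected_fp: str) -> bool:
    """True if a certificate with the expected fingerprint is in the bundle."""
    return expected_fp.upper() in pem_fingerprints(bundle_text)


def check_installed(expected_fp: str, bundle_path: str = SYSTEM_BUNDLE) -> bool:
    """Run inside the agent after update-ca-certificates to confirm the CA landed."""
    with open(bundle_path, encoding="ascii", errors="replace") as fh:
        return bundle_contains(fh.read(), expected_fp)


# Constructed sample data: not real certificates, only DER stand-ins so the
# example runs offline. A pre-existing system CA followed by the egress CA.
SAMPLE_DER_SYSTEM = b"\x30\x82" + bytes(range(70))
SAMPLE_DER_EGRESS = b"\x30\x82" + bytes(range(70, 0, -1))
SAMPLE_BUNDLE = (
    "# system CA\n" + ssl.DER_cert_to_PEM_cert(SAMPLE_DER_SYSTEM)
    + "# per-bottle egress CA\n" + ssl.DER_cert_to_PEM_cert(SAMPLE_DER_EGRESS)
)
```

The fingerprint `log_ca_fingerprint` writes to stderr on the host can be compared against `check_installed` inside the agent; a mismatch or an absent entry means the trust bundle was not rebuilt from the file that was copied in.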