Also inject TLS certificate as a standalone file in /usr/local/share/ca-certificates when that directory exists (Ubuntu, Debian, Etc)

[segevfiner]

If you use a base image that does not have the (Ubuntu, Debian) package ca-certificates installed, installing it will regenerate /etc/ssl/certs/ca-certificates.pem without the TLS interception certificate, to make sure it is included in such a case as well, it should be injected to /usr/local/share/ca-certificates as well, and then either update-ca-certificates should be ran or just appending, creating /etc/ssl/certs/ca-certificates.pem to be overwritten when that package is installed.

[toksdotdev]

@segevfiner the best we could do is write the cert to /usr/local/share/ca-certificates, and make it the responsibility of the caller to explicitly run update-ca-certificates. we can't make assumptions of the latter since it varies across distros.

feel free to put up a PR for the first (and maybe a disclaimer around the docs to manually run the corresponding command based on their distro.

[segevfiner]

As long as we append it to ca-certificates.pem and also to that folder everything should work fine even if we execute update-ca-certificates, as the certificates will be there since we manually added it, and if update-ca-certificates happens to run due to e.g. apt, it will include the certificate as well in the newly generated ca-certificates.pem if we place it in that folder.

[segevfiner]

The problem is basically this:

microsandbox/crates/agentd/lib/tls.rs

Line 122 in b28e58d

if dir_path.is_dir() {

, since if we are in an image that doesn't have ca-certificates installed yet. The directory won't exist yet. So we might just need a different marker to tell into which directory to install, creating it if it doesn't exist, or install/create all of them.

[toksdotdev]

my bad for just getting to this (missed your message). yeah, that does make sense. i've put up a fix for this in #767