Add support for cloud-init ca-certs field

[philomory]

Is your feature request related to a problem? Please describe.
I'd like to add a private CA as a trusted root to k3os. Cloud-init provides a way to accomplish this, via the ca-certs parameter, but k3os doesn't seem to support this parameter.

Describe the solution you'd like
I'd like k3os to support using ca-certs.trusted in the cloud-init data to add trusted root CAs (while leaving the existing trusted roots in place unless ca-certs.remove-defaults is set to true).

Describe alternatives you've considered
I considered manually adding the certificate using write_files, but this is difficult to do correctly due to a bug in k3os's implementation of update-ca-certificates (#518).

[dweomer]

The workaround in #518 should be something you can capture in a write_files + run_cmd:

Actually I made a workaround:

Moved the /etc/ssl/certs/ca-certificates.crt to /usr/local/share/ca-certificates
Manually append all wanted certificates with cat *.crt >> /usr/local/share/ca-certificates/ca-certificates.crt
Created directory mkdir -p /etc/ca-certificates/update.d/
Executed command sudo update-ca-certificates

[philomory]

Was this closed because a workaround exists, or because there has been an affirmative decision to reject the feature request? Personally I'd still like to see k3os support the standard cloud-init ca-certs parameter.

[philomory]

@dweomer I was wondering about the reasoning behind closing this issue? Was it closed simply because a workaround exists, or was it closed because there has been an affirmative decision to reject the feature request? Personally I'd still like to see k3os support the standard cloud-init ca-certs parameter rather than requiring this sort of non-obvious, error-prone workaround. Even if the bug in #518 was fixed, the cloud-init ca-certs parameter would still be preferable to using write_files and run_cmd to add the certificate.

[dweomer]

@dweomer I was wondering about the reasoning behind closing this issue? Was it closed simply because a workaround exists, or was it closed because there has been an affirmative decision to reject the feature request? Personally I'd still like to see k3os support the standard cloud-init ca-certs parameter rather than requiring this sort of non-obvious, error-prone workaround. Even if the bug in #518 was fixed, the cloud-init ca-certs parameter would still be preferable to using write_files and run_cmd to add the certificate.

@philomory apologies for missing your original follow-up: I am happy to re-open this but I must also admit that I do not foresee working on this anytime soon. It would definitely be nice to have!

[philomory]

@dweomer I've tracked down the underlying reason for #518 and have submitted a PR to fix it in #818; my intent is to follow up with a second PR that adds the cloudinit ca-certs functionality once update-ca-certificates itself works as intended.