Restore LLM_CA_CERT_URLS support for corporate PKI HTTP cert delivery. Downloaded certificates are installed into the llm/ CA category and share the same system trust + NSS import path as CERTS_PATH-mounted certs. Changes: - certs.sh: add download_llm_ca_certs with HTTP-only curl policy, PEM/DER handling, retries, llm/ storage, hash symlinks for llm+custom - backend/agent entrypoints: run download before install_all_certs - compose/env/docs: expose LLM_CA_CERT_URLS again and update ADR-0009 - integration tests: cover PEM/DER/CER, invalid certs, non-HTTP skips, query-string filenames, private/server skips, empty inputs, combined LLM_CA_CERT_URLS + CERTS_PATH channels, and NSS imports Verified: - 194 passed, 1 skipped integration tests - full backend container smoke passed with testcontainers PostgreSQL - docker bundle rebuilt for 0.5.0
20 lines
600 B
Bash
20 lines
600 B
Bash
#!/usr/bin/env bash
|
|
# #region docker.agent.entrypoint [C:3] [TYPE Module] [SEMANTICS docker,agent,entrypoint,certs]
|
|
# @BRIEF Agent container entrypoint — install corporate CA certs, then start agent.
|
|
# @LAYER Infrastructure
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
CERTS_PATH="${CERTS_PATH:-/opt/certs}"
|
|
|
|
if [ -f "$SCRIPT_DIR/certs.sh" ]; then
|
|
source "$SCRIPT_DIR/certs.sh"
|
|
download_llm_ca_certs
|
|
install_all_certs
|
|
else
|
|
echo "[agent-entry] certs.sh not found — skipping corporate CA installation"
|
|
fi
|
|
|
|
exec python -m src.agent.run
|
|
# #endregion docker.agent.entrypoint
|