From e3d7facf59df81520815b52998a43a688c7cfeff Mon Sep 17 00:00:00 2001
From: Zespre Chang
Date: Wed, 11 Oct 2023 15:44:28 +0800
Subject: [PATCH 1/3] fix(certs): auto-install ca retrieved from rancher
Signed-off-by: Zespre Chang
---
pkg/cacerts/cacerts.go | 24 ++++++++++++++++++++++++
pkg/plan/bootstrap.go | 8 ++++++++
2 files changed, 32 insertions(+)
diff --git a/pkg/cacerts/cacerts.go b/pkg/cacerts/cacerts.go
index 08bc867..56c09a5 100644
--- a/pkg/cacerts/cacerts.go
+++ b/pkg/cacerts/cacerts.go
@@ -15,6 +15,7 @@ import (
 "time"
 "github.com/rancher/rancherd/pkg/tpm"
+ "github.com/rancher/system-agent/pkg/applyinator"
 "github.com/rancher/wrangler/pkg/randomtoken"
 )
@@ -161,6 +162,29 @@ func CACerts(server, token string, clusterToken bool) ([]byte, string, error) {
 return data, hashHex(data), nil
 }
+func ToUpdateCACertificatesInstruction() (*applyinator.Instruction, error) {
+ cmd := "update-ca-certificates"
+
+ return &applyinator.Instruction{
+ Name: "update-ca-certificates",
+ SaveOutput: true,
+ Command: cmd,
+ }, nil
+}
+
+func ToFile(server, token string) (*applyinator.File, error) {
+ cacert, _, err := CACerts(server, token, true)
+ if err != nil {
+ return nil, err
+ }
+
+ return &applyinator.File{
+ Content: base64.StdEncoding.EncodeToString(cacert),
+ Path: "/etc/pki/trust/anchors/additional-ca.pem",
+ Permissions: "0644",
+ }, nil
+}
+
 func hashHex(token []byte) string {
 hash := sha256.Sum256(token)
 return hex.EncodeToString(hash[:])
diff --git a/pkg/plan/bootstrap.go b/pkg/plan/bootstrap.go
index 5d7ed83..de8f08d 100644
--- a/pkg/plan/bootstrap.go
+++ b/pkg/plan/bootstrap.go
@@ -6,6 +6,7 @@ import (
 "github.com/rancher/system-agent/pkg/applyinator"
+ "github.com/rancher/rancherd/pkg/cacerts"
 "github.com/rancher/rancherd/pkg/config"
 "github.com/rancher/rancherd/pkg/discovery"
 "github.com/rancher/rancherd/pkg/join"
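Review bot: ToFile drops the hash that CACerts returns (`cacert, _, err := CACerts(server, token, true)`) and hands the bytes straight to a file under /etc/pki/trust/anchors, so once update-ca-certificates runs the retrieved CA is trusted by every TLS client on the host, not only by rancherd; nothing in this hunk verifies or records what was installed, and whether CACerts validates the fetched bytes is outside the hunk. Both exported functions lack doc comments; ToFile should state that scope, e.g. `// ToFile returns the CA obtained from CACerts as a system-wide trust anchor; any validation of the fetched bytes happens in CACerts, not here.`, and ToUpdateCACertificatesInstruction should note that the anchor path and the update-ca-certificates command appear to be specific to the host distribution. In ToUpdateCACertificatesInstruction the error result is always nil and `cmd` is used once, so `Command: "update-ca-certificates",` inline reads cleaner, assuming the (value, error) shape is what plan.addInstruction expects. Whether applyinator.File expects base64 in Content is not visible here and is worth confirming against its definition.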
@@ -50,9 +51,15 @@ func toJoinPlan(cfg *config.Config, dataDir string) (*applyinator.Plan, error) {
 }
 plan := plan{}
+ if err := plan.addFile(cacerts.ToFile(cfg.Server, cfg.Token)); err != nil {
+ return nil, err
+ }
 if err := plan.addFile(join.ToScriptFile(cfg, dataDir)); err != nil {
 return nil, err
 }
+ if err := plan.addInstruction(cacerts.ToUpdateCACertificatesInstruction()); err != nil {
+ return nil, err
+ }
 if err := plan.addInstruction(join.ToInstruction(cfg, dataDir)); err != nil {
 return nil, err
 }
@@ -202,6 +209,7 @@ func (p *plan) addFiles(cfg *config.Config, dataDir string) error {
 // rancher values.yaml
 return p.addFile(rancher.ToFile(cfg, dataDir))
+
 }
 func (p *plan) addFile(file *applyinator.File, err error) error {
From f5bec64b30efe2044712878573621531e389ac1a Mon Sep 17 00:00:00 2001
From: Zespre Chang
Date: Thu, 12 Oct 2023 16:26:24 +0800
Subject: [PATCH 2/3] Avoid name conflict with additional-ca
Signed-off-by: Zespre Chang
---
pkg/cacerts/cacerts.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cacerts/cacerts.go b/pkg/cacerts/cacerts.go
index 56c09a5..c7df2ba 100644
--- a/pkg/cacerts/cacerts.go
+++ b/pkg/cacerts/cacerts.go
@@ -180,7 +180,7 @@ func ToFile(server, token string) (*applyinator.File, error) {
 return &applyinator.File{
 Content: base64.StdEncoding.EncodeToString(cacert),
- Path: "/etc/pki/trust/anchors/additional-ca.pem",
+ Path: "/etc/pki/trust/anchors/embedded-rancher-ca.pem",
 Permissions: "0644",
 }, nil
 }
From 951e36868214cb9144e1061679bf9c44e987417e Mon Sep 17 00:00:00 2001
From: Zespre Chang
Date: Mon, 23 Oct 2023 08:55:19 +0800
Subject: [PATCH 3/3] Fix instruction name typo
Signed-off-by: Zespre Chang
---
pkg/rancher/wait.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/rancher/wait.go b/pkg/rancher/wait.go
index e17e7c3..6e2921d 100644
--- a/pkg/rancher/wait.go
+++ b/pkg/rancher/wait.go
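Review bot: In toJoinPlan the CA file is added before the join script and the update-ca-certificates instruction before the join instruction, so the join only sees the new trust anchor if applyinator writes every file before running any instruction and the plan keeps insertion order; neither is visible here, and a comment above the first new block, `// install and activate the Rancher CA before the join step runs`, would record that assumption. cacerts.ToFile also fetches the CA from cfg.Server while the plan is being built, so a failure there now aborts toJoinPlan outright instead of surfacing as a failed step; that looks intended but is worth stating in the function's doc comment. toJoinPlan's body continues outside the hunk.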
@@ -44,7 +44,7 @@ func ToWaitSUCInstruction(imageOverride, systemDefaultRegistry, k8sVersion strin
 return nil, fmt.Errorf("resolving location of %s: %w", os.Args[0], err)
 }
 return &applyinator.Instruction{
- Name: "wait-rancher-webhook",
+ Name: "wait-system-upgrade-controller",
 SaveOutput: true,
 Args: []string{"retry", kubectl.Command(k8sVersion), "-n", "cattle-system", "rollout", "status", "-w", "deploy/system-upgrade-controller"},
 Env: kubectl.Env(k8sVersion),