No support for adding custom certificate chains

This is probably more useful in curtin, but I could see it being useful in cloud-init as well.

I expect this is more useful in curtin long-term, since those deploying in an environment with its own PKI infrastructure will be the primary users of this feature.

Having this in cloud-init would be good in case the certificates are needed during commissioning (i.e. to reach a TLS-protected MAAS URL), but I see that as lower priority.

Bottom line: for us to consider adding this feature to MAAS, it will probably need to be available in curtin first.

Oh, and by the way - this will do nothing about the spurious errors regarding entropy.ubuntu.com. (that certificate is pinned separately, by means of a root certificate present in the pollinate .deb)

One final note: if we can't reach entropy.ubuntu.com, it may look scary, but the error message is actually non-fatal.

curtin already supports a way to inject files into the target filesystem.

MAAS can collect the certificates and use curtin in-target to inject them as needed.

cloud-init has write_files support, so a similar workaround is possible.

This bug has not seen any activity in the last 6 months, so it is being automatically closed.

If you are still experiencing this issue, please feel free to re-open.

MAAS Team

Thanks for your feature request, please could you start a thread over on our Discourse (https://discourse.maas.io) to discuss the feature?

adding custom CA certs via cloud-init can be done with the "ca_certs" module (https://cloudinit.readthedocs.io/en/latest/topics/modules.html#ca-certificates)

Do the certificates need to present for network configuration (IMDS data fetching)? In affirmative case, the certs cannot be injected using cloud-init config modules as this happen before the Network config stage. In negative case, cc_write_files or cc_ca_certs could be used and the cloud-init part of this ticket could be closed.

Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/2600