X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/2a4fbc88b7a16a059b5eb62bf0a3f1b13ebfc72d..6a370a002d008dffaf9f47b7db3da47b40e57254:/services/crunch-run/crunchrun.go
diff --git a/services/crunch-run/crunchrun.go b/services/crunch-run/crunchrun.go
index 2e475c72e6..10b3a61c88 100644
--- a/services/crunch-run/crunchrun.go
+++ b/services/crunch-run/crunchrun.go
@@ -257,6 +257,7 @@ func (runner *ContainerRunner) SetupMounts() (err error) {
 collectionPaths := []string{}
 runner.Binds = nil
+ needCertMount := true
 for bind, mnt := range runner.Container.Mounts {
 if bind == "stdout" {
@@ -274,6 +275,9 @@ func (runner *ContainerRunner) SetupMounts() (err error) {
 return fmt.Errorf("Stdout path does not start with OutputPath: %s, %s", mnt.Path, prefix)
 }
 }
+ if bind == "/etc/arvados/ca-certificates.crt" {
+ needCertMount = false
+ }
 switch {
 case mnt.Kind == "collection":
@@ -355,6 +359,16 @@ func (runner *ContainerRunner) SetupMounts() (err error) {
 return fmt.Errorf("Output path does not correspond to a writable mount point")
 }
+ if wantAPI := runner.Container.RuntimeConstraints.API; needCertMount && wantAPI != nil && *wantAPI {
+ for _, certfile := range arvadosclient.CertFiles {
+ _, err := os.Stat(certfile)
+ if err == nil {
+ runner.Binds = append(runner.Binds, fmt.Sprintf("%s:/etc/arvados/ca-certificates.crt:ro", certfile))
+ break
+ }
+ }
+ }
+
 if pdhOnly {
 arvMountCmd = append(arvMountCmd, "--mount-by-pdh", "by_id")
 } else {
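Review bot: In the `@@ -274` hunk the test `bind == "/etc/arvados/ca-certificates.crt"` matches only that exact key, so a mount keyed by an equivalent spelling of the path, or one that covers the `/etc/arvados` directory, leaves `needCertMount` true and the bind added further down in SetupMounts is layered on top of what the request specified. Whether mount keys are normalised before this loop is not visible here, so this may already be handled upstream. The same literal also appears in the bind target and in the `-ca-certs` default; a shared constant with a comment such as `// path at which the CA bundle is exposed inside the container; a request-supplied mount at this path takes precedence` would keep the three in sync and document the precedence rule. SetupMounts starts and ends outside the hunk.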
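Review bot: In the `@@ -355` hunk, when no path in `arvadosclient.CertFiles` exists the loop inside the `wantAPI` block falls through without a bind, an error or a log line, so a container that asked for API access starts without `/etc/arvados/ca-certificates.crt` and the problem only surfaces later as a TLS verification failure inside the container. Any `os.Stat` error, including permission denied, is treated as "file absent". I would record whether a bind was appended and otherwise fail closed with `return fmt.Errorf("no CA certificate file found in %v", arvadosclient.CertFiles)`, or at least log it. The inner `_, err := os.Stat(certfile)` also shadows the named result `err`; `if _, err := os.Stat(certfile); err == nil {` keeps that scope as small as possible. SetupMounts starts and ends outside the hunk.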
@@ -898,10 +912,13 @@ func main() {
 cgroupRoot := flag.String("cgroup-root", "/sys/fs/cgroup", "path to sysfs cgroup tree")
 cgroupParent := flag.String("cgroup-parent", "docker", "name of container's parent cgroup (ignored if -cgroup-parent-subsystem is used)")
 cgroupParentSubsystem := flag.String("cgroup-parent-subsystem", "", "use current cgroup for given subsystem as parent cgroup for container")
+ caCertsPath := flag.String("ca-certs", "/etc/arvados/ca-certificates.crt", "Path to TLS root certificates")
 flag.Parse()
 containerId := flag.Arg(0)
+ arvadosclient.CertFiles = []string{*caCertsPath}
+
 api, err := arvadosclient.MakeArvadosClient()
 if err != nil {
 log.Fatalf("%s: %v", containerId, err)
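Review bot: `arvadosclient.CertFiles` is overwritten unconditionally, so even when `-ca-certs` is not passed, whatever candidate list the package ships with is replaced by the single default path, and the `for _, certfile := range arvadosclient.CertFiles` loop added in SetupMounts can never fall back to another location. Because the assignment runs before `MakeArvadosClient()`, the same value presumably also decides which roots crunch-run's own API client trusts, so a wrong flag value changes host-side TLS trust as well as the file mounted into the container. Consider defaulting the flag to `""` and assigning only when it is set: `if *caCertsPath != "" { arvadosclient.CertFiles = []string{*caCertsPath} }`. The help text could also say that the path is read on the host and bind-mounted read-only into containers that request API access. main continues outside the hunk.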