fix(edge): configure persisted mTLS certificates on start-up [BE-11622] (#437)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com> Co-authored-by: oscarzhou <oscar.zhou@portainer.io> Co-authored-by: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
2025-07-19 13:29:41 +02:00 · 2025-02-19 02:46:39 +01:00 · 2025-02-19 02:46:39 +01:00 · 41c1d88615
commit 41c1d88615
parent df8673ba40
2 changed files with 34 additions and 14 deletions
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@ -841,11 +841,11 @@ func (service *Service) GetDefaultSSLCertsPath() (string, string) {
 }
 func defaultMTLSCertPathUnderFileStore() (string, string, string) {
 	certPath := JoinPaths(SSLCertPath, MTLSCertFilename)
 	caCertPath := JoinPaths(SSLCertPath, MTLSCACertFilename)
 	certPath := JoinPaths(SSLCertPath, MTLSCertFilename)
 	keyPath := JoinPaths(SSLCertPath, MTLSKeyFilename)
-	return certPath, caCertPath, keyPath
+	return caCertPath, certPath, keyPath
 }
 // GetDefaultChiselPrivateKeyPath returns the chisle private key path
@ -1014,26 +1014,45 @@ func CreateFile(path string, r io.Reader) error {
 	return err
 }
-func (service *Service) StoreMTLSCertificates(cert, caCert, key []byte) (string, string, string, error) {
+func (service *Service) StoreMTLSCertificates(caCert, cert, key []byte) (string, string, string, error) {
-	certPath, caCertPath, keyPath := defaultMTLSCertPathUnderFileStore()
+	caCertPath, certPath, keyPath := defaultMTLSCertPathUnderFileStore()
-	r := bytes.NewReader(cert)
+	r := bytes.NewReader(caCert)
-	err := service.createFileInStore(certPath, r)
+	if err := service.createFileInStore(caCertPath, r); err != nil {
 	if err != nil {
 		return "", "", "", err
 	}
-	r = bytes.NewReader(caCert)
+	r = bytes.NewReader(cert)
-	err = service.createFileInStore(caCertPath, r)
+	if err := service.createFileInStore(certPath, r); err != nil {
 	if err != nil {
 		return "", "", "", err
 	}
 	r = bytes.NewReader(key)
-	err = service.createFileInStore(keyPath, r)
+	if err := service.createFileInStore(keyPath, r); err != nil {
 	if err != nil {
 		return "", "", "", err
 	}
-	return service.wrapFileStore(certPath), service.wrapFileStore(caCertPath), service.wrapFileStore(keyPath), nil
+	return service.wrapFileStore(caCertPath), service.wrapFileStore(certPath), service.wrapFileStore(keyPath), nil
 }
 func (service *Service) GetMTLSCertificates() (string, string, string, error) {
 	caCertPath, certPath, keyPath := defaultMTLSCertPathUnderFileStore()
 	caCertPath = service.wrapFileStore(caCertPath)
 	certPath = service.wrapFileStore(certPath)
 	keyPath = service.wrapFileStore(keyPath)
 	paths := [...]string{caCertPath, certPath, keyPath}
 	for _, path := range paths {
 		exists, err := service.FileExists(path)
 		if err != nil {
 			return "", "", "", err
 		}
 		if !exists {
 			return "", "", "", fmt.Errorf("file %s does not exist", path)
 		}
 	}
 	return caCertPath, certPath, keyPath, nil
 }
--- a/api/portainer.go
+++ b/api/portainer.go
@ -1491,7 +1491,8 @@ type (
 		StoreSSLCertPair(cert, key []byte) (string, string, error)
 		CopySSLCertPair(certPath, keyPath string) (string, string, error)
 		CopySSLCACert(caCertPath string) (string, error)
-		StoreMTLSCertificates(cert, caCert, key []byte) (string, string, string, error)
+		StoreMTLSCertificates(caCert, cert, key []byte) (string, string, string, error)
 		GetMTLSCertificates() (string, string, string, error)
 		GetDefaultChiselPrivateKeyPath() string
 		StoreChiselPrivateKey(privateKey []byte) error
 	}