Symlinks in local directory are silently ignored by update-ca-certificates
update-ca-certificates (in package ca-certificates) silently ignores
symlinks added to /usr/local/share/ca-certificates/.
This makes things difficult when, for example, configuring Kubernetes
to mount certificates into this directory using its configMap volumeMount
feature; all the files Kubernetes creates are symlinks to normal files in a
mount directory that it places elsewhere (./..data/).
If excluding symlinks is intentional (why?) then I would expect the
update-ca-certificates program to at least print a warning message for any
it finds when it runs.
Demo: below, I write some dummy data to two files in
/usr/local/share/ca-certificates, one a normal file and one a symlink, then
run update-ca-certificates. I would expect to see warnings generated for
both, but we only see a warning for one; the symlink has been ignored.
$ docker run -it --rm alpine /bin/sh
/ # apk update
OK: 7961 distinct packages available
/ # apk add ca-certificates
(1/1) Installing ca-certificates (20161130-r1)
OK: 5 MiB in 12 packages
/ # echo foo >/usr/local/share/ca-certificates/foo.crt
/ # echo bar >/tmp/bar.crt
/ # ln -s /tmp/bar.crt /usr/local/share/ca-certificates/bar.crt
/ # update-ca-certificates
WARNING: ca-certificates.crt does not contain exactly one certificate or
WARNING: ca-cert-foo.pem does not contain exactly one certificate or CRL:
(from redmine: issue id 7253, created on 2017-04-27)
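
A pre-flight check for the behaviour reported above, as an added example that is not part of the original report or of the ca-certificates package. It flags symlinked `*.crt` entries before `update-ca-certificates` runs and can copy them out as regular files. The function names and the idea of mounting the configMap at a separate path and copying from there are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not code from ca-certificates. Function names are hypothetical.

# Print a warning per symlinked *.crt entry in $1 (the entries this report says
# are skipped). Returns 1 if any were found, 0 otherwise.
list_symlinked_certs() {
    dir=$1
    found=0
    for f in "$dir"/*.crt; do
        [ -L "$f" ] || continue      # regular files are processed as usual
        target=$(readlink -f "$f" 2>/dev/null) || target=""
        if [ -n "$target" ] && [ -f "$target" ]; then
            echo "WARNING: $f is a symlink -> $target"
        else
            echo "WARNING: $f is a dangling symlink"
        fi
        found=1
    done
    return "$found"
}

# Copy each *.crt in $1 into $2 as a regular file; cp -L dereferences links.
# Prints the number of files written.
materialize_certs() {
    src=$1
    dst=$2
    count=0
    for f in "$src"/*.crt; do
        [ -f "$f" ] || continue      # -f follows links; skips dangling ones
        cp -L "$f" "$dst/$(basename "$f")" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed demo mirroring the report: one regular file, one symlink.
demo=$(mktemp -d)
mkdir "$demo/local" "$demo/out"
echo foo > "$demo/local/foo.crt"
echo bar > "$demo/bar.crt"
ln -s "$demo/bar.crt" "$demo/local/bar.crt"
list_symlinked_certs "$demo/local" || echo "symlinked entries present"
echo "regular files written: $(materialize_certs "$demo/local" "$demo/out")"
rm -rf "$demo"
```

Running the check in an image entrypoint and failing on a non-zero return gives the warning the report asks for without changing `update-ca-certificates` itself.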