From 37cf746f65cb00c54d217d0c042eea99ccbe909a Mon Sep 17 00:00:00 2001
From: Maximilian Linhoff
Date: Tue, 21 Apr 2026 15:15:39 +0200
Subject: [PATCH] Allow operators to disable updating system ca
---
 daemons/start-daemon.sh | 6 +++++-
 server/docker-entrypoint.sh | 8 ++++++--
 ui/docker-entrypoint.sh | 6 +++++-
 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/daemons/start-daemon.sh b/daemons/start-daemon.sh
index f4f6e254..6956224e 100755
--- a/daemons/start-daemon.sh
+++ b/daemons/start-daemon.sh
@@ -75,10 +75,14 @@ then
 done
 fi
-if [ -d /etc/grid-security/certificates ]; then
+# allow operators to disable updating the system trust store
+UPDATE_SYSTEM_TRUST="${UPDATE_SYSTEM_TRUST:-1}"
+if [[ "$UPDATE_SYSTEM_TRUST" == "1" && -d /etc/grid-security/certificates ]]; then
 echo 'Adding Grid CAs to the system trust.'
 cp -v /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/
 update-ca-trust extract
+else
+ echo "Skipping system trust update."
 fi
 echo "starting daemon with: $RUCIO_DAEMON $RUCIO_DAEMON_ARGS"
diff --git a/server/docker-entrypoint.sh b/server/docker-entrypoint.sh
index 759591c4..ff8ce15a 100755
--- a/server/docker-entrypoint.sh
+++ b/server/docker-entrypoint.sh
@@ -92,12 +92,16 @@ then
 done
 fi
-if [ -d /etc/grid-security/certificates ]; then
+# allow operators to disable updating the system trust store
+UPDATE_SYSTEM_TRUST="${UPDATE_SYSTEM_TRUST:-1}"
+if [[ "$UPDATE_SYSTEM_TRUST" == "1" && -d /etc/grid-security/certificates ]]; then
 echo 'Adding Grid CAs to the system trust.'
 cp -v /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/
 update-ca-trust extract
+else
+ echo "Skipping system trust update."
 fi
 pkill httpd || :
 sleep 2
-exec httpd -D FOREGROUND
\ No newline at end of file
+exec httpd -D FOREGROUND
diff --git a/ui/docker-entrypoint.sh b/ui/docker-entrypoint.sh
index 9150085b..abd5cda3 100755
--- a/ui/docker-entrypoint.sh
+++ b/ui/docker-entrypoint.sh
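Review bot: The `else` branch added in daemons/start-daemon.sh prints the same "Skipping system trust update." whether the operator switched the update off or /etc/grid-security/certificates is simply absent, and the exact `== "1"` test treats any other value (`true`, `yes`, `on`) as off. Because this branch decides which CAs the container's TLS clients end up trusting, the log should say which case applied and show the value that was read. Splitting the condition into `if`/`elif`/`else` as below does that; the identical hunks in server/docker-entrypoint.sh and ui/docker-entrypoint.sh need the same change. The surrounding script starts and ends outside the hunk.

```shell
UPDATE_SYSTEM_TRUST="${UPDATE_SYSTEM_TRUST:-1}"
if [[ "$UPDATE_SYSTEM_TRUST" != "1" ]]; then
    echo "UPDATE_SYSTEM_TRUST=$UPDATE_SYSTEM_TRUST: not adding Grid CAs to the system trust."
elif [[ -d /etc/grid-security/certificates ]]; then
    # … unchanged: echo, cp of the *.pem files, update-ca-trust extract …
else
    echo "/etc/grid-security/certificates not found; skipping system trust update."
fi
```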
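Review bot: The rewritten condition in server/docker-entrypoint.sh uses `[[ … ]]` and `==`, which are bash constructs, while the line it replaces was POSIX `[ … ]`; the shebang is outside the hunk, so it cannot be confirmed from here that the script always runs under bash. Under a plain POSIX `sh` the `[[` command would presumably fail, the `else` branch would run, and the Grid CAs would be left out of the trust store while the log only reports a skip. If bash is not guaranteed, keep the test portable: `if [ "$UPDATE_SYSTEM_TRUST" = "1" ] && [ -d /etc/grid-security/certificates ]; then`. The same line appears in daemons/start-daemon.sh and ui/docker-entrypoint.sh.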
@@ -82,10 +82,14 @@ then
 done
 fi
-if [ -d /etc/grid-security/certificates ]; then
+# allow operators to disable updating the system trust store
+UPDATE_SYSTEM_TRUST="${UPDATE_SYSTEM_TRUST:-1}"
+if [[ "$UPDATE_SYSTEM_TRUST" == "1" && -d /etc/grid-security/certificates ]]; then
 echo 'Adding Grid CAs to the system trust.'
 cp -v /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/
 update-ca-trust extract
+else
+ echo "Skipping system trust update."
 fi