From 4f60bda412b3928f448d0722cd5456f274c68b71 Mon Sep 17 00:00:00 2001
From: Birajit Saikia
Date: Fri, 3 Jan 2025 11:34:35 +0530
Subject: [PATCH] Fix handling of -cert parameter in inbound agent
Fixes #908
Add handling for the `-cert` parameter in `jenkins-agent` and `jenkins-agent.ps1` scripts.
## jenkins-agent
- Add logic to handle the `-cert` parameter by reading the certificate file content.
- Update the `exec` command to include the `-cert` parameter if provided.
## jenkins-agent.ps1
- Add logic to handle the `-cert` parameter by reading the certificate file content.
- Update the `Start-Process` command to include the `-cert` parameter if provided.
## debian/Dockerfile
- Add instructions to copy the certificate file to the container.
- Update the `ENTRYPOINT` to include the `-cert` parameter if provided.
## alpine/Dockerfile
- Add instructions to copy the certificate file to the container.
- Update the `ENTRYPOINT` to include the `-cert` parameter if provided.
---
 alpine/Dockerfile | 4 +++-
 debian/Dockerfile | 5 ++++-
 jenkins-agent | 14 +++++++++++++-
 jenkins-agent.ps1 | 9 ++++++++-
 4 files changed, 28 insertions(+), 4 deletions(-)
 mode change 100755 => 100644 jenkins-agent
diff --git a/alpine/Dockerfile b/alpine/Dockerfile
index fe02bb543..a92cddf7d 100644
--- a/alpine/Dockerfile
+++ b/alpine/Dockerfile
@@ -91,6 +91,8 @@ ADD --chown="${user}":"${group}" "https://repo.jenkins-ci.org/public/org/jenkins
 RUN chmod 0644 /usr/share/jenkins/agent.jar \
 && ln -sf /usr/share/jenkins/agent.jar /usr/share/jenkins/slave.jar
+# Copy the certificate file to the container
+COPY ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 ENV JAVA_HOME=/opt/java/openjdk
 COPY --from=jre-build /javaruntime "$JAVA_HOME"
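Review bot: The added `COPY ca-certificates.crt /etc/ssl/certs/ca-certificates.crt` overwrites the image's system CA bundle with a file taken from the build context, so every TLS client in the image, not only the agent, ends up trusting whatever that file contains. The diffstat lists no `ca-certificates.crt`, so unless the file already exists in the repository the build presumably fails at this step. The debian/Dockerfile hunk at -135,6 adds the same line. If an extra CA is needed, I would leave the base bundle untouched and have a derived image copy it to its own path, e.g. `COPY extra-ca.crt /usr/local/share/ca-certificates/extra-ca.crt` (file name is an example).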
@@ -133,4 +135,4 @@ LABEL \
 org.opencontainers.image.source="https://github.com/jenkinsci/docker-agent" \
 org.opencontainers.image.licenses="MIT"
-ENTRYPOINT ["/usr/local/bin/jenkins-agent"]
+ENTRYPOINT ["/usr/local/bin/jenkins-agent", "-cert", "@/etc/ssl/certs/ca-certificates.crt"]
diff --git a/debian/Dockerfile b/debian/Dockerfile
index 8e5d1b25f..eaaace698 100644
--- a/debian/Dockerfile
+++ b/debian/Dockerfile
@@ -135,6 +135,9 @@ RUN chmod +x /usr/local/bin/jenkins-agent &&\
 ln -s /usr/local/bin/jenkins-agent /usr/local/bin/jenkins-slave
 USER ${user}
+# Copy the certificate file to the container
+COPY ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+
 LABEL \
 org.opencontainers.image.vendor="Jenkins project" \
 org.opencontainers.image.title="Official Jenkins Inbound Agent Base Docker image" \
@@ -144,4 +147,4 @@ LABEL \
 org.opencontainers.image.source="https://github.com/jenkinsci/docker-agent" \
 org.opencontainers.image.licenses="MIT"
-ENTRYPOINT ["/usr/local/bin/jenkins-agent"]
+ENTRYPOINT ["/usr/local/bin/jenkins-agent", "-cert", "@/etc/ssl/certs/ca-certificates.crt"]
diff --git a/jenkins-agent b/jenkins-agent
old mode 100755
new mode 100644
index 6589c25ec..615759e97
--- a/jenkins-agent
+++ b/jenkins-agent
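Review bot: The new `ENTRYPOINT` hard-codes `-cert @/etc/ssl/certs/ca-certificates.crt` for every container, so a user of the image can no longer start the agent without that trust option; the debian/Dockerfile hunk at -144,4 makes the same change. The loop this commit adds to `jenkins-agent` then calls `cat` on the argument with its leading `@` still attached, which is unlikely to name an existing file, and `"$@"` forwards the original `-cert` pair a second time. Keeping `ENTRYPOINT ["/usr/local/bin/jenkins-agent"]` and letting callers pass `-cert` themselves avoids both problems and leaves the trust decision with the deployer.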
@@ -133,9 +133,21 @@ else
 esac
 fi
+ # Handle the -cert parameter
+ CERT=""
+ for arg in "$@"; do
+ if [ "$arg" = "-cert" ]; then
+ CERT_FILE=true
+ elif [ "$CERT_FILE" = true ]; then
+ CERT_CONTENT=$(cat "$arg")
+ CERT="-cert $CERT_CONTENT"
+ CERT_FILE=false
+ fi
+ done
+
 #TODO: Handle the case when the command-line and Environment variable contain different values.
 #It is fine it blows up for now since it should lead to an error anyway.
- exec $JAVA_BIN $JAVA_OPTIONS -jar $AGENT_FILE $SECRET $AGENT_NAME $TUNNEL $URL $WORKDIR $WEB_SOCKET $DIRECT $PROTOCOLS $INSTANCE_IDENTITY $REMOTING_OPTS "$@"
+ exec $JAVA_BIN $JAVA_OPTIONS -jar $AGENT_FILE $SECRET $AGENT_NAME $TUNNEL $URL $WORKDIR $WEB_SOCKET $DIRECT $PROTOCOLS $INSTANCE_IDENTITY $CERT $REMOTING_OPTS "$@"
 fi
diff --git a/jenkins-agent.ps1 b/jenkins-agent.ps1
index 2839c3892..d7b21cc1e 100644
--- a/jenkins-agent.ps1
+++ b/jenkins-agent.ps1
@@ -35,7 +35,8 @@ Param(
 $JenkinsJavaBin = '',
 $JavaHome = $env:JAVA_HOME,
 $JenkinsJavaOpts = '',
- $RemotingOpts = ''
+ $RemotingOpts = '',
+ $Cert = '' # P7458
 )
 # Usage jenkins-agent.ps1 [options] -Url http://jenkins -Secret [SECRET] -Name [AGENT_NAME]
@@ -75,6 +76,7 @@ if(![System.String]::IsNullOrWhiteSpace($Cmd)) {
 'InstanceIdentity' = 'JENKINS_INSTANCE_IDENTITY';
 'Protocols' = 'JENKINS_PROTOCOLS';
 'RemotingOpts' = 'REMOTING_OPTS';
+ 'Cert' = 'JENKINS_CERT' # P7458
 }
 # this does some trickery to update the variable from the CmdletBinding
@@ -147,6 +149,11 @@ if(![System.String]::IsNullOrWhiteSpace($Cmd)) {
 $AgentArguments += @('-protocols', $Protocols)
 }
+ if(![System.String]::IsNullOrWhiteSpace($Cert)) {
+ $CertContent = Get-Content -Path $Cert -Raw
+ $AgentArguments += @('-cert', $CertContent)
+ }
+
 if(![System.String]::IsNullOrWhiteSpace($JenkinsJavaBin)) {
 $JAVA_BIN = $JenkinsJavaBin
 } else {
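Review bot: The unquoted `$CERT` on the new `exec` line is word-split by the shell, so the multi-line certificate text read by `cat "$arg"` reaches Java as many separate arguments instead of one `-cert` value, and a failed `cat` still leaves a bare `-cert` on the command line. `"$@"` at the end of the same line still carries the caller's `-cert` and its value, so the option is supplied twice. Because the wrapper already forwards `"$@"` untouched, the loop and `$CERT` can simply be dropped and the `exec` line left as it was. The mode change 100755 => 100644 also removes the script's execute bit; the debian image runs `chmod +x` on it, but whether the alpine image does is not visible here. The enclosing `else` branch starts outside the hunk.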
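Review bot: The trailing `# P7458` on the new `$Cert = ''` parameter is an opaque marker that tells a maintainer nothing about the option; the same marker is added to the `'Cert' = 'JENKINS_CERT'` entry in the hunk at -75,6. I would replace it with a comment stating the contract, for example `# Path to a certificate file whose content is passed to the agent as -cert`, and drop the marker from the map entry. The `Param(` block starts outside the hunk.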
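Review bot: `Get-Content -Path $Cert -Raw` is called with no existence check, so a wrong path produces an error that is non-terminating unless `$ErrorActionPreference` is set to Stop elsewhere in the script, `$CertContent` stays `$null`, and `-cert` is still appended to `$AgentArguments`. The `@file` form that the Dockerfile `ENTRYPOINT` in this commit uses is not handled either, since the `@` would be read as part of the path. A guard before the read, `if (-not (Test-Path -LiteralPath $Cert -PathType Leaf)) { throw "Certificate file not found: $Cert" }`, makes a trust misconfiguration fail loudly instead of starting the agent with an empty value. The enclosing block starts and ends outside the hunk.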