Enable containers to add CAs to the trust store on start up

[brianaydemir]

This PR makes two improvements to our container images.

The primary improvement is to entrypoint.sh, which now scans /certs for certificates (*.crt files) and adds them to the container's trust store, assuming their extendedKeyUsage includes serverAuth (see also: OpenSSL's documentation). During development and testing, this should help minimize, if not eliminate, the need to resort to TLSSkipVerify: true or similar, especially for those programs that might not be aware of Pelican's configuration (e.g., curl).

Note

There is hypothetically a backwards compatibility concern given that I chose to scan /certs based on where We™ currently seem to bind mount certificates into containers. That said, I would find it passing strange for a container to mount a certificate it doesn't trust but presumably expects the rest of the world to trust.

The secondary improvements are to the container image build process (the Dockerfile), which are intended to facilitate repeated image builds by improving layer caching and not building unnecessary binaries.

[brianaydemir]

For testing, I've been using something like the following framework:

• 2025-12-29-pelican-test-framework.tar.gz

Of special note is the ./certs/.init.sh script, which provides an example how to create and use a CA. (You'll probably want to modify environment.cfg to refer to your own container images.)

Once you've got the containers up and running, you can try things like:

# Check for errors in the entrypoint script.
$ docker logs pelican-director-1 2>&1 | less

# Check whether we need to skip certificate validation.
$ docker exec -it pelican-director-1 bash -il
[root@director pelican]# curl https://registry:8444/
<a href="/view/">Found</a>.

[root@director pelican]# curl https://origin-0:8444/
<a href="/view/">Found</a>.

[root@director pelican]# curl https://cache-0:8444/
<a href="/view/">Found</a>.