feat(rpm): replace init-pki.sh with openshell-gateway generate-certs

crates/openshell-bootstrap/src/pki.rs

@@ -17,13 +17,17 @@ pub struct PkiBundle {
     pub client_key_pem: String,
 }
 
-/// Default SANs always included on the server certificate.
+/// Default SANs always included on the server certificate. Covers the host
+/// aliases used by every supported runtime: Kubernetes service DNS,
+/// `host.docker.internal` for Docker Desktop and rootless Docker on Linux,
+/// and `host.containers.internal` for Podman containers reaching their host.
 const DEFAULT_SERVER_SANS: &[&str] = &[
     "openshell",
     "openshell.openshell.svc",
     "openshell.openshell.svc.cluster.local",
     "localhost",
     "host.docker.internal",
+    "host.containers.internal",
     "127.0.0.1",
 ];
 

deploy/man/openshell-gateway.8.md

@@ -134,13 +134,14 @@ View logs:
     journalctl --user -u openshell-gateway
     journalctl --user -u openshell-gateway -f
 
-The unit runs two **ExecStartPre** scripts on first start:
+The unit runs two **ExecStartPre** steps on first start:
 
-1. **init-pki.sh** generates a self-signed PKI bundle for mTLS.
+1. **openshell-gateway generate-certs --output-dir** generates a
+   self-signed PKI bundle for mTLS.
 2. **init-gateway-env.sh** generates the environment configuration
    file with an auto-generated SSH handshake secret.
 
-Both scripts are idempotent and skip generation if their output files
+Both steps are idempotent and skip generation if their output files
 already exist.
 
 To persist the service across logouts:
@@ -167,9 +168,6 @@ This creates a drop-in override that persists across package upgrades.
 */usr/lib/systemd/user/openshell-gateway.service*
 :   Systemd user unit file.
 
-*/usr/libexec/openshell/init-pki.sh*
-:   PKI bootstrap script.
-
 */usr/libexec/openshell/init-gateway-env.sh*
 :   Gateway environment file generator.
 

deploy/rpm/CONFIGURATION.md

@@ -14,8 +14,10 @@ though it listens on all interfaces (`0.0.0.0`).
 
 ### Auto-generated certificates
 
-On first start, the `init-pki.sh` script generates certificates using
-OpenSSL:
+On first start, the gateway's `ExecStartPre` runs
+`openshell-gateway generate-certs --output-dir <state-dir>/openshell/tls`,
+which generates the certificates with `rcgen` (the same routine the CLI
+uses for local mTLS bundles):
 
 | File | Purpose | Location |
 |------|---------|----------|
@@ -245,7 +247,7 @@ For air-gapped environments:
 | Gateway binary | `/usr/bin/openshell-gateway` |
 | CLI binary | `/usr/bin/openshell` |
 | Systemd user unit | `/usr/lib/systemd/user/openshell-gateway.service` |
-| PKI bootstrap script | `/usr/libexec/openshell/init-pki.sh` |
+| PKI bootstrap | `openshell-gateway generate-certs` (run from `ExecStartPre`) |
 | Env generator script | `/usr/libexec/openshell/init-gateway-env.sh` |
 | TLS certificates | `~/.local/state/openshell/tls/` |
 | CLI client certs | `~/.config/openshell/gateways/openshell/mtls/` |

deploy/rpm/init-gateway-env.sh

@@ -77,9 +77,10 @@ OPENSHELL_SSH_HANDSHAKE_SECRET=${SECRET}
 #OPENSHELL_SANDBOX_IMAGE_PULL_POLICY=missing
 
 # ---- TLS (mTLS enabled by default) ----
-# PKI is auto-generated by init-pki.sh on first start. Client certs are
-# placed in ~/.config/openshell/gateways/openshell/mtls/ so the CLI
-# discovers them automatically.
+# PKI is auto-generated by 'openshell-gateway generate-certs' from the
+# unit's ExecStartPre on first start. Client certs are placed in
+# ~/.config/openshell/gateways/openshell/mtls/ so the CLI discovers them
+# automatically.
 #
 # To use externally-managed certs, uncomment and edit the paths below.
 # To rotate certs, delete ~/.local/state/openshell/tls/ and restart.

openshell.spec

@@ -149,9 +149,10 @@ Type=exec
 # CLI discovers them automatically.
 # See /usr/share/doc/openshell-gateway/ for details.
 
-# Auto-generate PKI on first start if not present.
-# %%S expands to $XDG_STATE_HOME (~/.local/state) in user units.
-ExecStartPre=%{_libexecdir}/openshell/init-pki.sh %%S/openshell/tls
+# Auto-generate PKI on first start. Idempotent: skips when all six PEMs are
+# already in place. %%S expands to $XDG_STATE_HOME (~/.local/state) in user
+# units.
+ExecStartPre=/usr/bin/openshell-gateway generate-certs --output-dir %%S/openshell/tls
 
 # Auto-generate gateway.env (SSH handshake secret + commented config
 # reference) on first start if not present.
@@ -186,9 +187,8 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 WantedBy=default.target
 EOF
 
-# --- PKI bootstrap script and gateway env generator ---
+# --- Gateway env generator ---
 install -d %{buildroot}%{_libexecdir}/%{name}
-install -pm 0755 deploy/rpm/init-pki.sh %{buildroot}%{_libexecdir}/%{name}/init-pki.sh
 install -pm 0755 deploy/rpm/init-gateway-env.sh %{buildroot}%{_libexecdir}/%{name}/init-gateway-env.sh
 # Patch commented image defaults to match the build type (dev or latest).
 # The source file uses :latest as a generic reference; the installed copy
@@ -275,7 +275,6 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{python3} -c "from importlib.metadata
 %doc %{_docdir}/%{name}-gateway/TROUBLESHOOTING.md
 %{_bindir}/%{name}-gateway
 %{_userunitdir}/%{name}-gateway.service
-%{_libexecdir}/%{name}/init-pki.sh
 %{_libexecdir}/%{name}/init-gateway-env.sh
 %{_mandir}/man8/openshell-gateway.8*
 %{_mandir}/man5/openshell-gateway.env.5*