From ee77aea099f721851845a83b671a644d8bb4c980 Mon Sep 17 00:00:00 2001
From: Pradipta Banerjee
Date: Wed, 3 Jun 2026 12:27:20 +0000
Subject: [PATCH] fix(initdata): split multi-cert PEM into one extra_root_certificates entry each

generateCDHToml was putting the entire certPEM string (which may contain multiple PEM-encoded certificates from --cacert or --capath ) as a single extra_root_certificates array element. The validate command already enforced that each element must contain exactly one certificate. The create path now matches: it decodes the PEM block by block and appends each certificate as its own array entry.

Before: extra_root_certificates = ["cert1\ncert2"] (combined, rejected by validate)
After: extra_root_certificates = ["cert1", "cert2"] (one per element, accepted)

Signed-off-by: Pradipta Banerjee
---
 pkg/initdata/initdata.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/pkg/initdata/initdata.go b/pkg/initdata/initdata.go
index d364d4c..0d0433e 100644
--- a/pkg/initdata/initdata.go
+++ b/pkg/initdata/initdata.go
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"compress/gzip"
 	"encoding/base64"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"os"
@@ -224,7 +225,22 @@ func generateCDHToml(cfg *config.CocoConfig, caCert string, imagePullSecrets []I
 	}
 
 	if caCert != "" {
-		imageConfig["extra_root_certificates"] = []string{caCert}
+		// Split the PEM into one entry per certificate so that each element
+		// in extra_root_certificates contains exactly one certificate.
+		// This matches what initdata validate enforces.
+		var entries []string
+		rest := []byte(caCert)
+		for {
+			var block *pem.Block
+			block, rest = pem.Decode(rest)
+			if block == nil {
+				break
+			}
+			entries = append(entries, string(pem.EncodeToMemory(block)))
+		}
+		if len(entries) > 0 {
+			imageConfig["extra_root_certificates"] = entries
+		}
 	}
 
 	if len(imageConfig) > 0 {
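Review bot: The decode loop appends every PEM block it finds regardless of type — pem.Decode also returns PRIVATE KEY, CERTIFICATE REQUEST and X509 CRL blocks — so a --cacert file that happens to bundle a key alongside the chain would have that key written into initdata as an extra_root_certificates entry. Guard the append with a type check, e.g. `if block.Type != "CERTIFICATE" { /* reject or skip, with a log line naming block.Type */ }`, and consider confirming each block with `x509.ParseCertificate(block.Bytes)` so malformed DER is caught at create time rather than in the guest. The empty case also regressed: when caCert is non-empty but yields no PEM block (DER input, wrong file), `entries` stays nil and the setting is silently omitted, whereas before the bad value at least reached validate and was rejected; this should surface as an error from generateCDHToml, whose signature and return values lie outside the hunk.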