Fix #35340: import ca certs in Docker container

LEDfan · LEDfan · commit 624062cc087a · 2026-01-05T15:43:02.000+01:00
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/DockerOrchestrator.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/DockerOrchestrator.kt
@@ -246,15 +246,16 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
                 }
 
                 copyTemplates(shinyProxy, dir)
+                val mountCaBundle = copyCaBundle(shinyProxy, inputDir, dir)
                 fileManager.createDirectories(dir.resolve("logs"))
                 val additioanlConfigFiles = copyAdditionalConfigFiles(shinyProxy, dir)
-
                 val envVars = arrayListOf("PROXY_VERSION=${version}", "PROXY_REALM_ID=${shinyProxy.realmId}", "SPRING_CONFIG_IMPORT_0=/opt/shinyproxy/generated.yml", "USE_SYSTEM_CA_CERTS=true")
+
                 val binds = mutableListOf(HostConfig.Bind.builder()
-                    .from(dockerSocket)
-                    .to("/var/run/docker.sock")
-                    .readOnly(true)
-                    .build(),
+                        .from(dockerSocket)
+                        .to("/var/run/docker.sock")
+                        .readOnly(true)
+                        .build(),
                     HostConfig.Bind.builder()
                         .from(dir.resolve("application.yml").toString())
                         .to("/opt/shinyproxy/application.yml")
@@ -279,6 +280,14 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
                         .to("/dev/termination-log")
                         .build())
 
+                if (mountCaBundle) {
+                    binds.add(HostConfig.Bind.builder()
+                        .from(dir.resolve("ca-bundle.crt").toString())
+                        .to("/certificates/ca-bundle.crt")
+                        .readOnly(true)
+                        .build())
+                }
+
                 for ((idx, file) in additioanlConfigFiles.withIndex()) {
                     val destination = "/opt/shinyproxy/${file}"
                     binds.add(HostConfig.Bind.builder()
@@ -291,36 +300,7 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
 
                 val hostConfigBuilder = HostConfig.builder()
                     .networkMode(SHARED_NETWORK_NAME)
-                    .binds(
-                        HostConfig.Bind.builder()
-                            .from(dockerSocket)
-                            .to("/var/run/docker.sock")
-                            .readOnly(true)
-                            .build(),
-                        HostConfig.Bind.builder()
-                            .from(dir.resolve("application.yml").toString())
-                            .to("/opt/shinyproxy/application.yml")
-                            .readOnly(true)
-                            .build(),
-                        HostConfig.Bind.builder()
-                            .from(dir.resolve("generated.yml").toString())
-                            .to("/opt/shinyproxy/generated.yml")
-                            .readOnly(true)
-                            .build(),
-                        HostConfig.Bind.builder()
-                            .from(dir.resolve("templates").toString())
-                            .to("/opt/shinyproxy/templates")
-                            .readOnly(true)
-                            .build(),
-                        HostConfig.Bind.builder()
-                            .from(logsDir.toString())
-                            .to("/opt/shinyproxy/logs")
-                            .build(),
-                        HostConfig.Bind.builder()
-                            .from(dir.resolve("termination-log").toString())
-                            .to("/dev/termination-log")
-                            .build(),
-                    )
+                    .binds(*binds.toTypedArray())
                     .groupAdd(dockerGID.toString())
                     .restartPolicy(HostConfig.RestartPolicy.always())
                     .memoryReservation(memoryToBytes(shinyProxy.memoryRequest))
@@ -412,6 +392,21 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
         return null
     }
 
+    private fun copyCaBundle(shinyProxy: ShinyProxy, inputDir: Path, dir: Path): Boolean {
+        var source = shinyProxy.getCaBundleFile(inputDir)
+        if (!source.isAbsolute) {
+            logger.warn { "${logPrefix(shinyProxy)} CA bundle path must be absolute, ignoring." }
+            return false
+        }
+        if (!source.exists() && !source.isRegularFile()) {
+            logger.debug { "${logPrefix(shinyProxy)} CA bundle '${source.absolutePathString()}' not found" }
+            return false
+        }
+        source.toFile().copyTo(dir.resolve("ca-bundle.crt").toFile(), true)
+        logger.info { "${logPrefix(shinyProxy)} CA bundle '${source.absolutePathString()}' copied" }
+        return true
+    }
+
     override suspend fun deleteInstance(shinyProxyInstance: ShinyProxyInstance) {
         val containers = dockerActions.getContainers(shinyProxyInstance)
         containers.forEach { container ->
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/FileSource.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/FileSource.kt
@@ -125,7 +125,7 @@ class FileSource(
                     channel.send(ShinyProxyEvent(ShinyProxyEventType.ADD, shinyProxy.realmId, name, NAMESPACE, null))
                 } else {
                     if (existingShinyProxy.hashOfCurrentSpec == shinyProxy.hashOfCurrentSpec) {
-                        val modified = shinyProxy.isReferencedFileMoreRecent(lastRun)
+                        val modified = shinyProxy.isReferencedFileMoreRecent(inputDir, lastRun)
                         if (modified.first) {
                             logger.info { "${logPrefix(shinyProxy.realmId)} [Update] Referenced file ${modified.second?.absolutePathString()} modified" }
                             channel.send(ShinyProxyEvent(ShinyProxyEventType.UPDATE_SPEC, shinyProxy.realmId, name, NAMESPACE, shinyProxy.hashOfCurrentSpec))
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/ShinyProxy.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/ShinyProxy.kt
@@ -24,6 +24,7 @@ import com.fasterxml.jackson.module.kotlin.convertValue
 import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
 import eu.openanalytics.shinyproxyoperator.model.ShinyProxy
 import java.nio.file.Path
+import kotlin.io.path.absolute
 import kotlin.io.path.exists
 import kotlin.io.path.getLastModifiedTime
 import kotlin.io.path.isRegularFile
@@ -59,8 +60,18 @@ fun ShinyProxy.getAdditionalConfigFiles(): List<Path> {
     return listOf()
 }
 
-fun ShinyProxy.isReferencedFileMoreRecent(lastModified: Long): Pair<Boolean, Path?> {
-    val files = listOf(getCaddyTlsCertFile(), getCaddyTlsKeyFile()) + getAdditionalConfigFiles()
+fun ShinyProxy.getCaBundleFile(inputDir: Path): Path {
+    if (getSpec().get("caBundleFile")?.isTextual == true) {
+        return Path.of(getSpec().get("caBundleFile").textValue())
+    }
+    if (getSpec().get("ca-bundle-file")?.isTextual == true) {
+        return Path.of(getSpec().get("ca-bundle-file").textValue())
+    }
+    return inputDir.resolve("ca-bundle.crt").absolute()
+}
+
+fun ShinyProxy.isReferencedFileMoreRecent(inputDir: Path, lastModified: Long): Pair<Boolean, Path?> {
+    val files = listOf(getCaddyTlsCertFile(), getCaddyTlsKeyFile(), getCaBundleFile(inputDir)) + getAdditionalConfigFiles()
     for (file in files) {
         if (file == null || !file.exists() || !file.isRegularFile()) {
             continue
