Added CUSTOM_CERT_DIR and ad-hoc self signed cert generation #27

Open: richturner wants to merge 4 commits into main from adhoc_seflsigned_generation

@richturner
Member

It wasn't possible to volume map in an additional directory of custom SSL certificates. With this change it is now easy to volume map the deployment-data volume to /data and load custom certs from /data/proxy/certs.

By generating the self-signed cert on the fly at startup we avoid needing to renew it in the repo itself.

@richturner richturner requested a review from a team May 15, 2026 13:38
@richturner richturner self-assigned this May 15, 2026
@richturner richturner changed the title Added CUSTOM_CERT_DIR and ad-hoc seflsigned cert generation Added CUSTOM_CERT_DIR and ad-hoc sefl signed cert generation May 15, 2026
@richturner richturner marked this pull request as draft May 15, 2026 13:55
Comment thread entrypoint.sh

# Generate a new certificate valid for 365 days
openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
-subj "/CN=localhost" \
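
Review bot: -nodes on the openssl req line writes the private key unencrypted, so the key file this command produces needs owner-only permissions; set umask 077 before the call or chmod 600 the key afterwards. The lifetime is also fixed at -days 365, so if generation is skipped whenever a certificate already exists on a persisted volume, the fallback will eventually be served expired; checking the existing file with openssl x509 -checkend before reusing it would cover that.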
Member

@richturner Shouldn't this be OR_HOSTNAME? From what I understand around the usage of OR_HOSTNAME, this function will be run if OR_HOSTNAME is not an FQDN, so using localhost could block people from properly using it on other domain names.

Member Author

@pankalog no, the purpose of the self-signed certificate is just as a final fallback if SNI fails to match a specific cert. It is bad practice to present a valid public FQDN in this scenario; this just replaces the previous self-signed cert that was baked in.
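
An added example (not the project's entrypoint.sh) of the fallback-certificate generation discussed in this thread, made idempotent: it keeps the CN=localhost subject, regenerates only when the certificate is missing or within 30 days of expiry, and writes the key owner-only. The function names, the file names fallback.crt and fallback.key, and the 30-day window are assumptions.

```shell
#!/bin/sh
# Added example: idempotent self-signed fallback certificate for a proxy entrypoint.
# File names and the renewal window below are assumptions, not project values.

RENEW_BEFORE_SECONDS=$((30 * 24 * 3600))   # renew when fewer than 30 days remain

# Succeeds when cert and key both exist and the cert outlives the renewal window.
fallback_cert_is_fresh() {
    cert="$1"; key="$2"
    [ -s "$cert" ] && [ -s "$key" ] &&
        openssl x509 -in "$cert" -noout -checkend "$RENEW_BEFORE_SECONDS" >/dev/null 2>&1
}

# Create or renew the fallback certificate in directory $1.
ensure_fallback_cert() {
    dir="$1"
    cert="$dir/fallback.crt"; key="$dir/fallback.key"
    mkdir -p "$dir" || return 1
    if fallback_cert_is_fresh "$cert" "$key"; then
        return 0    # reuse the existing pair, nothing to do
    fi
    (
        # -nodes leaves the key unencrypted, so restrict it to the owner.
        umask 077
        openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
            -subj "/CN=localhost" \
            -keyout "$key.tmp" -out "$cert.tmp" >/dev/null 2>&1 &&
        # Drop the old cert first and move the new cert last, so an
        # interrupted run is never mistaken for a fresh, matching pair.
        rm -f "$cert" && mv "$key.tmp" "$key" && mv "$cert.tmp" "$cert"
    ) || { rm -f "$key.tmp" "$cert.tmp"; return 1; }
}

# Helpers for checking what was generated.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

cert_subject() {
    openssl x509 -in "$1" -noout -subject
}
```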

@sonarqubecloud

Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)


@richturner richturner changed the title Added CUSTOM_CERT_DIR and ad-hoc sefl signed cert generation Added CUSTOM_CERT_DIR and ad-hoc self signed cert generation May 15, 2026
@richturner richturner marked this pull request as ready for review May 15, 2026 21:35