Added support for custom SSL certificate

basecamp · Sep 24, 2024 · a64fd3d · a64fd3d
1 parent 4a13803
commit a64fd3d
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 0 deletions.
diff --git a/lib/kamal/configuration/docs/proxy.yml b/lib/kamal/configuration/docs/proxy.yml
@@ -98,3 +98,19 @@ proxy:
   # By default kamal-proxy will not forward the headers the ssl option is set to true, and
   # will forward them if it is set to false.
   forward_headers: true
+
+  # SSL certificate path
+  #
+  # The path to the custom SSL certificate for the host when not using Let's Encrypt.
+  # The certificate must be in PEM format and contain the full chain.
+  #
+  # SSL private key path must also be set.
+  ssl_certificate_path: /data/cert/foo.example.com/fullchain.pem
+
+  # SSL private key path
+  #
+  # The path to the custom SSL private key for the host when not using Let's Encrypt.
+  # The key must be in PEM format.
+  #
+  # SSL certificate path must also be set.
+  ssl_private_key_path: /data/cert/foo.example.com/privkey.pem
diff --git a/lib/kamal/configuration/proxy.rb b/lib/kamal/configuration/proxy.rb
@@ -30,6 +30,8 @@ def deploy_options
     {
       host: proxy_config["host"],
       tls: proxy_config["ssl"],
+      "tls-certificate-path": proxy_config["ssl_certificate_path"],
+      "tls-private-key-path": proxy_config["ssl_private_key_path"],
       "deploy-timeout": seconds_duration(config.deploy_timeout),
       "drain-timeout": seconds_duration(config.drain_timeout),
       "health-check-interval": seconds_duration(proxy_config.dig("healthcheck", "interval")),

diff --git a/lib/kamal/configuration/validator/proxy.rb b/lib/kamal/configuration/validator/proxy.rb
@@ -6,6 +6,14 @@ def validate!
       if config["host"].blank? && config["ssl"]
         error "Must set a host to enable automatic SSL"
       end
+
+      if config["ssl_certificate_path"].present? && config["ssl_private_key_path"].blank?
+        error "Must set a private key path to use a custom SSL certificate"
+      end
+
+      if config["ssl_private_key_path"].present? && config["ssl_certificate_path"].blank?
+        error "Must set a certificate path to use a custom SSL private key"
+      end
     end
   end
 end
diff --git a/test/commands/proxy_test.rb b/test/commands/proxy_test.rb
@@ -41,6 +41,14 @@ class CommandsProxyTest < ActiveSupport::TestCase
       new_command.run.join(" ")
   end
 
+  test "run with custom SSL certificate" do
+    @config[:proxy] = { "ssl" => true, "host" => "example.com", "ssl_certificate_path" => "/path/to/cert.pem", "ssl_private_key_path" => "/path/to/key.pem" }
+
+    assert_equal \
+      "docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --publish 80:80 --publish 443:443 --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy --log-opt max-size=\"10m\" basecamp/kamal-proxy:#{Kamal::Configuration::PROXY_MINIMUM_VERSION}",
+      new_command.run.join(" ")
+  end
+
   test "proxy start" do
     assert_equal \
       "docker container start kamal-proxy",

diff --git a/test/configuration/proxy_test.rb b/test/configuration/proxy_test.rb
@@ -18,6 +18,16 @@ class ConfigurationEnvTest < ActiveSupport::TestCase
     assert_raises(Kamal::ConfigurationError) { config.proxy.ssl? }
   end
 
+  test "ssl with certificate path and no private key path" do
+    @deploy[:proxy] = { "ssl" => true, "ssl_certificate_path" => "/path/to/cert.pem" }
+    assert_raises(Kamal::ConfigurationError) { config.proxy.ssl? }
+  end
+
+  test "ssl with private key path and no certificate path" do
+    @deploy[:proxy] = { "ssl" => true, "ssl_private_key_path" => "/path/to/key.pem" }
+    assert_raises(Kamal::ConfigurationError) { config.proxy.ssl? }
+  end
+
   private
     def config
       Kamal::Configuration.new(@deploy)