Merge pull request #4 from OpenVoxProject/add_certificate_allowlist

allow setting certificate allowlist
OpenVoxProject · Feb 4, 2025 · a03091d · a03091d
2 parents d87e31a + 23d4d50
commit a03091d
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -57,6 +57,7 @@ podman pull ghcr.io/openvoxproject/openvoxdb:8.9.0-v1.2.3
 | **DNS_ALT_NAMES**                       | Additional DNS names to add to the services SSL certificate<br><br>Unset                                                                |
 | **WAITFORCERT**                         | Number of seconds to wait for certificate to be signed<br><br>`120`                                                                     |
 | **USE_OPENVOXSERVER**                    | Set to `false` to skip acquiring SSL certificates from a Puppet Server.<br><br>`true`                                                   |
+| **OPENVOXDB_CERTIFICATE_ALLOWLIST**       | Set to a comma seaprated list of allowed certnames.<br><br>`""`                                                                        |
 | **OPENVOXSERVER_HOSTNAME**               | The DNS hostname of the puppet server<br><br>`puppet`                                                                                   |
 | **OPENVOXSERVER_PORT**                   | The port of the puppet server<br><br>`8140`                                                                                             |
 | **OPENVOXDB_POSTGRES_HOSTNAME**         | The DNS hostname of the postgres service<br><br>`postgres`                                                                              |

diff --git a/openvoxdb/Containerfile b/openvoxdb/Containerfile
@@ -43,6 +43,7 @@ ENV CERTNAME="openvoxdb" \
     OPENVOXDB_REPORT_TTL=14d \
     OPENVOXDB_POSTGRES_USER=openvoxdb \
     UBUNTU_VERSION="24.04" \
+    OPENVOXDB_CERTIFICATE_ALLOWLIST="" \
     USE_OPENVOXSERVER=true \
     WAITFORCERT=""
 

diff --git a/openvoxdb/docker-entrypoint.d/30-certificate-allowlist.sh b/openvoxdb/docker-entrypoint.d/30-certificate-allowlist.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+hocon() {
+  /opt/puppetlabs/puppet/lib/ruby/vendor_gems/bin/hocon "$@"
+}
+
+if [ "$OPENVOXDB_CERTIFICATE_ALLOWLIST" != "" ]; then
+  hocon -f /etc/puppetlabs/puppetdb/conf.d/puppetdb.conf set puppetdb.certificate-allowlist certificate-allowlist
+  IFS=','
+  for cert in $OPENVOXDB_CERTIFICATE_ALLOWLIST; do
+    echo $cert >> /opt/puppetlabs/server/apps/puppetdb/certificate-allowlist
+  done
+fi
+