From 23d4d502040121c9b3ba4baf6843794f06054eeb Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Tue, 4 Feb 2025 01:37:19 +0100
Subject: [PATCH] allow setting certificate allowlist

---
 README.md | 1 +
 openvoxdb/Containerfile | 1 +
 .../30-certificate-allowlist.sh | 14 ++++++++++++++
 3 files changed, 16 insertions(+)
 create mode 100755 openvoxdb/docker-entrypoint.d/30-certificate-allowlist.sh

diff --git a/README.md b/README.md
index 78f2d7f..4883618 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ podman pull ghcr.io/openvoxproject/openvoxdb:8.9.0-v1.2.3
 | **DNS_ALT_NAMES** | Additional DNS names to add to the services SSL certificate

Unset | | **WAITFORCERT** | Number of seconds to wait for certificate to be signed

`120` | | **USE_OPENVOXSERVER** | Set to `false` to skip acquiring SSL certificates from a Puppet Server.

`true` | +| **OPENVOXDB_CERTIFICATE_ALLOWLIST** | Set to a comma seaprated list of allowed certnames.

`""` | | **OPENVOXSERVER_HOSTNAME** | The DNS hostname of the puppet server

`puppet` | | **OPENVOXSERVER_PORT** | The port of the puppet server

`8140` | | **OPENVOXDB_POSTGRES_HOSTNAME** | The DNS hostname of the postgres service

`postgres` |
diff --git a/openvoxdb/Containerfile b/openvoxdb/Containerfile
index 3697b16..0cdb0e2 100644
--- a/openvoxdb/Containerfile
+++ b/openvoxdb/Containerfile
@@ -43,6 +43,7 @@ ENV CERTNAME="openvoxdb" \
 OPENVOXDB_REPORT_TTL=14d \
 OPENVOXDB_POSTGRES_USER=openvoxdb \
 UBUNTU_VERSION="24.04" \
+ OPENVOXDB_CERTIFICATE_ALLOWLIST="" \
 USE_OPENVOXSERVER=true \
 WAITFORCERT=""
diff --git a/openvoxdb/docker-entrypoint.d/30-certificate-allowlist.sh b/openvoxdb/docker-entrypoint.d/30-certificate-allowlist.sh
new file mode 100755
index 0000000..905a904
--- /dev/null
+++ b/openvoxdb/docker-entrypoint.d/30-certificate-allowlist.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+hocon() {
+ /opt/puppetlabs/puppet/lib/ruby/vendor_gems/bin/hocon "$@"
+}
+
+if [ "$OPENVOXDB_CERTIFICATE_ALLOWLIST" != "" ]; then
+ hocon -f /etc/puppetlabs/puppetdb/conf.d/puppetdb.conf set puppetdb.certificate-allowlist certificate-allowlist
+ IFS=','
+ for cert in $OPENVOXDB_CERTIFICATE_ALLOWLIST; do
+ echo $cert >> /opt/puppetlabs/server/apps/puppetdb/certificate-allowlist
+ done
+fi
+
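Review bot: The allowlist file is opened with `>>` on the `echo` line of the new 30-certificate-allowlist.sh, so each run appends to whatever `/opt/puppetlabs/server/apps/puppetdb/certificate-allowlist` already holds; if that path survives a restart (persistent volume) or the entrypoint runs the script more than once, certnames that were removed from `OPENVOXDB_CERTIFICATE_ALLOWLIST` stay authorised, which undermines the control the script is adding. Truncate the file once before the loop and write each entry with `printf '%s\n' "$cert"` instead of `echo $cert`, whose unquoted expansion is also word-split and glob-expanded. `IFS=','` is assigned for the remainder of the script and never restored, so if the entrypoint sources the files in docker-entrypoint.d rather than executing them the changed IFS leaks into later scripts; scoping it to a single `IFS=',' read -ra` keeps it local. The value handed to `hocon set` is the bare name `certificate-allowlist` while the file is written under `/opt/puppetlabs/server/apps/puppetdb/`, so resolution presumably depends on PuppetDB's working directory — worth confirming, or passing the absolute path.
```shell
allowlist=/opt/puppetlabs/server/apps/puppetdb/certificate-allowlist
if [ "$OPENVOXDB_CERTIFICATE_ALLOWLIST" != "" ]; then
  # … unchanged: hocon set call …
  : > "$allowlist"
  IFS=',' read -ra certs <<<"$OPENVOXDB_CERTIFICATE_ALLOWLIST"
  for cert in "${certs[@]}"; do
    printf '%s\n' "$cert" >> "$allowlist"
  done
fi
```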