From 8795e8bb0c5391e8531d53320c07cfee336275ba Mon Sep 17 00:00:00 2001 From: Joachim Bauch Date: Thu, 26 Sep 2024 20:53:38 +0200 Subject: [PATCH] docker: Support adding CA certificates to system trust store. --- docker/README.md | 2 ++ docker/proxy/Dockerfile | 5 +---- docker/proxy/entrypoint.sh | 8 +++++++- docker/server/Dockerfile | 5 +---- docker/server/entrypoint.sh | 8 +++++++- 5 files changed, 18 insertions(+), 10 deletions(-) diff --git a/docker/README.md b/docker/README.md index 28c76a11..b4003e46 100644 --- a/docker/README.md +++ b/docker/README.md @@ -68,6 +68,7 @@ The running container can be configured through different environment variables: - `GRPC_ETCD`: Set to `1` if etcd should be used to configure GRPC peers. - `GRPC_TARGET_PREFIX`: Key prefix of GRPC target entries. - `SKIP_VERIFY`: Set to `true` to skip certificate validation of backends and proxy servers. This should only be enabled during development, e.g. to work with self-signed certificates. +- `CA_CERTIFICATES_FOLDER`: Folder containing certificates that should be added to the system wide CA trust store during startup. Mount a folder from the host as volume in the container and specify the volume. Example with two backends: @@ -120,6 +121,7 @@ The running container can be configured through different environment variables: - `TOKEN_KEY_FORMAT`: Format of key name to retrieve the public key from, "%s" will be replaced with the token id. - `TOKENS`: Space-separated list of token ids. - `TOKEN__KEY`: Filename of public key for token `ID` (where `ID` is the uppercase token id). +- `CA_CERTIFICATES_FOLDER`: Folder containing certificates that should be added to the system wide CA trust store during startup. Mount a folder from the host as volume in the container and specify the volume. Example with two tokens: diff --git a/docker/proxy/Dockerfile b/docker/proxy/Dockerfile index 020cd1a2..fb78e036 100644 --- a/docker/proxy/Dockerfile +++ b/docker/proxy/Dockerfile 
@@ -13,17 +13,14 @@ FROM alpine:3 ENV CONFIG=/config/proxy.conf RUN adduser -D spreedbackend && \ - apk add --no-cache bash tzdata ca-certificates + apk add --no-cache bash tzdata ca-certificates su-exec COPY --from=builder /workdir/bin/proxy /usr/bin/nextcloud-spreed-signaling-proxy COPY ./proxy.conf.in /config/proxy.conf.in COPY ./docker/proxy/entrypoint.sh / COPY ./docker/proxy/stop.sh / COPY ./docker/proxy/wait.sh / -RUN chown spreedbackend /config RUN /usr/bin/nextcloud-spreed-signaling-proxy -version -USER spreedbackend - STOPSIGNAL SIGUSR1 ENTRYPOINT [ "/entrypoint.sh" ] diff --git a/docker/proxy/entrypoint.sh b/docker/proxy/entrypoint.sh index dd998971..5a2d2ff3 100755 --- a/docker/proxy/entrypoint.sh +++ b/docker/proxy/entrypoint.sh @@ -131,5 +131,11 @@ if [ ! -f "$CONFIG" ]; then fi fi +if [ -n "$CA_CERTIFICATES_FOLDER" ]; then + echo "Adding files from $CA_CERTIFICATES_FOLDER to the CA store ..." + cp "$CA_CERTIFICATES_FOLDER"/* /usr/local/share/ca-certificates/ + update-ca-certificates +fi + echo "Starting signaling proxy with $CONFIG ..." -exec /usr/bin/nextcloud-spreed-signaling-proxy -config "$CONFIG" +exec su-exec spreedbackend /usr/bin/nextcloud-spreed-signaling-proxy -config "$CONFIG" diff --git a/docker/server/Dockerfile b/docker/server/Dockerfile index 2e3e6324..9c59e7c1 100644 --- a/docker/server/Dockerfile +++ b/docker/server/Dockerfile @@ -13,17 +13,14 @@ FROM alpine:3 ENV CONFIG=/config/server.conf RUN adduser -D spreedbackend && \ - apk add --no-cache bash tzdata ca-certificates + apk add --no-cache bash tzdata ca-certificates su-exec COPY --from=builder /workdir/bin/signaling /usr/bin/nextcloud-spreed-signaling COPY ./server.conf.in /config/server.conf.in COPY ./docker/server/entrypoint.sh / COPY ./docker/server/stop.sh / COPY ./docker/server/wait.sh / -RUN chown spreedbackend /config RUN /usr/bin/nextcloud-spreed-signaling -version -USER spreedbackend - STOPSIGNAL SIGUSR1 ENTRYPOINT [ "/entrypoint.sh" ] 
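Review bot: With `USER spreedbackend` removed, the image now runs as root until entrypoint.sh reaches its `su-exec spreedbackend` line, so the entrypoint becomes the only privilege boundary: a `docker exec` into the container or an overridden `--entrypoint` gets root, and the config file the entrypoint writes under /config (outside this hunk) is root-owned and, under the usual default umask, likely world-readable instead of owned by the service user as the removed `chown spreedbackend /config` ensured. This is a deliberate trade-off for updating the CA store, so it should be recorded in the Dockerfile; I would add above STOPSIGNAL `# No USER here: entrypoint.sh must run as root to update the CA store and drops to spreedbackend via su-exec before starting the service.` If the generated config carries backend secrets (not visible here), the entrypoint should also `chown spreedbackend "$CONFIG"` and tighten its mode before the su-exec line. The docker/server/Dockerfile hunk in this patch has the same change and the same point applies.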
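Review bot: The new `CA_CERTIFICATES_FOLDER` block in docker/proxy/entrypoint.sh checks neither `cp` nor `update-ca-certificates`, so unless the script enables `set -e` above this hunk (not visible here) a missing or empty folder, a subdirectory inside it, or a failed store update only prints an error and the proxy still starts without the intended trust anchors, a failure that is easily "fixed" in the field by setting `SKIP_VERIFY`. The block should refuse a value that is not a directory and fail the start when the copy or the update fails; creating the target directory first also avoids a single file being copied onto a file named `ca-certificates` should the package not ship that directory (worth confirming in the alpine image). Separately, if Alpine's `update-ca-certificates` only processes `*.crt` files under /usr/local/share/ca-certificates, as the Debian-derived script does, a `.pem` file copied here is silently ignored, so the README entry for `CA_CERTIFICATES_FOLDER` should state which file extension is required. The same applies to the docker/server/entrypoint.sh hunk; the enclosing script starts outside the hunk.
```sh
if [ -n "$CA_CERTIFICATES_FOLDER" ]; then
  if [ ! -d "$CA_CERTIFICATES_FOLDER" ]; then
    echo "CA_CERTIFICATES_FOLDER=$CA_CERTIFICATES_FOLDER is not a directory" >&2
    exit 1
  fi
  echo "Adding files from $CA_CERTIFICATES_FOLDER to the CA store ..."
  mkdir -p /usr/local/share/ca-certificates
  cp -- "$CA_CERTIFICATES_FOLDER"/* /usr/local/share/ca-certificates/ || exit 1
  update-ca-certificates || exit 1
fi
# … unchanged: startup message and su-exec line …
```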
diff --git a/docker/server/entrypoint.sh b/docker/server/entrypoint.sh index 0b11b925..dc3d08dc 100755 --- a/docker/server/entrypoint.sh +++ b/docker/server/entrypoint.sh @@ -269,5 +269,11 @@ if [ ! -f "$CONFIG" ]; then fi fi +if [ -n "$CA_CERTIFICATES_FOLDER" ]; then + echo "Adding files from $CA_CERTIFICATES_FOLDER to the CA store ..." + cp "$CA_CERTIFICATES_FOLDER"/* /usr/local/share/ca-certificates/ + update-ca-certificates +fi + echo "Starting signaling server with $CONFIG ..." -exec /usr/bin/nextcloud-spreed-signaling -config "$CONFIG" +exec su-exec spreedbackend /usr/bin/nextcloud-spreed-signaling -config "$CONFIG"