add support for custom certificates

test/cli/app_test.rb

@@ -220,6 +220,22 @@ class CliAppTest < CliTestCase
     end
   end
 
+  test "boot with custom ssl certificate" do
+    Kamal::Configuration::Proxy.any_instance.stubs(:custom_ssl_certificate?).returns(true)
+    Kamal::Configuration::Proxy.any_instance.stubs(:certificate_pem_content).returns("CERTIFICATE CONTENT")
+    Kamal::Configuration::Proxy.any_instance.stubs(:private_key_pem_content).returns("PRIVATE KEY CONTENT")
+
+    stub_running
+    run_command("boot", config: :with_proxy).tap do |output|
+      assert_match "Writing SSL certificates for web on 1.1.1.1", output
+      assert_match "mkdir -p .kamal/proxy/apps-config/app/tls", output
+      assert_match "sh -c [REDACTED]", output
+      assert_match "docker exec --user root kamal-proxy chown -R kamal-proxy:kamal-proxy", output
+      assert_match "--tls-certificate-path=\"/home/kamal-proxy/.apps-config/app/tls/cert.pem\"", output
+      assert_match "--tls-private-key-path=\"/home/kamal-proxy/.apps-config/app/tls/key.pem\"", output
+    end
+  end
+
   test "start" do
     SSHKit::Backend::Abstract.any_instance.stubs(:capture_with_info).returns("999") # old version
 

test/commands/app_test.rb

@@ -143,14 +143,18 @@ class CommandsAppTest < ActiveSupport::TestCase
       new_command.deploy(target: "172.1.0.2").join(" ")
   end
 
+  test "set certificate permissions" do
+    assert_equal \
+      "docker exec --user root kamal-proxy chown -R kamal-proxy:kamal-proxy /home/kamal-proxy/.apps-config/app/tls",
+      new_command.set_certificate_permissions.join(" ")
+  end
+
   test "remove" do
     assert_equal \
       "docker exec kamal-proxy kamal-proxy remove app-web",
       new_command.remove.join(" ")
   end
 
-
-
   test "logs" do
     assert_equal \
       "sh -c 'docker ps --latest --quiet --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting --filter ancestor=$(docker image ls --filter reference=dhh/app:latest --format '\\''{{.ID}}'\\'') ; docker ps --latest --quiet --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting' | head -1 | xargs docker logs --timestamps 2>&1",

test/configuration/proxy/boot_test.rb

@@ -25,5 +25,7 @@ class ConfigurationProxyBootTest < ActiveSupport::TestCase
     assert_equal "/home/kamal-proxy/.apps-config/app", @proxy_boot_config.app_container_directory
     assert_equal ".kamal/proxy/apps-config/app/error_pages", @proxy_boot_config.error_pages_directory
     assert_equal "/home/kamal-proxy/.apps-config/app/error_pages", @proxy_boot_config.error_pages_container_directory
+    assert_equal ".kamal/proxy/apps-config/app/tls", @proxy_boot_config.tls_directory
+    assert_equal "/home/kamal-proxy/.apps-config/app/tls", @proxy_boot_config.tls_container_directory
   end
 end

test/configuration/proxy_test.rb

@@ -45,6 +45,43 @@ class ConfigurationProxyTest < ActiveSupport::TestCase
     end
   end
 
+  test "ssl with certificate and private key from secrets" do
+    with_test_secrets("secrets" => "CERT_PEM=certificate\nKEY_PEM=private_key") do
+      @deploy[:proxy] = {
+        "ssl" => true,
+        "host" => "example.com",
+        "certificate_pem" => "CERT_PEM",
+        "private_key_pem" => "KEY_PEM"
+      }
+
+      proxy = config.proxy
+      assert_equal "/home/kamal-proxy/.apps-config/app/tls/cert.pem", proxy.certificate_pem
+      assert_equal "/home/kamal-proxy/.apps-config/app/tls/key.pem", proxy.private_key_pem
+    end
+  end
+
+  test "ssl with certificate and no private key" do
+    with_test_secrets("secrets" => "CERT_PEM=certificate") do
+      @deploy[:proxy] = {
+        "ssl" => true,
+        "host" => "example.com",
+        "certificate_pem" => "CERT_PEM"
+      }
+      assert_raises(Kamal::ConfigurationError) { config.proxy.ssl? }
+    end
+  end
+
+  test "ssl with private key and no certificate" do
+    with_test_secrets("secrets" => "KEY_PEM=private_key") do
+      @deploy[:proxy] = {
+        "ssl" => true,
+        "host" => "example.com",
+        "private_key_pem" => "KEY_PEM"
+      }
+      assert_raises(Kamal::ConfigurationError) { config.proxy.ssl? }
+    end
+  end
+
   private
     def config
       Kamal::Configuration.new(@deploy)

test/configuration_test.rb

@@ -386,7 +386,7 @@ class ConfigurationTest < ActiveSupport::TestCase
       Kamal::Configuration.new(@deploy_with_roles)
     end
 
-    assert_equal "SSL is only supported on a single server, found 2 servers for role workers", exception.message
+    assert_equal "SSL is only supported on a single server unless you provide custom certificates, found 2 servers for role workers", exception.message
   end
 
   test "two proxy ssl roles with same host" do