Merge pull request #1531 from acidtib/feat/custom-ssl

feat: Add support for custom certificates
2025-06-17 09:25:15 +01:00
parent 89c56910c9 99f763d742
commit 8a7260d1e9
16 changed files with 196 additions and 14 deletions
--- a/lib/kamal/cli/app.rb
+++ b/lib/kamal/cli/app.rb
@@ -12,6 +12,7 @@ class Kamal::Cli::App < Kamal::Cli::Base

          KAMAL.roles_on(host).each do |role|
            Kamal::Cli::App::Assets.new(host, role, self).run
+            Kamal::Cli::App::SslCertificates.new(host, role, self).run
          end
        end

--- a/lib/kamal/cli/app/ssl_certificates.rb
+++ b/lib/kamal/cli/app/ssl_certificates.rb
@@ -0,0 +1,28 @@
+class Kamal::Cli::App::SslCertificates
+  attr_reader :host, :role, :sshkit
+  delegate :execute, :info, to: :sshkit
+
+  def initialize(host, role, sshkit)
+    @host = host
+    @role = role
+    @sshkit = sshkit
+  end
+
+  def run
+    if role.running_proxy? && role.proxy.custom_ssl_certificate?
+      info "Writing SSL certificates for #{role.name} on #{host}"
+      execute *app.create_ssl_directory
+      if cert_content = role.proxy.certificate_pem_content
+        execute *app.write_certificate_file(cert_content)
+      end
+      if key_content = role.proxy.private_key_pem_content
+        execute *app.write_private_key_file(key_content)
+      end
+    end
+  end
+
+  private
+    def app
+      @app ||= KAMAL.app(role: role, host: host)
+    end
+end
--- a/lib/kamal/commands/app/proxy.rb
+++ b/lib/kamal/commands/app/proxy.rb
@@ -21,6 +21,18 @@ module Kamal::Commands::App::Proxy
    remove_directory config.proxy_boot.app_directory
  end

+  def create_ssl_directory
+    make_directory(config.proxy_boot.tls_directory)
+  end
+
+  def write_certificate_file(content)
+    [ :sh, "-c", Kamal::Utils.sensitive("cat > #{config.proxy_boot.tls_directory}/cert.pem << 'KAMAL_CERT_EOF'\n#{content}\nKAMAL_CERT_EOF", redaction: "cat > #{config.proxy_boot.tls_directory}/cert.pem << 'KAMAL_CERT_EOF'\n[CERTIFICATE CONTENT REDACTED]\nKAMAL_CERT_EOF") ]
+  end
+
+  def write_private_key_file(content)
+    [ :sh, "-c", Kamal::Utils.sensitive("cat > #{config.proxy_boot.tls_directory}/key.pem << 'KAMAL_KEY_EOF'\n#{content}\nKAMAL_KEY_EOF", redaction: "cat > #{config.proxy_boot.tls_directory}/key.pem << 'KAMAL_KEY_EOF'\n[PRIVATE KEY CONTENT REDACTED]\nKAMAL_KEY_EOF") ]
+  end
+
  private
    def proxy_exec(*command)
      docker :exec, proxy_container_name, "kamal-proxy", *command
--- a/lib/kamal/configuration.rb
+++ b/lib/kamal/configuration.rb
@@ -63,7 +63,7 @@ class Kamal::Configuration
    @env = Env.new(config: @raw_config.env || {}, secrets: secrets)

    @logging = Logging.new(logging_config: @raw_config.logging)
-    @proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy)
+    @proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy, secrets: secrets)
    @proxy_boot = Proxy::Boot.new(config: self)
    @ssh = Ssh.new(config: self)
    @sshkit = Sshkit.new(config: self)
--- a/lib/kamal/configuration/accessory.rb
+++ b/lib/kamal/configuration/accessory.rb
@@ -125,7 +125,8 @@ class Kamal::Configuration::Accessory
      Kamal::Configuration::Proxy.new \
        config: config,
        proxy_config: accessory_config["proxy"],
-        context: "accessories/#{name}/proxy"
+        context: "accessories/#{name}/proxy",
+        secrets: config.secrets
    end

    def initialize_registry
--- a/lib/kamal/configuration/docs/proxy.yml
+++ b/lib/kamal/configuration/docs/proxy.yml
@@ -11,7 +11,6 @@
 # run on the same proxy.
 #
 proxy:
-
  # Hosts
  #
  # The hosts that will be used to serve the app. The proxy will only route requests
@@ -45,7 +44,21 @@ proxy:
  # unless you explicitly set `forward_headers: true`
  #
  # Defaults to `false`:
-  ssl: true
+  ssl: ...
+
+  # Custom SSL certificate
+  #
+  # In some cases, using Let's Encrypt for automatic certificate management is not an 
+  # option, or you may already have SSL certificates issued by a different 
+  # Certificate Authority (CA). Kamal supports loading custom SSL certificates 
+  # directly from secrets.
+  #
+  # Examples:
+  #   ssl: true              # Enable SSL with Let's Encrypt
+  #   ssl: false             # Disable SSL
+  #   ssl:                   # Enable custom SSL
+  #     certificate_pem: CERTIFICATE_PEM
+  #     private_key_pem: PRIVATE_KEY_PEM

  # SSL redirect
  #
--- a/lib/kamal/configuration/proxy.rb
+++ b/lib/kamal/configuration/proxy.rb
@@ -6,12 +6,13 @@ class Kamal::Configuration::Proxy

  delegate :argumentize, :optionize, to: Kamal::Utils

-  attr_reader :config, :proxy_config
+  attr_reader :config, :proxy_config, :secrets

-  def initialize(config:, proxy_config:, context: "proxy")
+  def initialize(config:, proxy_config:, secrets:, context: "proxy")
    @config = config
    @proxy_config = proxy_config
    @proxy_config = {} if @proxy_config.nil?
+    @secrets = secrets
    validate! @proxy_config, with: Kamal::Configuration::Validator::Proxy, context: context
  end

@@ -27,10 +28,42 @@ class Kamal::Configuration::Proxy
    proxy_config["hosts"] || proxy_config["host"]&.split(",") || []
  end

+  def custom_ssl_certificate?
+    ssl = proxy_config["ssl"]
+    return false unless ssl.is_a?(Hash)
+    ssl["certificate_pem"].present? && ssl["private_key_pem"].present?
+  end
+
+  def certificate_pem_content
+    ssl = proxy_config["ssl"]
+    return nil unless ssl.is_a?(Hash)
+    secrets[ssl["certificate_pem"]]
+  end
+
+  def private_key_pem_content
+    ssl = proxy_config["ssl"]
+    return nil unless ssl.is_a?(Hash)
+    secrets[ssl["private_key_pem"]]
+  end
+
+  def certificate_pem
+    tls_file_path("cert.pem")
+  end
+
+  def private_key_pem
+    tls_file_path("key.pem")
+  end
+
+  def tls_file_path(filename)
+    File.join(config.proxy_boot.tls_container_directory, filename) if custom_ssl_certificate?
+  end
+
  def deploy_options
    {
      host: hosts,
-      tls: proxy_config["ssl"].presence,
+      tls: ssl? ? true : nil,
+      "tls-certificate-path": certificate_pem,
+      "tls-private-key-path": private_key_pem,
      "deploy-timeout": seconds_duration(config.deploy_timeout),
      "drain-timeout": seconds_duration(config.drain_timeout),
      "health-check-interval": seconds_duration(proxy_config.dig("healthcheck", "interval")),
@@ -68,7 +101,7 @@ class Kamal::Configuration::Proxy
  end

  def merge(other)
-    self.class.new config: config, proxy_config: proxy_config.deep_merge(other.proxy_config)
+    self.class.new config: config, proxy_config: proxy_config.deep_merge(other.proxy_config), secrets: secrets
  end

  private
--- a/lib/kamal/configuration/proxy/boot.rb
+++ b/lib/kamal/configuration/proxy/boot.rb
@@ -100,6 +100,14 @@ class Kamal::Configuration::Proxy::Boot
    File.join app_container_directory, "error_pages"
  end

+  def tls_directory
+    File.join app_directory, "tls"
+  end
+
+  def tls_container_directory
+    File.join app_container_directory, "tls"
+  end
+
  private
    def ensure_valid_bind_ips(bind_ips)
      bind_ips.present? && bind_ips.each do |ip|
--- a/lib/kamal/configuration/role.rb
+++ b/lib/kamal/configuration/role.rb
@@ -150,8 +150,8 @@ class Kamal::Configuration::Role
  end

  def ensure_one_host_for_ssl
-    if running_proxy? && proxy.ssl? && hosts.size > 1
-      raise Kamal::ConfigurationError, "SSL is only supported on a single server, found #{hosts.size} servers for role #{name}"
+    if running_proxy? && proxy.ssl? && hosts.size > 1 && !proxy.custom_ssl_certificate?
+      raise Kamal::ConfigurationError, "SSL is only supported on a single server unless you provide custom certificates, found #{hosts.size} servers for role #{name}"
    end
  end

@@ -173,6 +173,7 @@ class Kamal::Configuration::Role
        @specialized_proxy = Kamal::Configuration::Proxy.new \
          config: config,
          proxy_config: proxy_config,
+          secrets: config.secrets,
          context: "servers/#{name}/proxy"
      end
    end
--- a/lib/kamal/configuration/validator.rb
+++ b/lib/kamal/configuration/validator.rb
@@ -24,7 +24,9 @@ class Kamal::Configuration::Validator
            example_value = example[key]

            if example_value == "..."
-              unless key.to_s == "proxy" && boolean?(value.class)
+              if key.to_s == "ssl"
+                validate_type! value, TrueClass, FalseClass, Hash
+              elsif key.to_s != "proxy" || !boolean?(value.class)
                validate_type! value, *(Array if key == :servers), Hash
              end
            elsif key == "hosts"
--- a/lib/kamal/configuration/validator/proxy.rb
+++ b/lib/kamal/configuration/validator/proxy.rb
@@ -10,6 +10,16 @@ class Kamal::Configuration::Validator::Proxy < Kamal::Configuration::Validator
      if (config.keys & [ "host", "hosts" ]).size > 1
        error "Specify one of 'host' or 'hosts', not both"
      end
+
+      if config["ssl"].is_a?(Hash)
+        if config["ssl"]["certificate_pem"].present? && config["ssl"]["private_key_pem"].blank?
+          error "Missing private_key_pem setting (required when certificate_pem is present)"
+        end
+
+        if config["ssl"]["private_key_pem"].present? && config["ssl"]["certificate_pem"].blank?
+          error "Missing certificate_pem setting (required when private_key_pem is present)"
+        end
+      end
    end
  end
 end