feat: support custom CA certificates for all containers#4216
Changelog Preview
This is how your changes will appear in the changelog.
New Features ✨
Internal Changes 🔧
Deps
This preview updates automatically when you update the PR.
docker-compose.yml (outdated)

    <<: [*restart_policy, *pull_policy]
    image: "symbolicator-self-hosted-local"
    build:
      context: ./local-image
Wrong build context breaks certificate COPY for five services
High Severity
The Dockerfile's COPY ./certificates/*.crt is relative to the build context. Snuba correctly uses context: . (repo root) with dockerfile: ./local-image/Dockerfile, so it finds ./certificates/. However, symbolicator, relay, taskbroker, vroom, and uptime-checker all use context: ./local-image, causing Docker to look for ./local-image/certificates/ — a directory that doesn't exist. These five builds will fail (or silently produce images without the custom CA certs).
docker-compose.yml (outdated)

    <<: [*restart_policy, *pull_policy]
    image: "symbolicator-self-hosted-local"
    build:
      context: ./local-image
Bug: The COPY ./certificates/* command will cause Docker builds to fail because the certificates directory is empty by default and has an incorrect build context for several services.
Severity: CRITICAL
Suggested Fix
Modify the local-image/Dockerfile to handle cases where the certificates directory is empty. Instead of using COPY ./certificates/*, which fails on no matches, consider copying the directory itself and then handling the contents within the container's entrypoint script. For example, use COPY certificates/ /usr/local/share/ca-certificates/ and then in the entrypoint, check if the directory contains .crt files before running update-ca-certificates. Additionally, correct the build context for the affected services in docker-compose.yml to be ".".
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: docker-compose.yml#L481
Potential issue: The Docker build process will fail for multiple services due to the
`COPY ./certificates/*` instruction in `local-image/Dockerfile`. This failure is caused
by two issues. First, the `COPY` command with a glob pattern (`*`) fails when the source
directory (`./certificates/`) is empty, which is the default state for users who have
not added custom certificates. Second, several services (`symbolicator`, `relay`,
`taskbroker`, `vroom`, `uptime-checker`) are configured in `docker-compose.yml` with a
build `context` of `./local-image`. This prevents them from accessing the `certificates`
directory at the repository root, causing the build to fail. As a result, the system
will fail to start in the default configuration.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
local-image/Dockerfile (outdated)

        && rm -rf /var/lib/apt/lists/*

    # Put your custom certs here as *.crt (PEM). You can keep your repo folder name.
    COPY ./certificates/* /usr/local/share/ca-certificates/
COPY glob fails when no custom certificates exist
High Severity
COPY ./certificates/* /usr/local/share/ca-certificates/ will fail when no custom CA certificates have been added. The certificates/ directory only contains .gitignore by default, and .dockerignore excludes that file from the build context. This leaves the glob matching zero files, causing Docker to error out. Since all services now build through this Dockerfile, a fresh default installation without custom CAs will fail at the build step. The existing cron/entrypoint.sh handles this correctly by checking if files exist first.
@sentry review


Closes #4193
Summary
This PR adds support for custom CA certificates for non-Sentry services without rebuilding images.
Instead of baking certs into locally rebuilt images, we now generate trust-store overlays on the host (from ./certificates/*.crt) and instruct users to mount those generated /etc/ssl/certs paths via docker-compose.override.yml.

What Changed
- SETUP_CUSTOM_CA_CERTIFICATE=1
- install/setup-custom-ca-certificate.sh
- openssl availability
- ./certificates/*.crt
- (relay, symbolicator, snuba, vroom, taskbroker, uptime-checker):
- /etc/ssl/certs from the image
- openssl rehash
- docker-compose.override.yml snippet
- (DEBUG=1)
- install.sh
- .env
- .gitignore (certificates/.generated/)
- _unit-test/setup-custom-ca-certificate-test.sh
- pull_policy: never could skip compose pulls:
- _unit-test/bootstrap-s3-profiles-test.sh
- install/ensure-relay-credentials.sh

Behavior / UX
- SETUP_CUSTOM_CA_CERTIFICATE=1 is set.
- *.crt files are present, the script logs and returns cleanly.
- openssl, it fails early with actionable output.

Files in Scope
- .env
- .gitignore
- _unit-test/bootstrap-s3-profiles-test.sh
- _unit-test/setup-custom-ca-certificate-test.sh
- docker-compose.yml
- install.sh
- install/ensure-relay-credentials.sh
- install/setup-custom-ca-certificate.sh
- install/update-docker-images.sh
- .dockerignore

Validation
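The host-side overlay approach the summary describes, written out as an added example (this is not the PR's install/setup-custom-ca-certificate.sh and not code from the self-hosted repository). It assumes function names of its own (generate_ca_overlay, count_crt_files, print_override_snippet), an OUT_DIR layout chosen for the example, and an optional BASE_DIR holding a host-side copy of an image's /etc/ssl/certs; the PR itself pulls that directory out of the image, which is not reproduced here. It handles the two edge cases the summary calls out: no *.crt files present (log and return 0) and openssl missing (fail early), and additionally rejects files that are not PEM X.509 certificates before they reach the trust store.

```shell
#!/bin/sh
# Added example, not the project's script. Builds a CA trust-store overlay on the
# host from SRC_DIR/*.crt so it can be bind-mounted over /etc/ssl/certs in containers.
# Assumed names: generate_ca_overlay, count_crt_files, print_override_snippet, BASE_DIR.
set -u

log() { printf '%s\n' "$*" >&2; }

# Count *.crt files in a directory without relying on a nullglob shell option.
count_crt_files() {
  dir=$1
  n=0
  for f in "$dir"/*.crt; do
    if [ -f "$f" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# generate_ca_overlay SRC_DIR OUT_DIR [BASE_DIR]
#   SRC_DIR  - directory holding custom CA certs as PEM *.crt files
#   OUT_DIR  - overlay directory to mount over /etc/ssl/certs in containers
#   BASE_DIR - optional host copy of an image's /etc/ssl/certs (assumption of this
#              example) so the overlay keeps the public roots the image shipped with
# Returns 0 with a log line when there is nothing to do, 1 when openssl is missing.
generate_ca_overlay() {
  src=$1
  out=$2
  base=${3:-}

  if [ "$(count_crt_files "$src")" -eq 0 ]; then
    log "No *.crt files in $src; skipping custom CA overlay"
    return 0
  fi

  if ! command -v openssl >/dev/null 2>&1; then
    log "openssl is required to rehash the trust store but was not found in PATH"
    return 1
  fi

  mkdir -p "$out"
  # A volume mount replaces the whole directory, so seed it with the image's own
  # CAs; otherwise every public TLS endpoint becomes untrusted inside the container.
  if [ -n "$base" ] && [ -d "$base" ]; then
    cp -RL "$base"/. "$out"/
  fi

  for f in "$src"/*.crt; do
    [ -f "$f" ] || continue
    # Only PEM X.509 certificates belong in a trust store; skip anything else.
    if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
      log "Skipping $f: not a PEM X.509 certificate"
      continue
    fi
    cp "$f" "$out"/
  done

  # Create the <subject-hash>.N symlinks that OpenSSL-based clients use for lookup.
  openssl rehash "$out" >/dev/null 2>&1
}

# print_override_snippet OUT_DIR SERVICE...
# Emit a docker-compose.override.yml fragment that mounts the overlay read-only.
print_override_snippet() {
  out=$1
  shift
  printf 'services:\n'
  for svc in "$@"; do
    printf '  %s:\n    volumes:\n      - %s:/etc/ssl/certs:ro\n' "$svc" "$out"
  done
}
```

Running `generate_ca_overlay ./certificates ./certificates/.generated/ssl-certs` followed by `print_override_snippet ./certificates/.generated/ssl-certs relay symbolicator snuba` produces a mountable directory and the override fragment for those services. The read-only mount and the seeding step are the two choices that matter: mounting over /etc/ssl/certs hides whatever the image had there, so the overlay must carry the image's bundled roots as well as the custom ones, and nothing in the container should be able to write to the trust store.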