Support for enabling SSL on ghost database with or without SSL CA file (#121)

Signed-off-by: Mario Faundez <mariofaundez@hotmail.com>
2022-02-14 06:52:04 -03:00 · 2022-02-14 06:52:04 -03:00 · 9710e00278
parent a4802c1a0e
commit 9710e00278
3 changed files with 43 additions and 18 deletions
--- a/bitnami/ghost/4/debian-10/rootfs/opt/bitnami/scripts/ghost-env.sh
+++ b/bitnami/ghost/4/debian-10/rootfs/opt/bitnami/scripts/ghost-env.sh
@ -42,6 +42,8 @@ ghost_env_vars=(
    GHOST_DATABASE_NAME
    GHOST_DATABASE_USER
    GHOST_DATABASE_PASSWORD
+    GHOST_DATABASE_ENABLE_SSL
+    GHOST_DATABASE_SSL_CA_FILE
    BLOG_TITLE
    SMTP_HOST
    SMTP_PORT
@ -125,5 +127,7 @@ GHOST_DATABASE_USER="${GHOST_DATABASE_USER:-"${MARIADB_DATABASE_USER:-}"}"
 export GHOST_DATABASE_USER="${GHOST_DATABASE_USER:-bn_ghost}" # only used during the first initialization
 GHOST_DATABASE_PASSWORD="${GHOST_DATABASE_PASSWORD:-"${MARIADB_DATABASE_PASSWORD:-}"}"
 export GHOST_DATABASE_PASSWORD="${GHOST_DATABASE_PASSWORD:-}" # only used during the first initialization
+export GHOST_DATABASE_ENABLE_SSL="${GHOST_DATABASE_ENABLE_SSL:-no}" # only used during the first initialization
+export GHOST_DATABASE_SSL_CA_FILE="${GHOST_DATABASE_SSL_CA_FILE:-}" # only used during the first initialization

 # Custom environment variables may be defined below
--- a/bitnami/ghost/4/debian-10/rootfs/opt/bitnami/scripts/libghost.sh
+++ b/bitnami/ghost/4/debian-10/rootfs/opt/bitnami/scripts/libghost.sh
@ -147,6 +147,9 @@ ghost_validate() {
    ! is_empty_value "$GHOST_DATABASE_HOST" && check_resolved_hostname "$GHOST_DATABASE_HOST"
    ! is_empty_value "$GHOST_DATABASE_PORT_NUMBER" && check_valid_port "GHOST_DATABASE_PORT_NUMBER"

+    # Validate SSL configuration
+    ! is_empty_value "$GHOST_DATABASE_ENABLE_SSL" && check_yes_no_value "GHOST_DATABASE_ENABLE_SSL"
+
    # Validate credentials
    check_empty_value "GHOST_PASSWORD"
    # ref: https://github.com/TryGhost/Ghost/issues/9150
@ -179,7 +182,7 @@ ghost_validate() {
 # Arguments:
 #   $1 - Variable name
 #   $2 - Value to assign to the variable
-#   $3 - YAML type (string, int or bool)
+#   $3 - YAML type (string, int, bool or json)
 # Returns:
 #   None
 #########################
@ -191,13 +194,16 @@ ghost_conf_set() {

    case "$type" in
    string)
-        jq "(.${key}) |= \"${value}\"" "$GHOST_CONF_FILE" >"$tempfile"
+        jq "(.${key}) |= \"${value}\"" "$GHOST_CONF_FILE" > "$tempfile"
        ;;
    int)
-        jq "(.${key}) |= (${value} | tonumber)" "$GHOST_CONF_FILE" >"$tempfile"
+        jq "(.${key}) |= (${value} | tonumber)" "$GHOST_CONF_FILE" > "$tempfile"
        ;;
    bool)
-        jq "(.${key}) |= (\"${value}\" | test(\"true\"))" "$GHOST_CONF_FILE" >"$tempfile"
+        jq "(.${key}) |= (\"${value}\" | test(\"true\"))" "$GHOST_CONF_FILE" > "$tempfile"
+        ;;
+    json)
+        jq "(.${key}) |= ${value}" "$GHOST_CONF_FILE" > "$tempfile"
        ;;
    *)
        error "Type unknown: ${type}"
@ -246,20 +252,33 @@ ghost_initialize() {
        ghost_wait_for_mysql_connection "$GHOST_DATABASE_HOST" "$GHOST_DATABASE_PORT_NUMBER" "$GHOST_DATABASE_NAME" "$GHOST_DATABASE_USER" "$GHOST_DATABASE_PASSWORD"
        # Configure database
        info "Configuring database"
-        jq '.' >"$GHOST_CONF_FILE" <<EOF
-{
-  "database": {
-    "client": "mysql",
-    "connection": {
-      "host": "${GHOST_DATABASE_HOST}",
-      "port": ${GHOST_DATABASE_PORT_NUMBER},
-      "database": "${GHOST_DATABASE_NAME}",
-      "user": "${GHOST_DATABASE_USER}",
-      "password": "${GHOST_DATABASE_PASSWORD}"
-    }
-  }
-}
-EOF
+        jq -n -r \
+            --arg host "$GHOST_DATABASE_HOST" \
+            --arg port "$GHOST_DATABASE_PORT_NUMBER" \
+            --arg database "$GHOST_DATABASE_NAME" \
+            --arg user "$GHOST_DATABASE_USER" \
+            --arg password "$GHOST_DATABASE_PASSWORD" \
+            '{
+              "database": {
+                "client": "mysql",
+                "connection": {
+                  host: $host,
+                  port: $port|tonumber,
+                  database: $database,
+                  user: $user,
+                  password: $password,
+                  ssl: false
+                }
+              }
+            }' > "$GHOST_CONF_FILE"
+
+        if ! is_empty_value "$GHOST_DATABASE_SSL_CA_FILE"; then
+            ca_json="{\"ca\": \"$(cat "${GHOST_DATABASE_SSL_CA_FILE}")\"}"
+            ghost_conf_set "database.connection.ssl" "$ca_json" "json"
+        elif is_boolean_yes "$GHOST_DATABASE_ENABLE_SSL"; then
+            ghost_conf_set "database.connection.ssl" true "bool"
+        fi
+
        am_i_root && chown "${GHOST_DAEMON_USER}:root" "$GHOST_CONF_FILE"
        if ! is_boolean_yes "$GHOST_SKIP_BOOTSTRAP"; then
            # Setup Ghost
--- a/bitnami/ghost/README.md
+++ b/bitnami/ghost/README.md
@ -241,6 +241,8 @@ Available environment variables:
 - `GHOST_DATABASE_NAME`: Database name that Ghost will use to connect with the database. Default: **bitnami_ghost**
 - `GHOST_DATABASE_USER`: Database user that Ghost will use to connect with the database. Default: **bn_ghost**
 - `GHOST_DATABASE_PASSWORD`: Database password that Ghost will use to connect with the database. No default.
+- `GHOST_DATABASE_ENABLE_SSL`: It can be used to enable database SSL configuration. Default: **no**
+- `GHOST_DATABASE_SSL_CA_FILE`: Path to the database SSL CA file. No default.
 - `ALLOW_EMPTY_PASSWORD`: It can be used to allow blank passwords. Default: **no**

 ##### Create a database for Ghost using mysql-client