@melinoix melinoix commented Nov 5, 2025

Added a custom CA certificate script in config/init-custom-ca-certificates.sh and enterprise/config/init-custom-ca-certificates.sh to explain to the user how the mailer can work while having a local CA certificate.

GitBook extract that is currently in review by @Mohamed-Hacene:

Automatically add your local CA certificate
An issue you may encounter when setting up your mailer is that your local CA certificates might not be included inside your Docker container. This could cause problems when sending emails.
To address this, we provide a script located at config/init-custom-ca-certificates.sh and enterprise/config/init-custom-ca-certificates.sh.
You need to use this script with your Docker Compose setup by adding the following lines to the huey service:
This environment variable:

  • CUSTOM_CA_CERT_PATH=/usr/local/share/ca-certificates/root_CA.crt

These volumes (replace /your/ca-certificate/path/example_CA.crt with the path and the name of your CA certificate):

  • /your/ca-certificate/path/example_CA.crt:/usr/local/share/ca-certificates/root_CA.crt:ro
  • ./config/init-custom-ca-certificates.sh:/docker-entrypoint-init.d/init-custom-ca-certificates.sh:ro

This entrypoint:

    entrypoint:
      - /bin/sh
      - -c
      - |
        /docker-entrypoint-init.d/init-custom-ca-certificates.sh &&
        poetry run python manage.py run_huey -w 2 --scheduler-interval 60

Summary by CodeRabbit

  • Chores
    • Added custom CA certificate support for container deployments. The system now automatically detects and installs custom CA certificates during startup when configured, enabling secure communication in environments requiring certificate authority validation.

coderabbitai bot commented Nov 5, 2025

Walkthrough

Two identical shell scripts are introduced for container initialization that handle custom CA certificate setup. Each script enables strict mode, reads the CUSTOM_CA_CERT_PATH environment variable, logs certificate status, conditionally updates system certificates, and executes a provided command.

Changes

Cohort / File(s) | Summary
Container initialization scripts for custom CA certificates (config/init-custom-ca-certificates.sh, enterprise/config/init-custom-ca-certificates.sh) | New shell scripts that initialize custom CA certificates during container startup. Enable strict error handling, read CUSTOM_CA_CERT_PATH environment variable, conditionally execute update-ca-certificates if certificate file exists, and pass through provided command execution.

Sequence Diagram

sequenceDiagram
    participant Container as Container Startup
    participant Script as init-custom-ca-certificates.sh
    participant System as System CA Store
    participant Command as Provided Command

    Container->>Script: Execute with environment & args
    Script->>Script: Enable strict mode (set -e)
    Script->>Script: Read CUSTOM_CA_CERT_PATH → CERT_PATH
    Script->>Script: Log: "Initializing custom CA certificates..."
    
    alt CERT_PATH is set and file exists
        Script->>System: Call update-ca-certificates
        System-->>Script: Certificate updated
        Script->>Script: Log: Certificate path
    else Certificate not found or path empty
        Script->>Script: Log: "No custom CA certificate found"
    end
    
    Script->>Command: exec "$@"
    Command-->>Container: Execute user command

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Both scripts are nearly identical with straightforward conditional logic
  • Simple environment variable handling and standard shell commands
  • Minimal branching logic (basic if/else on file existence)
  • No complex state management or error scenarios beyond standard shell practices

Poem

🐰 A rabbit hops through containers with care,
Certificates packaged beyond compare,
Custom CA paths in the startup flow,
Update-ca runs where they need to go,
Commands execute, the system stands tall,
Security certificates covering all! 🏰

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and specifically describes the main change: introducing a custom CA certificate initialization script.
Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
enterprise/config/init-custom-ca-certificates.sh (1)

7-9: Verify expected behavior when update-ca-certificates fails.

(See same concern raised in config/init-custom-ca-certificates.sh – applies equally here.)

If update-ca-certificates fails (line 9), the set -e on line 1 will exit the script, preventing the service from starting (line 14 never executes). Confirm whether this is the intended behavior.

🧹 Nitpick comments (1)
enterprise/config/init-custom-ca-certificates.sh (1)

1-14: Consolidate duplicate scripts to reduce maintenance burden.

This script is identical to config/init-custom-ca-certificates.sh. Maintaining two copies violates the DRY principle and creates a burden for future changes.

Consider one of these approaches:

  1. Use a symlink (if both paths need to reference the same file):

    ln -s ../config/init-custom-ca-certificates.sh enterprise/config/init-custom-ca-certificates.sh
  2. Move to shared location and update Docker Compose configurations to reference a single canonical copy.

  3. Use Docker COPY with context to include only one script copy in images.

If the enterprise and community versions must genuinely differ in the future, document this intentionally and add comments explaining why they diverge.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between df8a657 and 145afcb.

📒 Files selected for processing (2)
  • config/init-custom-ca-certificates.sh (1 hunks)
  • enterprise/config/init-custom-ca-certificates.sh (1 hunks)
🔇 Additional comments (3)
config/init-custom-ca-certificates.sh (3)

1-3: Proper initialization and error handling setup.

Strict mode and environment variable handling are appropriate for this initialization script.


7-9: Verify expected behavior when update-ca-certificates fails.

The conditional logic is sound, but if update-ca-certificates fails (line 9), the set -e on line 1 will exit the script, preventing the service from starting (line 14 never executes). Confirm whether this is the intended behavior—should certificate update failure halt the container startup, or should the service proceed despite the failure?


14-14: Proper shell replacement with exec.

Using exec "$@" correctly replaces the shell process with the provided command, enabling proper signal handling and process inheritance.
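
Added example (not the PR's script, whose source is not shown on this page): one way to make the failure policy raised in the review explicit, and to treat a CUSTOM_CA_CERT_PATH that is set but unusable differently from one that is unset. CA_UPDATE_CMD and CA_INIT_FAIL_OPEN are hypothetical variables introduced here so the updater can be stubbed and the policy chosen.

```shell
#!/bin/sh
# Added example, not the project's script. CA_UPDATE_CMD and CA_INIT_FAIL_OPEN
# are hypothetical variables introduced for this illustration.

# Returns 0 if no CA is configured or it was installed, 1 if the configured
# file is unusable, 2 if the trust-store update itself failed.
init_custom_ca() {
    cert_path="${CUSTOM_CA_CERT_PATH:-}"
    updater="${CA_UPDATE_CMD:-update-ca-certificates}"

    if [ -z "$cert_path" ]; then
        echo "No custom CA certificate configured" >&2
        return 0
    fi
    # A path that is set but unreadable is a misconfiguration (for example a
    # wrong volume mount), not the same case as "no custom CA requested".
    if [ ! -r "$cert_path" ] || [ ! -f "$cert_path" ]; then
        echo "CUSTOM_CA_CERT_PATH=$cert_path is not a readable file" >&2
        return 1
    fi
    # Cheap sanity check: the mounted file must contain a PEM certificate.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert_path"; then
        echo "$cert_path does not look like a PEM certificate" >&2
        return 1
    fi
    # Testing the updater inside `if` keeps `set -e` from aborting here, so
    # the failure policy is decided by the caller rather than by accident.
    if ! "$updater" >&2; then
        echo "Trust store update failed" >&2
        return 2
    fi
    echo "Custom CA certificate installed from $cert_path" >&2
}

# Fail closed by default; CA_INIT_FAIL_OPEN=1 starts the service anyway.
run_entrypoint() {
    if ! init_custom_ca; then
        [ "${CA_INIT_FAIL_OPEN:-0}" = "1" ] || return 1
        echo "Continuing without the custom CA" >&2
    fi
    exec "$@"   # replace the shell so the service receives signals directly
}

# Act as an entrypoint only when a command was passed.
if [ "$#" -gt 0 ]; then
    run_entrypoint "$@" || exit 1
fi
```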
