MCP-70 Let users pass certificates to the docker container

Author: nquinquenel

Dockerfile

@@ -29,18 +29,22 @@ ENV PATH="${JAVA_HOME}/bin:${PATH}"
 
 COPY --from=builder /optimized-jdk-21 $JAVA_HOME
 
-RUN apk add --no-cache nodejs=~22 npm
-
-WORKDIR /app
-
-RUN addgroup -S appgroup && adduser -S appuser -G appgroup && \
-    mkdir -p /home/appuser/.sonarlint ./storage && \
-    chown -R appuser:appgroup /home/appuser ./storage
+RUN apk add --no-cache \
+        ca-certificates \
+        nodejs=~22 \
+        npm \
+        sudo && \
+        addgroup -S appgroup && adduser -S appuser -G appgroup && \
+        mkdir -p /home/appuser/.sonarlint ./storage && \
+        chown -R appuser:appgroup /home/appuser ./storage && \
+        echo "appuser ALL=(ALL) NOPASSWD: /usr/sbin/update-ca-certificates" > /etc/sudoers.d/appuser && \
+        chmod 0440 /etc/sudoers.d/appuser
 
 COPY --from=builder --chown=appuser:appgroup --chmod=755 /app/sonarqube-mcp-server.jar /app/sonarqube-mcp-server.jar
+COPY --chown=appuser:appgroup --chmod=755 scripts/install-certificates.sh /usr/local/bin/install-certificates
 
 USER appuser
-
+WORKDIR /app
 ENV STORAGE_PATH=./storage
 
-ENTRYPOINT ["java", "-jar", "/app/sonarqube-mcp-server.jar"]
+ENTRYPOINT ["/bin/sh", "-c", "/usr/local/bin/install-certificates && exec java -jar /app/sonarqube-mcp-server.jar"]

README.md

@@ -169,6 +169,55 @@ To enable full functionality, the following environment variables must be set be
 | `SONARQUBE_TOKEN`     | Your SonarQube Server **USER** [token](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/#generating-a-token) |
 | `SONARQUBE_URL`       | Your SonarQube Server URL                                                                                                                   |
 
+### Custom Certificates
+
+If your SonarQube Server uses a self-signed certificate or a certificate from a private Certificate Authority (CA), you can add custom certificates to the Docker container that will automatically be installed.
+
+#### Using Docker Volume Mount
+
+Mount a directory containing your certificates when running the container:
+
+```bash
+docker run -i --rm \
+  -v /path/to/your/certificates/:/usr/local/share/ca-certificates/:ro \
+  -e SONARQUBE_TOKEN="<token>" \
+  -e SONARQUBE_URL="<url>" \
+  mcp/sonarqube
+```
+
+#### Supported Certificate Formats
+
+The container supports the following certificate formats:
+- `.crt` files (PEM or DER encoded)
+- `.pem` files (PEM encoded)
+
+#### MCP Configuration with Certificates
+
+When using custom certificates, you can modify your MCP configuration to mount the certificates:
+
+```JSON
+{
+  "sonarqube": {
+    "command": "docker",
+    "args": [
+      "run",
+      "-i",
+      "--rm",
+      "-v",
+      "/path/to/your/certificates/:/usr/local/share/ca-certificates/:ro",
+      "-e",
+      "SONARQUBE_TOKEN",
+      "-e",
+      "SONARQUBE_URL",
+      "mcp/sonarqube"
+    ],
+    "env": {
+      "SONARQUBE_TOKEN": "<token>",
+      "SONARQUBE_URL": "<url>"
+    }
+  }
+}
+```
 
 ## Tools
 

scripts/install-certificates.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Certificate installation script for SonarQube MCP Server
+
+CERT_DIR="/usr/local/share/ca-certificates/"
+
+if [ "$(ls -A "$CERT_DIR")" ]; then
+    echo "Installing custom certificates from $CERT_DIR..."
+
+    # Run as root via sudo
+    sudo /usr/sbin/update-ca-certificates
+
+    echo "Custom certificates installed successfully"
+fi