Add env var JS_TRUSTED_CERT_PATH

The JS_TRUSTED_CERT_PATH setting will now allow you to
set the path for the js_fetch_trusted_certificate
directive as used when retrieving AWS credentials.

Signed-off-by: Elijah Zupancic <[email protected]>

Author: dekobon

Dockerfile.buildkit.plus

@@ -11,7 +11,8 @@ COPY plus/usr /usr
 # startup is the same.
 # Source: https://github.com/nginxinc/docker-nginx/tree/1.19.2/stable/buster
 COPY common/docker-entrypoint.sh /docker-entrypoint.sh
-COPY plus/docker-entrypoint.d /docker-entrypoint.d
+COPY common/docker-entrypoint.d /docker-entrypoint.d/
+COPY plus/docker-entrypoint.d /docker-entrypoint.d/
 # Add NGINX Plus package repository keyring
 COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg
 

Dockerfile.oss

@@ -17,7 +17,7 @@ ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
 
 COPY common/etc /etc
 COPY common/docker-entrypoint.sh /docker-entrypoint.sh
-COPY common/docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/00-check-for-required-env.sh
+COPY common/docker-entrypoint.d /docker-entrypoint.d/
 COPY oss/etc /etc
 
 RUN set -eux \

Dockerfile.plus

@@ -14,9 +14,9 @@ COPY plus/usr /usr
 
 # Copy files from the OSS NGINX Docker container such that the container
 # startup is the same.
-# Source: https://github.com/nginxinc/docker-nginx/tree/1.19.2/stable/buster
 COPY common/docker-entrypoint.sh /docker-entrypoint.sh
-COPY plus/docker-entrypoint.d /docker-entrypoint.d
+COPY common/docker-entrypoint.d /docker-entrypoint.d/
+COPY plus/docker-entrypoint.d /docker-entrypoint.d/
 # Add NGINX Plus package repository keyring
 COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg
 

common/docker-entrypoint.d/00-check-for-required-env.sh

@@ -0,0 +1,22 @@
+#
+#  Copyright 2022 F5 Networks
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+set -e
+
+if [ -f /etc/nginx/conf.d/gateway/js_fetch_trusted_certificate.conf ] && [ -n "${JS_TRUSTED_CERT_PATH+x}" ]; then
+  echo "js_fetch_trusted_certificate ${JS_TRUSTED_CERT_PATH};" >> /etc/nginx/conf.d/gateway/js_fetch_trusted_certificate.conf
+  echo "Enabling js_fetch_trusted_certificate ${JS_TRUSTED_CERT_PATH}"
+fi

common/docker-entrypoint.d/22-enable_js_fetch_trusted_certificate.sh

@@ -77,9 +77,8 @@ server {
     location /aws/credentials/retrieve {
         internal;
         js_content s3gateway.fetchCredentials;
-        
-        # Enable the below line if you are seeing SSL Handshake error while connecing to s3 bucket
-        # js_fetch_trusted_certificate /etc/ssl/certs/Amazon_Root_CA_1.pem;
+
+        include /etc/nginx/conf.d/gateway/js_fetch_trusted_certificate.conf;
     }
 
     location @s3 {
@@ -172,7 +171,7 @@ server {
     }
 
     location @trailslashControl {
-        # Checks if requesting a folder without trailing slash, and return 302 
+        # Checks if requesting a folder without trailing slash, and return 302
         # appending a slash to it when using for static site hosting.
         js_content s3gateway.trailslashControl;
     }

common/etc/nginx/templates/default.conf.template

@@ -0,0 +1,3 @@
+# Enable js_fetch_trusted_certificate if you are seeing SSL Handshake error when connecing to S3
+# The following often works for connecting to AWS services:
+# js_fetch_trusted_certificate /etc/ssl/certs/Amazon_Root_CA_1.pem;

common/etc/nginx/templates/gateway/js_fetch_trusted_certificate.conf.template

@@ -36,6 +36,7 @@ running as a Container or as a Systemd service.
 * `PROXY_CACHE_VALID_OK` - Sets caching time for response code 200 and 302
 * `PROXY_CACHE_VALID_NOTFOUND` - Sets caching time for response code 404
 * `PROXY_CACHE_VALID_FORBIDDEN` - Sets caching time for response code 403
+* `JS_TRUSTED_CERT_PATH` - (optional) Enables the `js_fetch_trusted_certificate` directive when retrieving AWS credentials and sets the path (on the container) to the specified path 
 
 If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html),
 you will need to omit the `S3_ACCESS_KEY_ID` and `S3_SECRET_KEY` variables from