
Added support for custom SSL certificate #969

Open
wants to merge 2 commits into base: main

Conversation

@kpumuk (Contributor) commented Sep 24, 2024

Following the change in kamal-proxy, this MR introduces a configuration option to load a custom SSL certificate and the corresponding private key from disk:

proxy:
  ssl: true
  ssl_certificate_path: /data/cert/foo.example.com/fullchain.pem
  ssl_private_key_path: /data/cert/foo.example.com/privkey.pem

Documentation preview: [image]

@yogeshjain999

I'm a newbie to kamal (and docker) and was wondering what's the recommended way to get those custom PEM files on the server.

Copy using kamal+Dockerfile or do it manually? Maybe a better alternative would be to load the values via ENV variables (given kamal-proxy could support it)?

@kpumuk (Contributor, Author) commented Sep 30, 2024

I'm a newbie to kamal (and docker) and was wondering what's the recommended way to get those custom PEM files on the server.

The easiest way would be to use pre-proxy-reboot. For example, if you use 1Password to manage secrets:

  1. Put both cert.pem and key.pem under the item you use for secrets
  2. Create .kamal/hooks/pre-proxy-reboot:
    #!/bin/bash
    # bash (not sh) is required for pipefail and for the ${KAMAL_HOSTS//,/ } expansion below
    set -euo pipefail

    # Pull the PEM files from 1Password at deploy time; they never need to live in the repo
    KAMAL_PROXY_TLS_CERT=$(op read "op://Private/Kamal Demo/cert.pem")
    KAMAL_PROXY_TLS_PRIVATE_KEY=$(op read "op://Private/Kamal Demo/key.pem")

    # KAMAL_HOSTS (comma-separated) and KAMAL_SERVICE are set by Kamal for every hook.
    # The heredoc body and the EOF line must be indented with tabs: <<- strips leading tabs only.
    # Single quotes keep the remote shell from expanding anything inside the PEM text.
    # The directory must match the host side of the volume in config/deploy.yml (certs, not tls).
    # key.pem gets the default umask; tighten it only if the kamal-proxy user can still read it.
    for ip in ${KAMAL_HOSTS//,/ }; do
      ssh -q -T -o BatchMode=yes ubuntu@"${ip}" bash --noprofile <<-EOF
        mkdir -p .kamal/apps/${KAMAL_SERVICE}/certs
        echo '${KAMAL_PROXY_TLS_CERT}' > .kamal/apps/${KAMAL_SERVICE}/certs/cert.pem
        echo '${KAMAL_PROXY_TLS_PRIVATE_KEY}' > .kamal/apps/${KAMAL_SERVICE}/certs/key.pem
    EOF
    done
  3. Edit config/deploy.yml to mount TLS certificates to Kamal's image and then enable them:
    proxy:
      ssl: true
      host: app.example.com
      ssl_certificate_path: /home/kamal-proxy/.config/certs/cert.pem
      ssl_private_key_path: /home/kamal-proxy/.config/certs/key.pem
      volumes:
        - "/home/ubuntu/.kamal/apps/demo/certs:/home/kamal-proxy/.config/certs"
  4. Run kamal proxy reboot to deploy

Copy using kamal+Dockerfile or do it manually? Maybe a better alternative would be to load the values via ENV variables (given kamal-proxy could support it)?

kamal-proxy does not support environment variables.

TODO: Add volumes support to proxy.
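As an added example (not part of this PR or of Kamal itself), a bash check that can run in the same pre-proxy-reboot hook before the files are copied: it confirms that the certificate and private key belong together and that the configured host is covered by the certificate's subjectAltName, including one-label wildcards. It assumes the openssl CLI is installed; the certificate path, key path and host name are passed as arguments.

```bash
#!/bin/bash
# Added example (not part of this PR or of Kamal): validate the custom cert/key pair
# before `kamal proxy reboot`. Assumes the openssl CLI; CERT, KEY and HOST are arguments.
set -euo pipefail

# Succeeds when the public key embedded in CERT equals the public key derived from KEY.
cert_matches_key() {
  local cert="$1" key="$2"
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Succeeds when HOST is listed in CERT's subjectAltName, exactly or through a
# one-label wildcard (*.example.com covers app.example.com but not a.b.example.com).
cert_covers_host() {
  local cert="$1" host="$2" san name
  san=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p' || true)
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    [ "$name" = "$host" ] && return 0
    case "$name" in
      \*.*)
        # the host must have exactly one label in front of the wildcard's suffix
        if [ "${host#*.}" = "${name#\*.}" ] && [ "${host%%.*}" != "$host" ]; then
          return 0
        fi ;;
    esac
  done <<< "$san"
  return 1
}

# Runs both checks; non-zero on the first failure so the hook aborts the reboot.
check_tls_files() {
  local cert="$1" key="$2" host="$3"
  cert_matches_key "$cert" "$key" || { echo "FAIL: $key does not match $cert" >&2; return 1; }
  cert_covers_host "$cert" "$host" || { echo "FAIL: $cert does not cover $host" >&2; return 1; }
  echo "OK: $cert matches $key and covers $host"
}

# Stand-alone use: ./check_tls.sh fullchain.pem privkey.pem app.example.com
if [ "$#" -eq 3 ]; then
  check_tls_files "$@"
fi
```

Because the hook runs with `set -e`, a failing `check_tls_files` stops the deploy before a mismatched or wrong-host certificate reaches kamal-proxy.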

@yogeshjain999

Cool, setting it up via pre-proxy-reboot sounds like a good approach. Thanks!!

@kpumuk (Contributor, Author) commented Oct 2, 2024

@djmb to follow up on the thread in kamal-proxy, here is the documentation update + support for the recent custom TLS cert changes.

@agu-z commented Oct 9, 2024

Is it possible to specify a client certificate too? I need this in order to enable CloudFlare's Authenticated Origin Pulls.

@mtmckenna

With this change, would it be possible to remove the ensure_one_host_for_ssl requirement when providing a cert and key?

Context: I'm looking for a way to have end-to-end in-transit encryption in a regulated environment that requires TLS between the load balancer and server node. I'd also like to be able to use multiple app servers.

By providing my own cert to kamal-proxy, I was thinking I should be able to have the load balancer terminate SSL and then re-encrypt the traffic to kamal-proxy, which would use my supplied cert. wdyt?

Thank you!

@kpumuk (Contributor, Author) commented Oct 14, 2024

By providing my own cert to kamal-proxy, I was thinking I should be able to have the load balancer terminate SSL and then re-encrypt the traffic to kamal-proxy, which would use my supplied cert. wdyt?

Yep, that's exactly how it would work with custom certificates, and it removes the limitation of one host behind the load balancer.

@mtmckenna

Yep, that's exactly how it would work with custom certificates, and it removes the limitation of one host behind the load balancer.

That's great! Would ensure_one_host_for_ssl be updated in a separate PR?

def ensure_one_host_for_ssl

Thank you!

@kpumuk (Contributor, Author) commented Oct 14, 2024

That's great! Would ensure_one_host_for_ssl be updated in a separate PR?

Great catch, I missed this change in the upstream :-) Added a commit to this MR.

@qinmingyuan commented Oct 17, 2024

I have used it with a wildcard domain and multiple hosts, works fine. Please merge this PR.
