From 50e255c8fccf8c9da7940133f2b0f26bc28b66f1 Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Thu, 16 Jan 2025 12:08:25 +0100
Subject: [PATCH 1/2] Add possibility to manage certificate_allowlist fixes #88
Signed-off-by: Martin Alfke
---
 README.md | 1 +
 puppetdb/Dockerfile | 1 +
 puppetdb/conf.d/puppetdb.conf | 1 +
 .../docker-entrypoint.d/30-certificate-allowlist.sh | 11 +++++++++++
 4 files changed, 14 insertions(+)
 create mode 100755 puppetdb/docker-entrypoint.d/30-certificate-allowlist.sh
diff --git a/README.md b/README.md
index 7c7fa453f..d11c06b40 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ docker pull ghcr.io/voxpupuli/puppetdb:7.13.0-v1.2.1
 | **PUPPETDB_NODE_PURGE_TTL** | Automatically delete nodes that have been deactivated or expired for the specified amount of time

`14d` | | **PUPPETDB_REPORT_TTL** | Automatically delete reports that are older than the specified amount of time

`14d` | | **PUPPETDB_JAVA_ARGS** | Arguments passed directly to the JVM when starting the service

`-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xlog:gc*:file=$LOGDIR/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048` | +| **PUPPETDB_CERTIFICATE_ALLOWLIST** | Comma separated list of certnames. No whitespaces!

exampe: `certname1,certname2,certname3`, default: empty string | | **LOGDIR** | Path of the log directory

`/opt/puppetlabs/server/data/puppetdb/logs` | | **SSLDIR** | Path of the SSL directory

`/opt/puppetlabs/server/data/puppetdb/certs` |
diff --git a/puppetdb/Dockerfile b/puppetdb/Dockerfile
index 7314651fd..49e8711c9 100644
--- a/puppetdb/Dockerfile
+++ b/puppetdb/Dockerfile
@@ -42,6 +42,7 @@ ENV PUPPETDB_POSTGRES_HOSTNAME="postgres" \
 PUPPETDB_NODE_TTL=7d \
 PUPPETDB_NODE_PURGE_TTL=14d \
 PUPPETDB_REPORT_TTL=14d \
+ PUPPETDB_CERTIFICATE_ALLOWLIST="" \
 # used by entrypoint to determine if puppetserver should be contacted for config
 # set to false when container tests are run
 USE_PUPPETSERVER=true \
diff --git a/puppetdb/conf.d/puppetdb.conf b/puppetdb/conf.d/puppetdb.conf
index f8de29039..d599e9cca 100644
--- a/puppetdb/conf.d/puppetdb.conf
+++ b/puppetdb/conf.d/puppetdb.conf
@@ -1,3 +1,4 @@
 puppetdb: {
 disable-update-checking: 'true'
+ certificate-allowlist: '/etc/puppetlabs/puppetdb/conf.d/certificate-allowlist'
 }
diff --git a/puppetdb/docker-entrypoint.d/30-certificate-allowlist.sh b/puppetdb/docker-entrypoint.d/30-certificate-allowlist.sh
new file mode 100755
index 000000000..6d9a57100
--- /dev/null
+++ b/puppetdb/docker-entrypoint.d/30-certificate-allowlist.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ "$PUPPETDB_CERTIFICATE_ALLOWLIST" != "" ]; then
+ IFS=','
+ for cert in $PUPPETDB_CERTIFICATE_ALLOWLIST; do
+ echo $cert >> /etc/puppetlabs/puppetdb/conf.d/certificate_allowlist
+ done
+else
+ touch /etc/puppetlabs/puppetdb/conf.d/certificate_allowlist
+fi
+
From da1271bb2b0b133d802dd31cac39608479f744a5 Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Thu, 16 Jan 2025 16:57:36 +0100
Subject: [PATCH 2/2] fix typo in README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d11c06b40..867e7e34e 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,7 @@ docker pull ghcr.io/voxpupuli/puppetdb:7.13.0-v1.2.1
 | **PUPPETDB_NODE_PURGE_TTL** | Automatically delete nodes that have been deactivated or expired for the specified amount of time
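Review bot: The path added to puppetdb.conf, `/etc/puppetlabs/puppetdb/conf.d/certificate-allowlist` (hyphen), does not match the file the new `30-certificate-allowlist.sh` hunk writes, `/etc/puppetlabs/puppetdb/conf.d/certificate_allowlist` (underscore), so PuppetDB is pointed at a file the entrypoint never creates and the allowlist is never applied. One spelling has to change on one side; the smallest fix is `certificate-allowlist: '/etc/puppetlabs/puppetdb/conf.d/certificate_allowlist'` here. Separately, the setting is now always present, even when PUPPETDB_CERTIFICATE_ALLOWLIST is left at its empty default and the entrypoint only `touch`es an empty file; if PuppetDB treats a configured-but-empty allowlist as "no certname matches" (which is how the option is described upstream — please confirm against the PuppetDB docs for the pinned version), the default image would reject every client, including the puppetserver. If that is the case, the key should be emitted only when the variable is non-empty, or the template should document the empty-file behaviour.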
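Review bot: `echo $cert >> …` in the loop body writes the expansion unquoted, so a certname containing glob characters is expanded against the working directory before being written, and because the redirection is `>>` the file is appended to on every container start — with a persisted conf.d the allowlist accumulates duplicate entries on each restart. `IFS=','` is also assigned at script scope and never restored, so if the entrypoint sources the `docker-entrypoint.d` scripts rather than executing them, all later word-splitting in that shell happens on commas. I would truncate the file once, scope the comma split to a single `read -a`, and write the entries with `printf '%s\n' "${certs[@]}"`; the target path is left as the hunk has it.
```shell
#!/bin/bash

allowlist_file=/etc/puppetlabs/puppetdb/conf.d/certificate_allowlist

# Rewrite from scratch on every start so a persisted conf.d does not
# accumulate duplicate entries across restarts (also covers the empty case).
: > "$allowlist_file"

if [ -n "$PUPPETDB_CERTIFICATE_ALLOWLIST" ]; then
  # Scope the comma split to this one read so IFS is not left changed.
  IFS=',' read -r -a certs <<< "$PUPPETDB_CERTIFICATE_ALLOWLIST"
  printf '%s\n' "${certs[@]}" >> "$allowlist_file"
fi
```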

`14d` | | **PUPPETDB_REPORT_TTL** | Automatically delete reports that are older than the specified amount of time

`14d` | | **PUPPETDB_JAVA_ARGS** | Arguments passed directly to the JVM when starting the service

`-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xlog:gc*:file=$LOGDIR/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048` | -| **PUPPETDB_CERTIFICATE_ALLOWLIST** | Comma separated list of certnames. No whitespaces!

exampe: `certname1,certname2,certname3`, default: empty string | +| **PUPPETDB_CERTIFICATE_ALLOWLIST** | Comma separated list of certnames. No whitespaces!

example: `certname1,certname2,certname3`, default: empty string | | **LOGDIR** | Path of the log directory

`/opt/puppetlabs/server/data/puppetdb/logs` | | **SSLDIR** | Path of the SSL directory

`/opt/puppetlabs/server/data/puppetdb/certs` |