From 07970d2ccb275f99e852d6c43bfe2c2d9eb42a49 Mon Sep 17 00:00:00 2001 From: Pari Mohite Date: Thu, 7 Aug 2025 21:27:03 +0000 Subject: [PATCH 1/9] add snakeoil certificates Signed-off-by: Pari Mohite --- 7.2/alpine/Dockerfile | 5 +++++ 7.2/debian/Dockerfile | 2 ++ 8.0/alpine/Dockerfile | 5 +++++ 8.0/debian/Dockerfile | 2 ++ 8.1/alpine/Dockerfile | 5 +++++ 8.1/debian/Dockerfile | 2 ++ Dockerfile.template | 7 +++++++ unstable/alpine/Dockerfile | 5 +++++ unstable/debian/Dockerfile | 2 ++ 9 files changed, 35 insertions(+) diff --git a/7.2/alpine/Dockerfile b/7.2/alpine/Dockerfile index 63325a0..aa4c3f0 100644 --- a/7.2/alpine/Dockerfile +++ b/7.2/alpine/Dockerfile @@ -92,6 +92,11 @@ RUN set -eux; \ libgcc \ ; +# Add make-ssl-cert script for snakeoil certificates (Alpine) +RUN set -eux; \ + printf '#!/bin/sh\nset -e\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ + chmod +x /usr/local/bin/make-ssl-cert + # Install valkey built earlier COPY --from=build /usr/local /usr/local RUN mkdir /data && \ diff --git a/7.2/debian/Dockerfile b/7.2/debian/Dockerfile index a422583..f04a212 100644 --- a/7.2/debian/Dockerfile +++ b/7.2/debian/Dockerfile @@ -87,6 +87,8 @@ RUN set -eux; \ # add tzdata explicitly for https://github.com/docker-library/valkey/issues/138 (see also https://bugs.debian.org/837060 and related) tzdata \ libssl3 \ +# add ssl-cert for snakeoil certificates (Debian) + ssl-cert \ ; \ rm -rf /var/lib/apt/lists/* diff --git a/8.0/alpine/Dockerfile b/8.0/alpine/Dockerfile index 23b8680..5413825 100644 --- a/8.0/alpine/Dockerfile +++ b/8.0/alpine/Dockerfile 
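Review bot: The `openssl req` command in the script this `printf` writes sets only `-subj "/CN=localhost"` and no subjectAltName, so TLS clients that no longer fall back to the Common Name will fail hostname verification even for localhost. Adding `-addext "subjectAltName=DNS:localhost"` to that command keeps the snakeoil certificate usable for local testing. A comment above the RUN should also say that the certificate is self-signed, valid for 3650 days and written with an unencrypted key (`-nodes`), so readers treat it as test material only. The same line is added in the 8.0, 8.1 and unstable Alpine Dockerfiles and in Dockerfile.template.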
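Review bot: Adding `ssl-cert` to this `apt-get install` list most likely generates the default snakeoil pair in the package's post-install step, which would bake one private key into the image layer and give the same key to every container started from it. If so, remove the pair in the same RUN, e.g. `rm -f /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/certs/ssl-cert-snakeoil.pem; \` ahead of `rm -rf /var/lib/apt/lists/*`, so that `make-ssl-cert generate-default-snakeoil` creates a fresh key in each container. The RUN instruction begins above the hunk, so the install flags are not visible here. The same package is added in the 8.0, 8.1 and unstable Debian Dockerfiles and in the Debian branch of Dockerfile.template.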
@@ -92,6 +92,11 @@ RUN set -eux; \ libgcc \ ; +# Add make-ssl-cert script for snakeoil certificates (Alpine) +RUN set -eux; \ + printf '#!/bin/sh\nset -e\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ + chmod +x /usr/local/bin/make-ssl-cert + # Install valkey built earlier COPY --from=build /usr/local /usr/local RUN mkdir /data && \ diff --git a/8.0/debian/Dockerfile b/8.0/debian/Dockerfile index 181ef3a..dcdecea 100644 --- a/8.0/debian/Dockerfile +++ b/8.0/debian/Dockerfile @@ -87,6 +87,8 @@ RUN set -eux; \ # add tzdata explicitly for https://github.com/docker-library/valkey/issues/138 (see also https://bugs.debian.org/837060 and related) tzdata \ libssl3 \ +# add ssl-cert for snakeoil certificates (Debian) + ssl-cert \ ; \ rm -rf /var/lib/apt/lists/* diff --git a/8.1/alpine/Dockerfile b/8.1/alpine/Dockerfile index 7b8a6b9..130e315 100644 --- a/8.1/alpine/Dockerfile +++ b/8.1/alpine/Dockerfile @@ -93,6 +93,11 @@ RUN set -eux; \ libgcc \ ; +# Add make-ssl-cert script for snakeoil certificates (Alpine) +RUN set -eux; \ + printf '#!/bin/sh\nset -e\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ + chmod +x /usr/local/bin/make-ssl-cert + # Install valkey built earlier COPY --from=build /usr/local /usr/local RUN mkdir /data && \ diff --git a/8.1/debian/Dockerfile b/8.1/debian/Dockerfile index 193ab92..8436c40 100644 --- a/8.1/debian/Dockerfile +++ b/8.1/debian/Dockerfile @@ -91,6 +91,8 @@ RUN set -eux; \ # add tzdata explicitly for https://github.com/docker-library/valkey/issues/138 (see also https://bugs.debian.org/837060 and related) tzdata \ libssl3 \ +# add ssl-cert for snakeoil certificates (Debian) + ssl-cert \ ; \ rm -rf /var/lib/apt/lists/* diff --git a/Dockerfile.template b/Dockerfile.template index 2dc3cea..268aef8 100644 --- a/Dockerfile.template +++ b/Dockerfile.template 
@@ -159,6 +159,11 @@ RUN set -eux; \ openssl \ libgcc \ ; + +# Add make-ssl-cert script for snakeoil certificates (Alpine) +RUN set -eux; \ + printf '#!/bin/sh\nset -e\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ + chmod +x /usr/local/bin/make-ssl-cert {{ ) else ( -}} RUN set -eux; \ apt-get update; \ @@ -166,6 +171,8 @@ RUN set -eux; \ # add tzdata explicitly for https://github.com/docker-library/valkey/issues/138 (see also https://bugs.debian.org/837060 and related) tzdata \ libssl3 \ +# add ssl-cert for snakeoil certificates (Debian) + ssl-cert \ ; \ rm -rf /var/lib/apt/lists/* {{ ) end -}} diff --git a/unstable/alpine/Dockerfile b/unstable/alpine/Dockerfile index 5d3ec74..e76ac7e 100644 --- a/unstable/alpine/Dockerfile +++ b/unstable/alpine/Dockerfile @@ -93,6 +93,11 @@ RUN set -eux; \ libgcc \ ; +# Add make-ssl-cert script for snakeoil certificates (Alpine) +RUN set -eux; \ + printf '#!/bin/sh\nset -e\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ + chmod +x /usr/local/bin/make-ssl-cert + # Install valkey built earlier COPY --from=build /usr/local /usr/local RUN mkdir /data && \ diff --git a/unstable/debian/Dockerfile b/unstable/debian/Dockerfile index 02ac4c3..1963488 100644 --- a/unstable/debian/Dockerfile +++ b/unstable/debian/Dockerfile @@ -91,6 +91,8 @@ RUN set -eux; \ # add tzdata explicitly for https://github.com/docker-library/valkey/issues/138 (see also https://bugs.debian.org/837060 and related) tzdata \ libssl3 \ +# add ssl-cert for snakeoil certificates (Debian) + ssl-cert \ ; \ rm -rf /var/lib/apt/lists/* From 984302d6a3562d28e948da70d1dde111a9e06c18 Mon Sep 17 00:00:00 2001 From: Pari Mohite Date: Fri, 8 Aug 2025 19:36:50 +0000 Subject: [PATCH 2/9] add better error handling for alpine make-ssl-cert script 
Signed-off-by: Pari Mohite --- 7.2/alpine/Dockerfile | 2 +- 8.0/alpine/Dockerfile | 2 +- 8.1/alpine/Dockerfile | 2 +- Dockerfile.template | 2 +- unstable/alpine/Dockerfile | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/7.2/alpine/Dockerfile b/7.2/alpine/Dockerfile index aa4c3f0..fe5499f 100644 --- a/7.2/alpine/Dockerfile +++ b/7.2/alpine/Dockerfile @@ -94,7 +94,7 @@ RUN set -eux; \ # Add make-ssl-cert script for snakeoil certificates (Alpine) RUN set -eux; \ - printf '#!/bin/sh\nset -e\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ + printf '#!/bin/sh\nset -e\nif [ $# -ne 2 ]; then\n echo "Usage: make-ssl-cert " >&2\n exit 1\nfi\nmkdir -p "$(dirname "$1")" "$(dirname "$2")"\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ chmod +x /usr/local/bin/make-ssl-cert # Install valkey built earlier diff --git a/8.0/alpine/Dockerfile b/8.0/alpine/Dockerfile index 5413825..9cb6355 100644 --- a/8.0/alpine/Dockerfile +++ b/8.0/alpine/Dockerfile @@ -94,7 +94,7 @@ RUN set -eux; \ # Add make-ssl-cert script for snakeoil certificates (Alpine) RUN set -eux; \ - printf '#!/bin/sh\nset -e\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ + printf '#!/bin/sh\nset -e\nif [ $# -ne 2 ]; then\n echo "Usage: make-ssl-cert " >&2\n exit 1\nfi\nmkdir -p "$(dirname "$1")" "$(dirname "$2")"\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ chmod +x /usr/local/bin/make-ssl-cert # Install valkey built earlier diff --git a/8.1/alpine/Dockerfile b/8.1/alpine/Dockerfile index 130e315..eab4576 100644 --- a/8.1/alpine/Dockerfile +++ b/8.1/alpine/Dockerfile 
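Review bot: The added `mkdir -p "$(dirname "$1")" "$(dirname "$2")"` creates a missing key directory under the caller's umask, so a private key written to a new path typically lands in a directory that other users in the container can list and traverse. Creating the key's parent on its own with a tight mask, `(umask 077; mkdir -p "$(dirname "$2")")`, keeps that directory private while leaving the certificate directory readable. The same script text is repeated in the 8.0, 8.1 and unstable Alpine Dockerfiles and in Dockerfile.template in this commit.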
@@ -95,7 +95,7 @@ RUN set -eux; \ # Add make-ssl-cert script for snakeoil certificates (Alpine) RUN set -eux; \ - printf '#!/bin/sh\nset -e\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ + printf '#!/bin/sh\nset -e\nif [ $# -ne 2 ]; then\n echo "Usage: make-ssl-cert " >&2\n exit 1\nfi\nmkdir -p "$(dirname "$1")" "$(dirname "$2")"\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ chmod +x /usr/local/bin/make-ssl-cert # Install valkey built earlier diff --git a/Dockerfile.template b/Dockerfile.template index 268aef8..d4fe773 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -162,7 +162,7 @@ RUN set -eux; \ # Add make-ssl-cert script for snakeoil certificates (Alpine) RUN set -eux; \ - printf '#!/bin/sh\nset -e\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ + printf '#!/bin/sh\nset -e\nif [ $# -ne 2 ]; then\n echo "Usage: make-ssl-cert " >&2\n exit 1\nfi\nmkdir -p "$(dirname "$1")" "$(dirname "$2")"\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ chmod +x /usr/local/bin/make-ssl-cert {{ ) else ( -}} RUN set -eux; \ diff --git a/unstable/alpine/Dockerfile b/unstable/alpine/Dockerfile index e76ac7e..ffe0d6b 100644 --- a/unstable/alpine/Dockerfile +++ b/unstable/alpine/Dockerfile 
@@ -95,7 +95,7 @@ RUN set -eux; \ # Add make-ssl-cert script for snakeoil certificates (Alpine) RUN set -eux; \ - printf '#!/bin/sh\nset -e\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ + printf '#!/bin/sh\nset -e\nif [ $# -ne 2 ]; then\n echo "Usage: make-ssl-cert " >&2\n exit 1\nfi\nmkdir -p "$(dirname "$1")" "$(dirname "$2")"\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ chmod +x /usr/local/bin/make-ssl-cert # Install valkey built earlier From db293b215eba927a67fe07d34272652da0106a16 Mon Sep 17 00:00:00 2001 From: Pari Mohite Date: Fri, 8 Aug 2025 20:41:36 +0000 Subject: [PATCH 3/9] make separate script and copy it to the image like entrypoint.sh Signed-off-by: Pari Mohite --- 7.2/alpine/Dockerfile | 5 ++--- 7.2/alpine/make-ssl-cert-alpine.sh | 10 ++++++++++ 8.0/alpine/Dockerfile | 5 ++--- 8.0/alpine/make-ssl-cert-alpine.sh | 10 ++++++++++ 8.1/alpine/Dockerfile | 5 ++--- 8.1/alpine/make-ssl-cert-alpine.sh | 10 ++++++++++ Dockerfile.template | 5 ++--- make-ssl-cert-alpine.sh | 10 ++++++++++ unstable/alpine/Dockerfile | 5 ++--- unstable/alpine/make-ssl-cert-alpine.sh | 10 ++++++++++ 10 files changed, 60 insertions(+), 15 deletions(-) create mode 100644 7.2/alpine/make-ssl-cert-alpine.sh create mode 100644 8.0/alpine/make-ssl-cert-alpine.sh create mode 100644 8.1/alpine/make-ssl-cert-alpine.sh create mode 100644 make-ssl-cert-alpine.sh create mode 100644 unstable/alpine/make-ssl-cert-alpine.sh diff --git a/7.2/alpine/Dockerfile b/7.2/alpine/Dockerfile index fe5499f..01c130c 100644 --- a/7.2/alpine/Dockerfile +++ b/7.2/alpine/Dockerfile 
@@ -93,9 +93,8 @@ RUN set -eux; \ ; # Add make-ssl-cert script for snakeoil certificates (Alpine) -RUN set -eux; \ - printf '#!/bin/sh\nset -e\nif [ $# -ne 2 ]; then\n echo "Usage: make-ssl-cert " >&2\n exit 1\nfi\nmkdir -p "$(dirname "$1")" "$(dirname "$2")"\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ - chmod +x /usr/local/bin/make-ssl-cert +COPY make-ssl-cert-alpine.sh /usr/local/bin/make-ssl-cert +RUN chmod +x /usr/local/bin/make-ssl-cert # Install valkey built earlier COPY --from=build /usr/local /usr/local diff --git a/7.2/alpine/make-ssl-cert-alpine.sh b/7.2/alpine/make-ssl-cert-alpine.sh new file mode 100644 index 0000000..4ca66cd --- /dev/null +++ b/7.2/alpine/make-ssl-cert-alpine.sh @@ -0,0 +1,10 @@ +#!/bin/sh +set -e + +if [ $# -ne 2 ]; then + echo "Usage: make-ssl-cert " >&2 + exit 1 +fi + +mkdir -p "$(dirname "$1")" "$(dirname "$2")" +openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" \ No newline at end of file diff --git a/8.0/alpine/Dockerfile b/8.0/alpine/Dockerfile index 9cb6355..3299cdc 100644 --- a/8.0/alpine/Dockerfile +++ b/8.0/alpine/Dockerfile @@ -93,9 +93,8 @@ RUN set -eux; \ ; # Add make-ssl-cert script for snakeoil certificates (Alpine) -RUN set -eux; \ - printf '#!/bin/sh\nset -e\nif [ $# -ne 2 ]; then\n echo "Usage: make-ssl-cert " >&2\n exit 1\nfi\nmkdir -p "$(dirname "$1")" "$(dirname "$2")"\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ - chmod +x /usr/local/bin/make-ssl-cert +COPY make-ssl-cert-alpine.sh /usr/local/bin/make-ssl-cert +RUN chmod +x /usr/local/bin/make-ssl-cert # Install valkey built earlier COPY --from=build /usr/local /usr/local diff --git a/8.0/alpine/make-ssl-cert-alpine.sh b/8.0/alpine/make-ssl-cert-alpine.sh new file mode 100644 index 0000000..4ca66cd --- /dev/null +++ b/8.0/alpine/make-ssl-cert-alpine.sh 
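Review bot: The separate `RUN chmod +x /usr/local/bin/make-ssl-cert` is needed only because make-ssl-cert-alpine.sh is added with mode 100644 in this commit; committing the script as 100755 lets `COPY` carry the executable bit and drops the extra layer. The comment above the COPY could also say that this helper takes a certificate path and a key path, since the Debian images call a `make-ssl-cert` with a different command line (`generate-default-snakeoil`), e.g. `# Alpine-only helper: make-ssl-cert CERT_FILE KEY_FILE (not the Debian ssl-cert tool)`. The same two lines are added in the 8.0, 8.1 and unstable Alpine Dockerfiles and in Dockerfile.template.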
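Review bot: Nothing in the script sets the mode of the key written by `-keyout "$2"`, and with `-nodes` the key is unencrypted, so the file mode is its only protection. A fresh file probably gets a restrictive mode from OpenSSL itself, but an existing file at that path would presumably keep whatever mode it already had when it is overwritten. Adding `chmod 600 "$2"` after the `openssl req` line makes the 600 guarantee part of the script rather than a property of the OpenSSL build. The usage line, as shown here, names no arguments; `echo "Usage: make-ssl-cert CERT_FILE KEY_FILE" >&2` would say what the two paths are. The identical file is added under 8.0/alpine, 8.1/alpine, unstable/alpine and at the repository root.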
@@ -0,0 +1,10 @@ +#!/bin/sh +set -e + +if [ $# -ne 2 ]; then + echo "Usage: make-ssl-cert " >&2 + exit 1 +fi + +mkdir -p "$(dirname "$1")" "$(dirname "$2")" +openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" \ No newline at end of file diff --git a/8.1/alpine/Dockerfile b/8.1/alpine/Dockerfile index eab4576..c12e90f 100644 --- a/8.1/alpine/Dockerfile +++ b/8.1/alpine/Dockerfile @@ -94,9 +94,8 @@ RUN set -eux; \ ; # Add make-ssl-cert script for snakeoil certificates (Alpine) -RUN set -eux; \ - printf '#!/bin/sh\nset -e\nif [ $# -ne 2 ]; then\n echo "Usage: make-ssl-cert " >&2\n exit 1\nfi\nmkdir -p "$(dirname "$1")" "$(dirname "$2")"\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ - chmod +x /usr/local/bin/make-ssl-cert +COPY make-ssl-cert-alpine.sh /usr/local/bin/make-ssl-cert +RUN chmod +x /usr/local/bin/make-ssl-cert # Install valkey built earlier COPY --from=build /usr/local /usr/local diff --git a/8.1/alpine/make-ssl-cert-alpine.sh b/8.1/alpine/make-ssl-cert-alpine.sh new file mode 100644 index 0000000..4ca66cd --- /dev/null +++ b/8.1/alpine/make-ssl-cert-alpine.sh @@ -0,0 +1,10 @@ +#!/bin/sh +set -e + +if [ $# -ne 2 ]; then + echo "Usage: make-ssl-cert " >&2 + exit 1 +fi + +mkdir -p "$(dirname "$1")" "$(dirname "$2")" +openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" \ No newline at end of file diff --git a/Dockerfile.template b/Dockerfile.template index d4fe773..c65f50f 100644 --- a/Dockerfile.template +++ b/Dockerfile.template 
@@ -161,9 +161,8 @@ RUN set -eux; \ ; # Add make-ssl-cert script for snakeoil certificates (Alpine) -RUN set -eux; \ - printf '#!/bin/sh\nset -e\nif [ $# -ne 2 ]; then\n echo "Usage: make-ssl-cert " >&2\n exit 1\nfi\nmkdir -p "$(dirname "$1")" "$(dirname "$2")"\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ - chmod +x /usr/local/bin/make-ssl-cert +COPY make-ssl-cert-alpine.sh /usr/local/bin/make-ssl-cert +RUN chmod +x /usr/local/bin/make-ssl-cert {{ ) else ( -}} RUN set -eux; \ apt-get update; \ diff --git a/make-ssl-cert-alpine.sh b/make-ssl-cert-alpine.sh new file mode 100644 index 0000000..4ca66cd --- /dev/null +++ b/make-ssl-cert-alpine.sh @@ -0,0 +1,10 @@ +#!/bin/sh +set -e + +if [ $# -ne 2 ]; then + echo "Usage: make-ssl-cert " >&2 + exit 1 +fi + +mkdir -p "$(dirname "$1")" "$(dirname "$2")" +openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" \ No newline at end of file diff --git a/unstable/alpine/Dockerfile b/unstable/alpine/Dockerfile index ffe0d6b..f8d1a8d 100644 --- a/unstable/alpine/Dockerfile +++ b/unstable/alpine/Dockerfile @@ -94,9 +94,8 @@ RUN set -eux; \ ; # Add make-ssl-cert script for snakeoil certificates (Alpine) -RUN set -eux; \ - printf '#!/bin/sh\nset -e\nif [ $# -ne 2 ]; then\n echo "Usage: make-ssl-cert " >&2\n exit 1\nfi\nmkdir -p "$(dirname "$1")" "$(dirname "$2")"\nopenssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost"\n' > /usr/local/bin/make-ssl-cert; \ - chmod +x /usr/local/bin/make-ssl-cert +COPY make-ssl-cert-alpine.sh /usr/local/bin/make-ssl-cert +RUN chmod +x /usr/local/bin/make-ssl-cert # Install valkey built earlier COPY --from=build /usr/local /usr/local diff --git a/unstable/alpine/make-ssl-cert-alpine.sh b/unstable/alpine/make-ssl-cert-alpine.sh new file mode 100644 index 0000000..4ca66cd --- /dev/null +++ b/unstable/alpine/make-ssl-cert-alpine.sh 
@@ -0,0 +1,10 @@ +#!/bin/sh +set -e + +if [ $# -ne 2 ]; then + echo "Usage: make-ssl-cert " >&2 + exit 1 +fi + +mkdir -p "$(dirname "$1")" "$(dirname "$2")" +openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" \ No newline at end of file From ea7046cd077073b131282cbda9f9949e52be14e8 Mon Sep 17 00:00:00 2001 From: Pari Mohite Date: Fri, 8 Aug 2025 22:22:53 +0000 Subject: [PATCH 4/9] add testing for snakeoil certs and openssl Signed-off-by: Pari Mohite --- .test/tests/valkey-ssl-cert/run.sh | 150 +++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100755 .test/tests/valkey-ssl-cert/run.sh diff --git a/.test/tests/valkey-ssl-cert/run.sh b/.test/tests/valkey-ssl-cert/run.sh new file mode 100755 index 0000000..1421ecf --- /dev/null +++ b/.test/tests/valkey-ssl-cert/run.sh 
@@ -0,0 +1,150 @@ +#!/usr/bin/env bash +set -eo pipefail + +dir="$(dirname "$(readlink -f "$BASH_SOURCE")")" +testDir="$(readlink -f "$(dirname "$BASH_SOURCE")")" +testName="$(basename "$testDir")" + +image="$1" + +# Determine if this is Alpine or Debian variant +imageVariant="$(docker run --rm --entrypoint sh "$image" -c 'if [ -f /etc/alpine-release ]; then echo alpine; else echo debian; fi')" + +network="valkey-network-$RANDOM-$RANDOM" +docker network create "$network" >/dev/null + +cname="valkey-container-$RANDOM-$RANDOM" +cid="$(docker run -d --name "$cname" --network "$network" "$image")" + +trap "docker rm -vf '$cid' >/dev/null; docker network rm '$network' >/dev/null" EXIT + +# Test OpenSSL is available +echo "Testing OpenSSL availability..." +docker exec "$cid" openssl version >/dev/null +echo "✓ OpenSSL is accessible" + +# Test make-ssl-cert functionality +if [ "$imageVariant" = "alpine" ]; then + echo "Testing Alpine make-ssl-cert..." + + # Test basic certificate generation + docker exec "$cid" make-ssl-cert /tmp/test.pem /tmp/test.key + + # Verify files exist + docker exec "$cid" test -f /tmp/test.pem + docker exec "$cid" test -f /tmp/test.key + + # Test nested directory creation + docker exec "$cid" make-ssl-cert /deep/nested/cert.pem /another/path/key.pem + docker exec "$cid" test -f /deep/nested/cert.pem + docker exec "$cid" test -f /another/path/key.pem + + # Test error handling + if docker exec "$cid" make-ssl-cert 2>/dev/null; then + echo "ERROR: Should have failed with no arguments" + exit 1 + fi + + if docker exec "$cid" make-ssl-cert /tmp/only-one 2>/dev/null; then + echo "ERROR: Should have failed with one argument" + exit 1 + fi + +else + echo "Testing Debian make-ssl-cert..." 
+ + # Test standard generation + docker exec "$cid" make-ssl-cert generate-default-snakeoil + + # Verify files exist + docker exec "$cid" test -f /etc/ssl/certs/ssl-cert-snakeoil.pem + docker exec "$cid" test -f /etc/ssl/private/ssl-cert-snakeoil.key +fi + +# Common tests for both variants +echo "Testing certificate validity..." + +if [ "$imageVariant" = "alpine" ]; then + certFile="/tmp/test.pem" + keyFile="/tmp/test.key" +else + certFile="/etc/ssl/certs/ssl-cert-snakeoil.pem" + keyFile="/etc/ssl/private/ssl-cert-snakeoil.key" +fi + +# Verify certificate is valid X.509 +docker exec "$cid" openssl x509 -in "$certFile" -noout -text >/dev/null + +# Verify private key is valid +docker exec "$cid" openssl rsa -in "$keyFile" -check -noout >/dev/null 2>&1 + +# Verify certificate subject +subject="$(docker exec "$cid" openssl x509 -in "$certFile" -noout -subject)" +if [[ "$subject" != *"CN=localhost"* ]] && [[ "$subject" != *"CN = localhost"* ]]; then + echo "ERROR: Certificate subject should contain CN=localhost, got: $subject" + exit 1 +fi + +# Verify certificate and key match +certMod="$(docker exec "$cid" openssl x509 -noout -modulus -in "$certFile" | openssl md5)" +keyMod="$(docker exec "$cid" sh -c "openssl rsa -noout -modulus -in '$keyFile' 2>/dev/null | openssl md5")" + +if [ "$certMod" != "$keyMod" ]; then + echo "ERROR: Certificate and key modulus don't match" + exit 1 +fi + +# Edge case tests +echo "Testing edge cases..." 
+ +if [ "$imageVariant" = "alpine" ]; then + # Test with special characters in filenames + docker exec "$cid" make-ssl-cert "/tmp/cert with spaces.pem" "/tmp/key-with-dashes.pem" + docker exec "$cid" test -f "/tmp/cert with spaces.pem" + docker exec "$cid" test -f "/tmp/key-with-dashes.pem" + + # Test overwriting existing files + firstSerial="$(docker exec "$cid" openssl x509 -in "$certFile" -noout -serial)" + docker exec "$cid" make-ssl-cert "$certFile" "$keyFile" + secondSerial="$(docker exec "$cid" openssl x509 -in "$certFile" -noout -serial)" + + if [ "$firstSerial" = "$secondSerial" ]; then + echo "ERROR: Certificate should have been overwritten" + exit 1 + fi +else + # Test self-signed certificate validates + if ! docker exec "$cid" openssl verify -CAfile "$certFile" "$certFile" 2>/dev/null | grep -q "OK"; then + echo "ERROR: Self-signed certificate should validate" + exit 1 + fi + + # Test key size is reasonable (should be 2048 bits) + keySize="$(docker exec "$cid" openssl rsa -in "$keyFile" -text -noout 2>/dev/null | grep "Private-Key" | grep -o "[0-9]*" | head -1)" + if [ "$keySize" -lt 2048 ]; then + echo "ERROR: Key size should be at least 2048 bits, got $keySize" + exit 1 + fi +fi + +# Test certificate validity period (should be ~10 years) +notAfter="$(docker exec "$cid" openssl x509 -in "$certFile" -noout -enddate | cut -d= -f2)" +currentYear="$(date +%Y)" +certYear="$(date -d "$notAfter" +%Y 2>/dev/null || echo "2035")" +yearDiff=$((certYear - currentYear)) + +if [ "$yearDiff" -lt 9 ] || [ "$yearDiff" -gt 11 ]; then + echo "ERROR: Certificate should be valid for ~10 years, got $yearDiff years" + exit 1 +fi + +# Test file permissions are secure (Alpine only) +if [ "$imageVariant" = "alpine" ]; then + keyPerm="$(docker exec "$cid" stat -c %a "$keyFile")" + if [ "$keyPerm" != "600" ]; then + echo "ERROR: Private key should have 600 permissions, got $keyPerm" + exit 1 + fi +fi + +echo "✓ All SSL certificate tests (including edge cases) passed for 
$imageVariant variant" \ No newline at end of file From 1775f7282a0a4da19a9a4ac2a2c555d7b350a68f Mon Sep 17 00:00:00 2001 From: Pari Mohite Date: Fri, 8 Aug 2025 22:26:33 +0000 Subject: [PATCH 5/9] add trailing newline to added files Signed-off-by: Pari Mohite --- .test/tests/valkey-ssl-cert/run.sh | 2 +- 7.2/alpine/make-ssl-cert-alpine.sh | 2 +- 8.0/alpine/make-ssl-cert-alpine.sh | 2 +- 8.1/alpine/make-ssl-cert-alpine.sh | 2 +- make-ssl-cert-alpine.sh | 2 +- unstable/alpine/make-ssl-cert-alpine.sh | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.test/tests/valkey-ssl-cert/run.sh b/.test/tests/valkey-ssl-cert/run.sh index 1421ecf..8bae1c5 100755 --- a/.test/tests/valkey-ssl-cert/run.sh +++ b/.test/tests/valkey-ssl-cert/run.sh @@ -147,4 +147,4 @@ if [ "$imageVariant" = "alpine" ]; then fi fi -echo "✓ All SSL certificate tests (including edge cases) passed for $imageVariant variant" \ No newline at end of file +echo "✓ All SSL certificate tests (including edge cases) passed for $imageVariant variant" diff --git a/7.2/alpine/make-ssl-cert-alpine.sh b/7.2/alpine/make-ssl-cert-alpine.sh index 4ca66cd..a2c2704 100644 --- a/7.2/alpine/make-ssl-cert-alpine.sh +++ b/7.2/alpine/make-ssl-cert-alpine.sh @@ -7,4 +7,4 @@ if [ $# -ne 2 ]; then fi mkdir -p "$(dirname "$1")" "$(dirname "$2")" -openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" \ No newline at end of file +openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" diff --git a/8.0/alpine/make-ssl-cert-alpine.sh b/8.0/alpine/make-ssl-cert-alpine.sh index 4ca66cd..a2c2704 100644 --- a/8.0/alpine/make-ssl-cert-alpine.sh +++ b/8.0/alpine/make-ssl-cert-alpine.sh 
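Review bot: The certificate/key match check pipes the certificate modulus into `openssl md5` on the host while the key modulus is hashed inside the container, so the comparison depends on the host having openssl and on both builds printing the digest in the same format. Running both pipelines in the container, `certMod="$(docker exec "$cid" sh -c "openssl x509 -noout -modulus -in '$certFile' | openssl md5")"`, removes that dependency. The validity check has a similar weak spot: `|| echo "2035"` turns a failed `date -d` parse into a hard-coded year, which hides the failure and makes the range check drift with the calendar; `openssl x509 -checkend` inside the container would test the lifetime without host-side date parsing. The `trap` is installed only after `docker run`, so a failed container start leaves the created network behind.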
@@ -7,4 +7,4 @@ if [ $# -ne 2 ]; then fi mkdir -p "$(dirname "$1")" "$(dirname "$2")" -openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" \ No newline at end of file +openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" diff --git a/8.1/alpine/make-ssl-cert-alpine.sh b/8.1/alpine/make-ssl-cert-alpine.sh index 4ca66cd..a2c2704 100644 --- a/8.1/alpine/make-ssl-cert-alpine.sh +++ b/8.1/alpine/make-ssl-cert-alpine.sh @@ -7,4 +7,4 @@ if [ $# -ne 2 ]; then fi mkdir -p "$(dirname "$1")" "$(dirname "$2")" -openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" \ No newline at end of file +openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" diff --git a/make-ssl-cert-alpine.sh b/make-ssl-cert-alpine.sh index 4ca66cd..a2c2704 100644 --- a/make-ssl-cert-alpine.sh +++ b/make-ssl-cert-alpine.sh @@ -7,4 +7,4 @@ if [ $# -ne 2 ]; then fi mkdir -p "$(dirname "$1")" "$(dirname "$2")" -openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" \ No newline at end of file +openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" diff --git a/unstable/alpine/make-ssl-cert-alpine.sh b/unstable/alpine/make-ssl-cert-alpine.sh index 4ca66cd..a2c2704 100644 --- a/unstable/alpine/make-ssl-cert-alpine.sh +++ b/unstable/alpine/make-ssl-cert-alpine.sh @@ -7,4 +7,4 @@ if [ $# -ne 2 ]; then fi mkdir -p "$(dirname "$1")" "$(dirname "$2")" -openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" \ No newline at end of file +openssl req -new -x509 -days 3650 -nodes -out "$1" -keyout "$2" -subj "/CN=localhost" From cab43c851511c05af9641bcc5e6b7bda4c5fe8a1 Mon Sep 17 00:00:00 2001 From: Pari Mohite Date: Fri, 8 Aug 2025 22:49:15 +0000 Subject: [PATCH 6/9] fix apply-templates.sh to copy over the make-ssl-cert-alpine script 
Signed-off-by: Pari Mohite --- apply-templates.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apply-templates.sh b/apply-templates.sh index 51656bf..b256c85 100755 --- a/apply-templates.sh +++ b/apply-templates.sh @@ -53,5 +53,8 @@ for version; do } > "$dir/Dockerfile" cp -a docker-entrypoint.sh "$dir/" + if [ "$variant" = "alpine" ]; then + cp -a make-ssl-cert-alpine.sh "$dir/" + fi done done From 1a7b79f09652e527f87b16ed5e8ae7c68f06781a Mon Sep 17 00:00:00 2001 From: Pari Mohite Date: Fri, 8 Aug 2025 22:53:02 +0000 Subject: [PATCH 7/9] add valkey-ssl-cert test to the CI config Signed-off-by: Pari Mohite --- .test/config.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.test/config.sh b/.test/config.sh index b1e8f48..aa703ac 100644 --- a/.test/config.sh +++ b/.test/config.sh @@ -6,5 +6,6 @@ imageTests+=( valkey-basics-tls valkey-basics-config valkey-basics-persistent + valkey-ssl-cert ' ) \ No newline at end of file From b28d17457266b8fae7b36447d4ff8af4572710cf Mon Sep 17 00:00:00 2001 From: Pari Mohite Date: Fri, 8 Aug 2025 23:15:37 +0000 Subject: [PATCH 8/9] suppress warnings Signed-off-by: Pari Mohite --- .test/tests/valkey-ssl-cert/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.test/tests/valkey-ssl-cert/run.sh b/.test/tests/valkey-ssl-cert/run.sh index 8bae1c5..c428343 100755 --- a/.test/tests/valkey-ssl-cert/run.sh +++ b/.test/tests/valkey-ssl-cert/run.sh @@ -54,7 +54,7 @@ else echo "Testing Debian make-ssl-cert..." # Test standard generation - docker exec "$cid" make-ssl-cert generate-default-snakeoil + docker exec "$cid" env DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil # Verify files exist docker exec "$cid" test -f /etc/ssl/certs/ssl-cert-snakeoil.pem From 032caa7efee05f7734cf98df5fdf7d1d55ecd021 Mon Sep 17 00:00:00 2001 From: Pari Mohite Date: Fri, 8 Aug 2025 23:24:16 +0000 Subject: [PATCH 9/9] fix certificate subject check for debian 
Signed-off-by: Pari Mohite --- .test/tests/valkey-ssl-cert/run.sh | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/.test/tests/valkey-ssl-cert/run.sh b/.test/tests/valkey-ssl-cert/run.sh index c428343..029b695 100755 --- a/.test/tests/valkey-ssl-cert/run.sh +++ b/.test/tests/valkey-ssl-cert/run.sh @@ -80,9 +80,17 @@ docker exec "$cid" openssl rsa -in "$keyFile" -check -noout >/dev/null 2>&1 # Verify certificate subject subject="$(docker exec "$cid" openssl x509 -in "$certFile" -noout -subject)" -if [[ "$subject" != *"CN=localhost"* ]] && [[ "$subject" != *"CN = localhost"* ]]; then - echo "ERROR: Certificate subject should contain CN=localhost, got: $subject" - exit 1 +if [ "$imageVariant" = "alpine" ]; then + if [[ "$subject" != *"CN=localhost"* ]] && [[ "$subject" != *"CN = localhost"* ]]; then + echo "ERROR: Certificate subject should contain CN=localhost, got: $subject" + exit 1 + fi +else + # For Debian, just verify it has some CN field + if [[ "$subject" != *"CN="* ]] && [[ "$subject" != *"CN ="* ]]; then + echo "ERROR: Certificate subject should contain CN field, got: $subject" + exit 1 + fi fi # Verify certificate and key match
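Review bot: On the Debian branch the new check passes for any subject containing `CN=`, so the test no longer verifies which name the certificate was issued for. If the ssl-cert tool derives the name from the hostname at generation time, the test could compare against the container's own name, e.g. `[[ "$subject" == *"$(docker exec "$cid" hostname)"* ]]`. That would also catch a certificate produced at image build time rather than in this container. The script continues beyond the hunk, so later uses of `$subject` are not visible here.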