feat: support custom CA certificates for all containers (#4216)

Author: aldy505

.dockerignore

@@ -0,0 +1 @@
+certificates/.gitignore

.env

@@ -29,6 +29,14 @@ HEALTHCHECK_FILE_START_PERIOD=600s
 # Set SETUP_JS_SDK_ASSETS to 1 to enable the setup of JS SDK assets
 # SETUP_JS_SDK_ASSETS=1
 #
+# Set SETUP_CUSTOM_CA_CERTIFICATE to 1 to generate trust stores that inject
+# your custom CA certificates (from ./certificates/*.crt) into non-Sentry
+# services (relay, symbolicator, vroom, snuba, taskbroker, uptime-checker).
+# Re-run ./install.sh after adding or changing certificates — no Docker image
+# rebuilds are required. Follow the printed instructions to update your
+# docker-compose.override.yml on the first run.
+# SETUP_CUSTOM_CA_CERTIFICATE=1
+#
 # Sentry (and its' surrounding services) uses Statsd for metrics collection.
 # It's also the proper way to monitor self-hosted Sentry systems.
 # Set STATSD_ADDR to a valid IP:PORT combination to enable Statsd metrics collection.

.gitignore

@@ -71,6 +71,9 @@ target/
 
 # https://docs.docker.com/compose/extends/
 docker-compose.override.yml
+# Generated by install/setup-custom-ca-certificate.sh and rebuilt on each run.
+# Do not version these ephemeral trust-store artifacts.
+certificates/.generated/
 
 # https://docs.docker.com/compose/environment-variables/#using-the---env-file--option
 .env.custom

_unit-test/bootstrap-s3-profiles-test.sh

@@ -5,7 +5,8 @@ source install/dc-detect-version.sh
 source install/create-docker-volumes.sh
 source install/ensure-files-from-examples.sh
 export COMPOSE_PROFILES="feature-complete"
-$dc pull vroom
+# `docker compose pull vroom` can be skipped when pull_policy is set to `never`.
+$CONTAINER_ENGINE pull "${VROOM_IMAGE}"
 source install/ensure-correct-permissions-profiles-dir.sh
 
 # Generate some random files on `sentry-vroom` volume for testing

_unit-test/setup-custom-ca-certificate-test.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+
+source _unit-test/_test_setup.sh
+source install/dc-detect-version.sh
+
+CERT_DIR="./certificates"
+GENERATED_DIR="${CERT_DIR}/.generated"
+
+# -----------------------------------------------------------------------
+# Test 1: Feature flag is NOT set → script is a no-op, no generated dir.
+# -----------------------------------------------------------------------
+unset SETUP_CUSTOM_CA_CERTIFICATE
+source install/setup-custom-ca-certificate.sh
+test ! -d "$GENERATED_DIR"
+echo "Pass: no-op when SETUP_CUSTOM_CA_CERTIFICATE is unset"
+
+# -----------------------------------------------------------------------
+# Test 2: Feature flag set but no .crt files → prints a message, no-op.
+# -----------------------------------------------------------------------
+export SETUP_CUSTOM_CA_CERTIFICATE=1
+source install/setup-custom-ca-certificate.sh
+test ! -d "$GENERATED_DIR"
+echo "Pass: no-op when certificates/ has no .crt files"
+
+# -----------------------------------------------------------------------
+# Shared setup: generate a self-signed test CA certificate.
+# -----------------------------------------------------------------------
+openssl req -x509 -newkey rsa:2048 \
+  -keyout /tmp/self-hosted-test-ca.key \
+  -out "${CERT_DIR}/self-hosted-test-ca.crt" \
+  -days 1 -nodes -subj "/CN=Self-Hosted Test CA DO NOT TRUST" 2>/dev/null
+echo "Test certificate generated."
+
+# -----------------------------------------------------------------------
+# Test 3: Invalid .crt file → script exits non-zero (subshell to isolate).
+# -----------------------------------------------------------------------
+echo "not a certificate" >"${CERT_DIR}/bad.crt"
+if (
+  export SETUP_CUSTOM_CA_CERTIFICATE=1
+  source install/setup-custom-ca-certificate.sh
+) 2>/dev/null; then
+  echo "Expected setup-custom-ca-certificate.sh to fail for invalid certificate input"
+  exit 1
+fi
+rm "${CERT_DIR}/bad.crt"
+echo "Pass: invalid certificate causes a non-zero exit"
+
+# -----------------------------------------------------------------------
+# Test 4: Happy path — valid cert, flag set.
+#
+# We override all image vars to sentry-self-hosted-jq-local (guaranteed
+# present after _test_setup.sh) so the test runs without pulling large
+# upstream images. The jq image has no /etc/ssl/certs, so the script uses
+# an empty baseline and overlays our custom cert on top.
+# -----------------------------------------------------------------------
+export RELAY_IMAGE=sentry-self-hosted-jq-local
+export SYMBOLICATOR_IMAGE=sentry-self-hosted-jq-local
+export SNUBA_IMAGE=sentry-self-hosted-jq-local
+export VROOM_IMAGE=sentry-self-hosted-jq-local
+export TASKBROKER_IMAGE=sentry-self-hosted-jq-local
+export UPTIME_CHECKER_IMAGE=sentry-self-hosted-jq-local
+
+export SETUP_CUSTOM_CA_CERTIFICATE=1
+source install/setup-custom-ca-certificate.sh
+
+# The generated directory must exist.
+test -d "$GENERATED_DIR"
+echo "Pass: generated directory was created"
+
+# Each service's trust store directory must exist.
+for nickname in relay symbolicator snuba vroom taskbroker uptime-checker; do
+  test -d "${GENERATED_DIR}/${nickname}/etc/ssl/certs"
+  echo "  Pass: ${nickname} trust store directory exists"
+done
+
+# Each service's bundle must contain the custom cert's PEM block.
+for nickname in relay symbolicator snuba vroom taskbroker uptime-checker; do
+  bundle="${GENERATED_DIR}/${nickname}/etc/ssl/certs/ca-certificates.crt"
+  test -f "$bundle"
+  grep -q "BEGIN CERTIFICATE" "$bundle"
+  echo "  Pass: ${nickname} ca-certificates.crt contains at least one certificate"
+done
+
+# The individual .crt file must be present in each service's cert dir.
+for nickname in relay symbolicator snuba vroom taskbroker uptime-checker; do
+  test -f "${GENERATED_DIR}/${nickname}/etc/ssl/certs/self-hosted-test-ca.crt"
+  echo "  Pass: ${nickname} has the individual self-hosted-test-ca.crt file"
+done
+
+# openssl rehash must have created at least one hash symlink per service dir.
+for nickname in relay symbolicator snuba vroom taskbroker uptime-checker; do
+  cert_dir="${GENERATED_DIR}/${nickname}/etc/ssl/certs"
+  hash_links=$(find "$cert_dir" -maxdepth 1 -type l | wc -l)
+  test "$hash_links" -gt 0
+  echo "  Pass: ${nickname} has ${hash_links} OpenSSL hash symlink(s)"
+done
+
+# -----------------------------------------------------------------------
+# Test 5: Idempotency — running again produces the same result.
+# -----------------------------------------------------------------------
+source install/setup-custom-ca-certificate.sh
+
+for nickname in relay symbolicator snuba vroom taskbroker uptime-checker; do
+  bundle="${GENERATED_DIR}/${nickname}/etc/ssl/certs/ca-certificates.crt"
+  count=$(grep -c "BEGIN CERTIFICATE" "$bundle")
+  # Each run wipes and rebuilds .generated/, so exactly one copy of our cert.
+  test "$count" -eq 1
+  echo "  Pass: ${nickname} bundle has exactly 1 certificate after second run (no duplication)"
+done
+echo "Pass: script is idempotent"
+
+report_success

docker-compose.yml

@@ -77,7 +77,7 @@ x-sentry-defaults: &sentry_defaults
     - "./geoip:/geoip:ro"
     - "./certificates:/usr/local/share/ca-certificates:ro"
 x-snuba-defaults: &snuba_defaults
-  <<: *restart_policy
+  <<: [*restart_policy, *pull_policy]
   depends_on:
     clickhouse:
       <<: *depends_on-healthy
@@ -470,7 +470,7 @@ services:
     healthcheck:
       <<: *file_healthcheck_defaults
   symbolicator:
-    <<: *restart_policy
+    <<: [*restart_policy, *pull_policy]
     image: "$SYMBOLICATOR_IMAGE"
     environment:
       SYMBOLICATOR_STATSD_ADDR: ${STATSD_ADDR:-127.0.0.1:8125}
@@ -708,7 +708,7 @@ services:
         <<: *depends_on-healthy
         restart: true
   relay:
-    <<: *restart_policy
+    <<: [*restart_policy, *pull_policy]
     image: "$RELAY_IMAGE"
     environment:
       RELAY_STATSD_ADDR: ${STATSD_ADDR:-127.0.0.1:8125}
@@ -732,7 +732,7 @@ services:
       <<: *healthcheck_defaults
       test: ["CMD", "/bin/relay", "healthcheck"]
   taskbroker:
-    <<: *restart_policy
+    <<: [*restart_policy, *pull_policy]
     image: "$TASKBROKER_IMAGE"
     environment:
       TASKBROKER_KAFKA_CLUSTER: "kafka:9092"
@@ -753,7 +753,7 @@ services:
     healthcheck:
       <<: *file_healthcheck_defaults
   vroom:
-    <<: *restart_policy
+    <<: [*restart_policy, *pull_policy]
     image: "$VROOM_IMAGE"
     environment:
       SENTRY_KAFKA_BROKERS_PROFILING: "kafka:9092"
@@ -778,7 +778,7 @@ services:
     profiles:
       - feature-complete
   uptime-checker:
-    <<: *restart_policy
+    <<: [*restart_policy, *pull_policy]
     image: "$UPTIME_CHECKER_IMAGE"
     command: run
     environment:

install.sh

@@ -45,4 +45,5 @@ source install/set-up-and-migrate-database.sh
 source install/migrate-pgbouncer.sh
 source install/geoip.sh
 source install/setup-js-sdk-assets.sh
+source install/setup-custom-ca-certificate.sh
 source install/wrap-up.sh

install/ensure-relay-credentials.sh

@@ -24,7 +24,9 @@ else
   #    1.x and 2.2.3+ (funny story about that ... ;). Note that the long opt
   #    --no-tty doesn't exist in Docker Compose 1.
 
-  $dc pull relay
+  # `docker compose pull relay` can be skipped when service-level pull_policy is
+  # set to `never`, so pull the configured relay image directly.
+  $CONTAINER_ENGINE pull "${RELAY_IMAGE}" || true
   creds="$dcr --no-deps -T relay credentials"
   $creds generate --stdout >"$RELAY_CREDENTIALS_JSON".tmp
   mv "$RELAY_CREDENTIALS_JSON".tmp "$RELAY_CREDENTIALS_JSON"