From 6d4a91dd1cfa61fd8eeb09da852f3516d484ee53 Mon Sep 17 00:00:00 2001
From: Anthony Fok
Date: Wed, 19 Jan 2022 10:17:50 -0700
Subject: [PATCH] Add environment variables to set SSL certs for Gunicorn
This is to allow pygeoapi to serve over HTTPS. The environment variables are
  - PYGEOAPI_SSL_KEYFILE corresponds to --keyfile
  - PYGEOAPI_SSL_CERTFILE corresponds to --certfile
  - PYGEOAPI_SSL_VERSION corresponds to --ssl-version
  - PYGEOAPI_SSL_CA_CERTS corresponds to --ca-certs
Sample command: docker run -p 5000:80 \
    -e PYGEOAPI_SSL_KEYFILE=/certs/tls.key \
    -e PYGEOAPI_SSL_CERTFILE=/certs/tls.crt \
    -v /path/to/tls.crt:/certs/tls.crt:ro \
    -v /path/to/tls.key:/certs/tls.key:ro \
    -v $(pwd)/my.config.yml:/pygeoapi/local.config.yml \
    -it ghcr.io/opendrr/pygeoapi:pr-20
where "url: https://localhost:5000" is set in the "server" section in my.config.yml
Fixes #19
---
 docker/entrypoint.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 0bf11f2bf..bd3762284 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -49,6 +49,13 @@ WSGI_WORKERS=${WSGI_WORKERS:=4}
 WSGI_WORKER_TIMEOUT=${WSGI_WORKER_TIMEOUT:=6000}
 WSGI_WORKER_CLASS=${WSGI_WORKER_CLASS:=gevent}
+# Set optional SSL certs for Gunicorn to serve HTTPS
+GUNICORN_SSL_OPTIONS=()
+[[ -n $PYGEOAPI_SSL_KEYFILE ]] && GUNICORN_SSL_OPTIONS+=( "--keyfile=${PYGEOAPI_SSL_KEYFILE}" )
+[[ -n $PYGEOAPI_SSL_CERTFILE ]] && GUNICORN_SSL_OPTIONS+=( "--certfile=${PYGEOAPI_SSL_CERTFILE}" )
+[[ -n $PYGEOAPI_SSL_VERSION ]] && GUNICORN_SSL_OPTIONS+=( "--ssl-version=${PYGEOAPI_SSL_VERSION}" )
+[[ -n $PYGEOAPI_SSL_CA_CERTS ]] && GUNICORN_SSL_OPTIONS+=( "--ca-certs=${PYGEOAPI_SSL_CA_CERTS}" )
+
 # What to invoke: default is to run gunicorn server
 entry_cmd=${1:-run}
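Review bot: Nothing in the four added `[[ -n … ]] &&` lines checks that PYGEOAPI_SSL_KEYFILE and PYGEOAPI_SSL_CERTFILE are set together or that the mounted files are readable, so a half-configured pair is likely to surface only when Gunicorn starts or at the first TLS handshake. A guard after the appends would fail fast: `if [[ -n "${PYGEOAPI_SSL_KEYFILE}${PYGEOAPI_SSL_CERTFILE}" ]] && ! [[ -r "${PYGEOAPI_SSL_KEYFILE}" && -r "${PYGEOAPI_SSL_CERTFILE}" ]]; then echo "PYGEOAPI_SSL_KEYFILE and PYGEOAPI_SSL_CERTFILE must both point to readable files" >&2; exit 1; fi`. As far as I know Gunicorn only verifies client certificates when `--cert-reqs` is also given, so PYGEOAPI_SSL_CA_CERTS on its own should not be read as enabling client authentication; the comment above the block could say so. PYGEOAPI_SSL_VERSION is forwarded unvalidated, so a legacy protocol value is accepted as-is, and an allow-list or a documented minimum would help operators.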
@@ -102,11 +109,15 @@ case ${entry_cmd} in
 [[ "${SCRIPT_NAME}" = '/' ]] && export SCRIPT_NAME="" && echo "make SCRIPT_NAME empty from /"
 echo "Start gunicorn name=${CONTAINER_NAME} on ${CONTAINER_HOST}:${CONTAINER_PORT} with ${WSGI_WORKERS} workers and SCRIPT_NAME=${SCRIPT_NAME}"
+ if ((${#GUNICORN_SSL_OPTIONS[@]})); then
+ echo "with SSL options" "${GUNICORN_SSL_OPTIONS[@]}"
+ fi
 exec gunicorn --workers ${WSGI_WORKERS} \
 --worker-class=${WSGI_WORKER_CLASS} \
 --timeout ${WSGI_WORKER_TIMEOUT} \
 --name=${CONTAINER_NAME} \
 --bind ${CONTAINER_HOST}:${CONTAINER_PORT} \
+ "${GUNICORN_SSL_OPTIONS[@]}" \
 pygeoapi.flask_app:APP
 ;;
 *)
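Review bot: When none of the PYGEOAPI_SSL_* variables reach the container (a misspelled name, a missing `-e`), the added `if` before `exec gunicorn` prints nothing and the server comes up on plain HTTP with no sign in the log that TLS is off. An `else` branch would make that visible: `else echo "no PYGEOAPI_SSL_* options set, serving plain HTTP"`. Separately, if the script runs under `set -u` on bash older than 4.4 (the top of the file is outside this hunk), expanding the empty array on the `exec` line aborts; `${GUNICORN_SSL_OPTIONS[@]+"${GUNICORN_SSL_OPTIONS[@]}"}` avoids that. The `case` arm these lines sit in begins above the hunk.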