albertito / chasquid

SMTP (email) server with a focus on simplicity, security, and ease of operation [mirror]

Home Page:https://blitiri.com.ar/p/chasquid/


docker: setfacl step fails when using user-provided certificates

aellwein opened this issue · comments

I want to use chasquid in my cloud environment (k8s) and had a look at the bundled Dockerfile; however, there is an issue: in entrypoint.sh there is an assumption that certificates are located inside the Docker container, or created on its filesystem.

However, it's not applicable in my use case: I want the certificates to be managed/renewed by cert-manager and I just want to mount them into chasquid's container, but in this case the setfacl logic does not work.

@albertito Can you suggest something here? Should I use my own version of Dockerfile / entrypoint.sh?

Thanks for reporting this!

That's definitely a use case the default Dockerfile should support, so it's a bug.

There's already a bit of logic for this above, based on the $AUTO_CERTS variable. Maybe we should only do setfacl if we've done certbot renew.

The other concern I have is permissions for your externally-provided certificates, but I think at that point, since they're external, you can probably manage that without needing to adjust the Dockerfile?

What do you think?

Sounds good to me. I can adjust the file mode of the files mounted to the pod. The only thing I probably need to take care of is an unattended restart of chasquid upon certificate renewal. I think I can manage this by writing a small k8s operator which watches certificate resources. I already did something like this in my cert-backup-operator, so it should be no big deal here.

Great! I've submitted 567ad35 to next, moving the setfacl inside the conditional that renews the certificate.

Docker images are automatically built by the CI pipeline and uploaded to the GitLab registry and Docker Hub, so you should be able to give them a try by using the next image tag.

Please let me know how it goes! Thank you!
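The pattern agreed on in this thread (apply the ACL only on the branch that actually renewed certificates, and leave user-mounted certificates alone) as an added sketch. This is not chasquid's real entrypoint.sh and not the 567ad35 change; only the AUTO_CERTS variable name comes from the thread, while the paths, the `chasquid` user name, the file names and the helper functions are constructed assumptions. The renewal step is a stand-in that only creates files so the decision logic can be checked without certbot, root, or setfacl being present.

```shell
#!/bin/sh
# Added example (not chasquid's own entrypoint.sh). Models the thread's decision:
# run setfacl only after an in-container renewal; treat mounted certificates as
# externally managed. AUTO_CERTS is the thread's variable name; everything else
# (paths, user name, helpers) is a constructed assumption.

CHASQUID_USER="${CHASQUID_USER:-chasquid}"   # assumed service account name

# renew_certs DIR: stand-in for "certbot renew". Returns 0 when renewal ran
# (so ACLs must be re-applied), 1 when nothing was renewed.
renew_certs() {
    dir="$1"
    # Constructed stand-in: a real entrypoint would invoke certbot here.
    [ -d "$dir" ] || return 1
    touch "$dir/privkey.pem" "$dir/fullchain.pem"
    return 0
}

# cert_plan DIR AUTO_CERTS: prints the action the entrypoint would take, so the
# logic is testable without privileges: "renew+setfacl", "external" or "missing".
cert_plan() {
    dir="$1"; auto="$2"
    if [ "$auto" = "1" ]; then
        if renew_certs "$dir"; then
            echo "renew+setfacl"
        else
            echo "missing"
        fi
        return 0
    fi
    # Externally managed (e.g. mounted from a cert-manager Secret): never change
    # permissions, only verify the files are present and readable.
    if [ -r "$dir/privkey.pem" ] && [ -r "$dir/fullchain.pem" ]; then
        echo "external"
    else
        echo "missing"
    fi
}

# apply_plan DIR PLAN: performs the side effect of the chosen branch. setfacl is
# only reached on the renewal branch and is skipped if the tool is unavailable.
apply_plan() {
    dir="$1"; plan="$2"
    case "$plan" in
        renew+setfacl)
            if command -v setfacl >/dev/null 2>&1; then
                # grant the service user read access (X = traverse directories)
                setfacl -R -m "u:$CHASQUID_USER:rX" "$dir"
            fi
            ;;
        external)
            ;;   # nothing to do: the operator manages these files
        missing)
            echo "no certificates found in $dir" >&2
            return 1
            ;;
    esac
    return 0
}

# demo_run: exercise all three branches in a temporary directory and print the
# resulting plans on one line.
demo_run() {
    tmp=$(mktemp -d)
    mkdir "$tmp/auto" "$tmp/ext"
    # constructed "mounted" certificate files for the external branch
    : > "$tmp/ext/privkey.pem"; : > "$tmp/ext/fullchain.pem"
    p1=$(cert_plan "$tmp/auto" 1)   # AUTO_CERTS=1: renew, then setfacl
    p2=$(cert_plan "$tmp/ext" 0)    # mounted certs: leave permissions alone
    p3=$(cert_plan "$tmp/nope" 0)   # nothing mounted and no renewal: fail loudly
    echo "$p1 $p2 $p3"
    rm -rf "$tmp"
}
```

Separating the decision (`cert_plan`) from the side effect (`apply_plan`) is what makes the external branch safe: a mounted Secret is read-only from the container's point of view, so any `setfacl` there would fail and abort start-up, which is exactly the symptom reported above.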

The fix was included in chasquid 1.10 (2022-09-02).