From fd2cf2deadfa8586e253c58feaab450cea234d36 Mon Sep 17 00:00:00 2001
From: tm16-medma
Date: Thu, 26 Mar 2026 15:41:03 +0100
Subject: [PATCH] Add custom CA file support for OVIS oauth2-proxy in setup script and compose file

Enhanced the OVIS setup by introducing support for custom OIDC CA files in the oauth2-proxy configuration. Updated the ovis-compose.yml to include new environment variables and volume mounts for trusted CA certificates. Modified the ovis-setup.sh script to detect and log the presence of custom CA files, ensuring secure communication with OIDC providers.
---
 ccp/modules/ovis-compose.yml | 4 ++++
 ccp/modules/ovis-setup.sh | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/ccp/modules/ovis-compose.yml b/ccp/modules/ovis-compose.yml
index 537812e0..c369ec87 100644
--- a/ccp/modules/ovis-compose.yml
+++ b/ccp/modules/ovis-compose.yml
@@ -6,6 +6,8 @@ services:
 environment:
 - http_proxy=http://forward_proxy:3128
 - https_proxy=http://forward_proxy:3128
+ - OAUTH2_PROXY_USE_SYSTEM_TRUST_STORE=true
+ - OAUTH2_PROXY_PROVIDER_CA_FILES=${OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES}
 - OAUTH2_PROXY_PROVIDER=oidc
 - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
 - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL}
@@ -27,6 +29,8 @@ services:
 - OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_USER_GROUP}
 - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
 - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-ovis
+ volumes:
+ - /etc/bridgehead/trusted-ca-certs:/etc/bridgehead/trusted-ca-certs:ro
 labels:
 - "traefik.enable=true"
 - "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180"
diff --git a/ccp/modules/ovis-setup.sh b/ccp/modules/ovis-setup.sh
index fdaf2345..e22fcfaa 100644
--- a/ccp/modules/ovis-setup.sh
+++ b/ccp/modules/ovis-setup.sh
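Review bot: `OAUTH2_PROXY_PROVIDER_CA_FILES=${OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES}` interpolates a variable that the setup script only assigns when it actually finds `*.crt`/`*.pem` files, so in the default deployment Compose will warn that the variable is not set and substitute an empty string; writing it as `${OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES:-}` makes the empty default explicit and silences that warning. Please also confirm that the oauth2-proxy version pinned for this service treats an empty value of this list option as "no extra CA files" rather than attempting to load a file named `""` — I believe it does, but the hunk gives no version to check against. The values in that list are host paths; they only resolve inside the container because the second hunk mounts `/etc/bridgehead/trusted-ca-certs` at the identical path, which deserves a comment on the env line such as `# host paths; valid in-container because the volume mounts the dir at the same path`. `OAUTH2_PROXY_USE_SYSTEM_TRUST_STORE=true` is what keeps the distro roots in play alongside the custom files (per the oauth2-proxy docs, without it only the custom files are trusted), so note that too so nobody later "simplifies" it away.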
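Review bot: The short-syntax bind mount under `volumes:` is unconditional, so on a host where `/etc/bridgehead/trusted-ca-certs` does not exist Docker will silently create it as an empty, root-owned directory rather than fail — harmless here because the setup script only passes files it actually found, but it surprises operators who later discover the directory and wonder what created it. A one-line comment above the mount would pre-empt that, e.g. `# mounted even when empty; host dir is auto-created (empty) if absent`. Keeping `:ro` is the right call: the container must never be able to add trust anchors to this directory.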
@@ -2,6 +2,21 @@ if [ -n "$ENABLE_OVIS" ]; then
 log INFO "OVIS setup detected -- will start OVIS services with local oauth2-proxy middleware."
+ TRUSTED_CA_DIR="/etc/bridgehead/trusted-ca-certs"
+
+ if [ -d "$TRUSTED_CA_DIR" ]; then
+ shopt -s nullglob
+ ca_candidates=("$TRUSTED_CA_DIR"/*.crt "$TRUSTED_CA_DIR"/*.pem)
+ shopt -u nullglob
+
+ if [ ${#ca_candidates[@]} -gt 0 ]; then
+ OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES="$(IFS=,; printf '%s' "${ca_candidates[*]}")"
+ log INFO "OVIS oauth2-proxy will trust custom OIDC CA files from $TRUSTED_CA_DIR."
+ else
+ log INFO "No custom OIDC CA files (*.crt/*.pem) found in $TRUSTED_CA_DIR; using container system trust store only."
+ fi
+ fi
+
 OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml"
 add_private_oidc_redirect_url "/oauth2-ovis/callback"
 fi
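Review bot: `OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES=...` is a plain shell assignment, but ovis-compose.yml reads it via `${OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES}`, which Compose resolves from the environment of the `docker compose` process; unless the script that sources this file runs under `set -a` or exports the variable later (not visible here), the container gets an empty list while the INFO line just claimed the custom CAs are trusted. The safe form is `export OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES="$(IFS=,; printf '%s' "${ca_candidates[*]}")"`. Two smaller caveats worth a comment above `TRUSTED_CA_DIR=`: the comma join breaks for a filename containing a comma, and nothing verifies that the matched files are CA certificates or that the directory is root-owned and not world-writable, so whatever lands in `/etc/bridgehead/trusted-ca-certs` becomes a trust anchor for the OIDC issuer's TLS — e.g. `# Any *.crt/*.pem here becomes a trusted root for OIDC TLS; keep the dir root-owned, mode 0755`. The enclosing `if [ -n "$ENABLE_OVIS" ]` block starts outside the hunk (its opening line is the hunk's function context).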