From e5fb524b701b6e80ec26d1074b021b6e5cb70858 Mon Sep 17 00:00:00 2001
From: Brian Hicks
Date: Tue, 5 May 2015 07:41:06 -0500
Subject: [PATCH 1/2] launch: add SSL verification
---
 Dockerfile | 2 +-
 launch.sh | 19 +++++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0aeea57..bcccdab 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ MAINTAINER Steven Borrelli
 ENV CONSUL_TEMPLATE_VERSION=0.8.0
-RUN apk-install bash nginx
+RUN apk-install bash nginx ca-certificates
 ADD https://github.com/hashicorp/consul-template/releases/download/v${CONSUL_TEMPLATE_VERSION}/consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.tar.gz /
diff --git a/launch.sh b/launch.sh
index c31fe46..74462e3 100755
--- a/launch.sh
+++ b/launch.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-set -e
+set -e
 #set the DEBUG env variable to turn on debugging
 [[ -n "$DEBUG" ]] && set -x
@@ -15,6 +15,17 @@ CONSUL_MINWAIT=${CONSUL_MINWAIT:-2s}
 CONSUL_MAXWAIT=${CONSUL_MAXWAIT:-10s}
 CONSUL_LOGLEVEL=${CONSUL_LOGLEVEL:-debug}
+# set up SSL
+if [ "$(ls -A /usr/local/share/ca-certificates)" ]; then
+ CONSUL_SSL="-ssl"
+ # normally we'd use update-ca-certificates, but something about running it in
+ # Alpine is off, and the certs don't get added. Fortunately, we only need to
+ # add ca-certificates to the global store and it's all plain text.
+ cat /usr/local/share/ca-certificates/* >> /etc/ssl/certs/ca-certificates.crt
+else
+ CONSUL_SSL=""
+fi
+
 function usage {
 cat <
Date: Tue, 5 May 2015 07:43:40 -0500
Subject: [PATCH 2/2] README: add SSL note
---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/README.md b/README.md
index 9f50315..b5673e6 100644
--- a/README.md
+++ b/README.md
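Review bot: Concatenating `/usr/local/share/ca-certificates/*` straight into `/etc/ssl/certs/ca-certificates.crt` in the launch.sh `# set up SSL` hunk can silently yield a bundle that fails verification: a mounted PEM without a trailing newline fuses its `-----END CERTIFICATE-----` line with the next file's `-----BEGIN` line, and every file in the directory is appended regardless of content, so a stray non-PEM file or a private key mounted next to the CA is copied into the shared trust store without any error. Writing each regular file followed by a newline avoids both, and lets the `ls -A` probe (which also prints an error when the directory is absent) go, since `CONSUL_SSL` is set only when a file is actually found. The append also re-runs on every container start, so a restarted container accumulates duplicate copies — harmless for verification, but worth a guard if the bundle path is on a persistent volume (not visible here). The hunk's trailing context is garbled on this page (`cat <`), so `usage` and whatever consumes `$CONSUL_SSL` are outside what I can see.
```shell
# set up SSL
CONSUL_SSL=""
for cert in /usr/local/share/ca-certificates/*; do
  [[ -f "$cert" ]] || continue
  CONSUL_SSL="-ssl"
  # append each file followed by a newline so a PEM without a trailing
  # newline cannot fuse with the next certificate in the bundle
  cat -- "$cert" >> /etc/ssl/certs/ca-certificates.crt
  printf '\n' >> /etc/ssl/certs/ca-certificates.crt
done
# … unchanged: function usage …
```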
@@ -17,3 +17,10 @@ docker run -v /my/ssl/loc:/etc/nginx/ssl ...
 docker run -v /my/ssl/loc:/etc/nginx/ssl -d --net=host -e CONSUL_CONNECT=localhost:8500 --name nginx-proxy nginx
 ```
+
+## SSL
+
+If you have an SSL root certificate that you need to trust to connect to Consul,
+mount a volume containing the PEM at `/usr/local/share/ca-certificates`
+(preferable read-only). The container will pick up the certificates and enable
+the relevant Consul flags at runtime.