Allow development certificates to be provided as secrets rather than (#…

…232) mounts. Co-authored-by: Nigel Banks <[email protected]:w>
Islandora-Devops · Jun 21, 2022 · 2778b47 · 2778b47
1 parent b17bcc9
commit 2778b47
Show file tree

Hide file tree

Showing 10 changed files with 74 additions and 19 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -15,6 +15,7 @@
     },
     "cSpell.words": [
         "binarystorage",
+        "CAROOT",
         "catchable",
         "classpath",
         "Confd",
@@ -25,6 +26,7 @@
         "getenv",
         "islandora",
         "KEEPALIVE",
+        "mkcert",
         "MODESHAPE",
         "nativeplatform",
         "nocopy",

diff --git a/base/Dockerfile b/base/Dockerfile
@@ -72,10 +72,11 @@ ENV \
     S6_LOGGING=0 \
     TERM=xterm
 
-# JWT_PUBLIC_KEY and JWT_PRIVATE_KEY are defined in /etc/defaults
-# As Docker does not support setting multiline environment variables via ENV.
-# The 'DB' environment variables can be overridden by prefixing it with the image
-# name i.e. `FCREPO_DB_NAME` would override the value for `DB_NAME`.
+# CERT_AUTHORITY and CERT_PUBLIC as well as JWT_PUBLIC_KEY and JWT_PRIVATE_KEY
+# are defined in /etc/defaults. As Docker does not support setting multiline
+# environment variables via ENV. The 'DB' environment variables can be
+# overridden by prefixing it with the image name i.e. `FCREPO_DB_NAME` would
+# override the value for `DB_NAME`.
 ENV \ 
     DB_DRIVER=mysql \
     DB_HOST= \

diff --git a/base/README.md b/base/README.md
@@ -16,21 +16,56 @@ Requires `alpine`
 The following environment variables cannot be provided by [confd] as they drive
 it's configuration, they must be set on each container as environment variables.
 
-| Environment Variable    | Default                                     | Description                                                                                             |
-| :---------------------- | :------------------------------------------ | :------------------------------------------------------------------------------------------------------ |
-| CERTIFICATE             | /usr/local/share/ca-certificates/cert.pem   | Allows for bind mounted development certificates to registered with the system so that curl, etc works. |
-| CERTIFICATE_AUTHORITY   | /usr/local/share/ca-certificates/rootCA.pem | Allows for bind mounted development certificate authority to registered with the java.                  |
-| CONFD_BACKEND           | env                                         | The backend to use for `confd` only `env`, and `etcd` are supported at the moment                       |
-| CONFD_ENABLE_SERVICE    | false                                       | If `true` confd will run continuously rather than just on startup.                                      |
-| CONFD_LOG_LEVEL         | error                                       | The log level to use when executing `confd`                                                             |
-| CONFD_POLLING_INTERVAL  | 30                                          | Time in seconds between runs of `confd` when enabled as a service                                       |
-| ETCD_CONNECTION_TIMEOUT | 0                                           | Timeout to wait for a connection to etcd                                                                |
-| ETCD_HOST               | etcd                                        | The host where etcd, can be found                                                                       |
-| ETCD_PORT               | 2379                                        | The port where etcd can be accessed                                                                     |
+| Environment Variable    | Default | Description                                                                       |
+| :---------------------- | :------ | :-------------------------------------------------------------------------------- |
+| CONFD_BACKEND           | env     | The backend to use for `confd` only `env`, and `etcd` are supported at the moment |
+| CONFD_ENABLE_SERVICE    | false   | If `true` confd will run continuously rather than just on startup.                |
+| CONFD_LOG_LEVEL         | error   | The log level to use when executing `confd`                                       |
+| CONFD_POLLING_INTERVAL  | 30      | Time in seconds between runs of `confd` when enabled as a service                 |
+| ETCD_CONNECTION_TIMEOUT | 0       | Timeout to wait for a connection to etcd                                          |
+| ETCD_HOST               | etcd    | The host where etcd, can be found                                                 |
+| ETCD_PORT               | 2379    | The port where etcd can be accessed                                               |
 
 Users do not require [etcd] to run the containers, environment variables can be
 used instead for simplicity.
 
+### Certificate Settings
+
+If using development certificates for local development, they can be made
+available within the containers using the following environment variables.
+
+| Environment Variable | Default | Description                                                                                                                                                  |
+| :------------------- | :------ | :----------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| CERT_PUBLIC_KEY      |         | Primarily used for development. If provided the certificate will be registered inside of the container such that curl, etc accepts the certificate as valid. |
+| CERT_AUTHORITY       |         | Primarily used for development. If provided the authority is registered with the java, so that requests originating from Java accept the public certificate. |
+
+For example if generating certificates locally with [mkcert] for local
+development, and using `islandora.dev` as the primary domain.
+
+> N.B `islandora.dev` just redirects back to `127.0.0.1`.
+
+```bash
+mkcert -install
+mkcert \
+  -cert-file cert.pem \
+  -key-file privkey.pem \
+  "*.islandora.dev" \
+  "islandora.dev" \
+  "localhost" \
+  "127.0.0.1" \
+  "::1"
+```
+
+This will generate `cert.pem` which can be use as `CERT_PUBLIC_KEY` and
+`rootCA.pem` can be used for `CERT_AUTHORITY`. `rootCA.pem` can be found at the
+path printed by using the command `mkcert -CAROOT`.
+
+Now requests originating within the container will accept the development
+certificate as geniune.
+
+> N.B. This is not required for production sites or certificates that are
+> publically available.
+
 ### JWT Settings
 
 Many services that connect to Drupal / Fedora authenticate via JWT. Please see
@@ -90,5 +125,6 @@ and `DB_MYSQL_PORT` variables will be used when connecting to the backend.
 [confd]: https://github.com/kelseyhightower/confd
 [etcd]: https://github.com/etcd-io/etcd
 [JWT Authentication]: https://islandora.github.io/documentation/technical-documentation/jwt/
+[mkcert]: https://github.com/FiloSottile/mkcert
 [s6 overlay]: https://github.com/just-containers/s6-overlay
-[Syn]: https://github.com/Islandora/Syn
+[Syn]: https://github.com/Islandora/Syn
diff --git a/base/rootfs/etc/confd/conf.d/cert.pem.toml b/base/rootfs/etc/confd/conf.d/cert.pem.toml
@@ -0,0 +1,7 @@
+[template]
+src = "cert.pem.tmpl"
+dest = "/usr/local/share/ca-certificates/cert.pem"
+uid = 0
+gid = 0
+mode = "0644"
+keys = [ "/" ]
diff --git a/base/rootfs/etc/confd/conf.d/rootCA.pem.toml b/base/rootfs/etc/confd/conf.d/rootCA.pem.toml
@@ -0,0 +1,7 @@
+[template]
+src = "rootCA.pem.tmpl"
+dest = "/usr/local/share/ca-certificates/rootCA.pem"
+uid = 0
+gid = 0
+mode = "0644"
+keys = [ "/" ]
diff --git a/base/rootfs/etc/confd/templates/cert.pem.tmpl b/base/rootfs/etc/confd/templates/cert.pem.tmpl
@@ -0,0 +1 @@
+{{ getenv "CERT_PUBLIC_KEY" }}
diff --git a/base/rootfs/etc/confd/templates/rootCA.pem.tmpl b/base/rootfs/etc/confd/templates/rootCA.pem.tmpl
@@ -0,0 +1 @@
+{{ getenv "CERT_AUTHORITY" }}
diff --git a/...ootfs/etc/cont-init.d/01-cacert-import.sh → ...ootfs/etc/cont-init.d/02-cacert-import.sh b/...ootfs/etc/cont-init.d/01-cacert-import.sh → ...ootfs/etc/cont-init.d/02-cacert-import.sh
@@ -3,20 +3,20 @@
 set -e
 
 # Install the bind-mounted certificate if present.
-if [[ -f "${CERTIFICATE}" ]]; then
+if [[ -s "/usr/local/share/ca-certificates/cert.pem" ]]; then
   update-ca-certificates
 fi
 
 # Import into the java certificate store if java is installed.
 # And the CA pem file exists.
-if [[ -f "${CERTIFICATE_AUTHORITY}" ]]; then
+if [[ -s "/usr/local/share/ca-certificates/rootCA.pem" ]]; then
   if hash keytool; then
     keytool \
       -importcert \
       -noprompt \
       -keystore /usr/lib/jvm/default-jvm/jre/lib/security/cacerts \
       -storepass changeit \
-      -file "${CERTIFICATE_AUTHORITY}" \
+      -file "/usr/local/share/ca-certificates/rootCA.pem" \
       -alias islandora
   fi
 fi
diff --git a/base/rootfs/etc/defaults/CERT_AUTHORITY b/base/rootfs/etc/defaults/CERT_AUTHORITY
diff --git a/base/rootfs/etc/defaults/CERT_PUBLIC_KEY b/base/rootfs/etc/defaults/CERT_PUBLIC_KEY