Awesome
osixia/cfssl-multirootca
Latest release: 0.3.1 - cfssl multirootca 1.4.1 - Changelog | Docker Hub
A docker image to run cfssl multirootca tool.
Beginner Guide
Use your own config
This image comes with a roots config file that can be easily customized via environment variables for a quick bootstrap, but setting your own roots.conf is possible. 2 options:
-
Link your config file at run time to
/container/service/multirootca/assets/roots.conf
and the corresponding needed files to/container/service/multirootca/assets/files
:docker run --volume /data/my-roots.conf:/container/service/multirootca/assets/roots.conf --volume /data/files:/container/service/multirootca/assets/files --detach osixia/multirootca:0.2.0
-
Add your config file by extending or cloning this image, please refer to the Advanced User Guide
HTTPS
By default HTTPS is disable.
Use autogenerated certificate
Add --env CFSSL_MUTLTIROOTCA_HTTPS=true
to run command then a certificate is created with the container hostname (it can be set by docker run --hostname option eg: pki.my-company.com).
docker run --env CFSSL_MUTLTIROOTCA_HTTPS=true --hostname pki.my-company.com --detach osixia/cfssl-multirootca:0.3.1
Use your own certificate
You can set your custom certificate at run time, add --env CFSSL_MUTLTIROOTCA_HTTPS=true
, mount a directory containing those files to /container/service/multirootca/assets/certs and adjust their name with the following environment variables:
docker run --env CFSSL_MUTLTIROOTCA_HTTPS=true \
--volume /path/to/certifates:/container/service/multirootca/assets/certs \
--env CFSSL_MUTLTIROOTCA_HTTPS_CRT_FILENAME=my.crt \
--env CFSSL_MUTLTIROOTCA_HTTPS_KEY_FILENAME=my.key \
--detach osixia/cfssl-multirootca:0.3.1
Other solutions are available please refer to the Advanced User Guide
Fix docker mounted file problems
You may have some problems with mounted files on some systems. The startup script try to make some file adjustment and fix files owner and permissions, this can result in multiple errors. See Docker documentation.
To fix that run the container with --copy-service
argument :
docker run [your options] osixia/cfssl-multirootca:0.3.1 --copy-service
Debug
The container default log level is info.
Available levels are: none
, error
, warning
, info
, debug
and trace
.
Example command to run the container in debug
mode:
docker run --detach osixia/cfssl-multirootca:0.3.1 --loglevel debug
See all command line options:
docker run osixia/cfssl-multirootca:0.3.1 --help
Environment Variables
Environment variables defaults are set in image/environment/default.yaml
See how to set your own environment variables
-
CFSSL_MULTIROOTCA_ROOTS: Set multirootca config. Defaults to :
- primary: - private: file://testdata/server.key - certificate: testdata/server.crt - config: testdata/config.json - nets: 10.0.2.1/24,172.16.3.1/24, 192.168.3.15/32 - backup: - private: file://testdata/server.key - certificate: testdata/server.crt - config: testdata/config.json
This will be converted in the roots.conf file to :
[ primary ] private = file://testdata/server.key certificate = testdata/server.crt config = testdata/config.json nets = 10.0.2.1/24,172.16.3.1/24, 192.168.3.15/32 [ backup ] private = file://testdata/server.key certificate = testdata/server.crt config = testdata/config.json
All config are possible just add the needed entries.
If you want to set this variable at docker run command add the tag
#PYTHON2BASH:
and convert the yaml in python:docker run --env CFSSL_MULTIROOTCA_ROOTS="#PYTHON2BASH:[{'primary':[{'private':'file://testdata/server.key'},{'certificate':'testdata/server.crt'},{'config': 'testdata/config.json'},{'nets': '10.0.2.1/24,172.16.3.1/24, 192.168.3.15/32'}]},{'backup': [{'private': 'file://testdata/server.key'},{'certificate': 'testdata/server.crt'},{'config':'testdata/config.json'}]" --detach osixia/cfssl-multirootca:0.3.1
To convert yaml to python online: http://yaml-online-parser.appspot.com/
-
CFSSL_MULTIROOTCA_CMD_ARGS: multirootca command arguments default. Defaults to
-l primary -loglevel 1
HTTPS :
- CFSSL_MUTLTIROOTCA_HTTPS: Use https. Defaults to
false
- CFSSL_MUTLTIROOTCA_HTTPS_CRT_FILENAME: SSL certificate filename. Defaults to
cfssl-mutlirootca.crt
- CFSSL_MUTLTIROOTCA_HTTPS_KEY_FILENAME: SSL certificate private key filename. Defaults to
cfssl-mutlirootca.key
Other configuration:
- CFSSL_MULTIROOTCA_SSL_HELPER_PREFIX: ssl-helper environment variables prefix. Defaults to
multirootca
, ssl-helper first search config from MUTLTIROOTCA_SSL_HELPER_* variables, before SSL_HELPER_* variables.
Set your own environment variables
Use command line argument
Environment variables can be set by adding the --env argument in the command line, for example:
docker run --env CFSSL_MUTLTIROOTCA_HTTPS="true" \
--detach osixia/cfssl-multirootca:0.3.1
Link environment file
For example if your environment file is in : /data/environment/my-env.yaml
docker run --volume /data/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
--detach osixia/cfssl-multirootca:0.3.1
Take care to link your environment file to /container/environment/XX-somedir
(with XX < 99 so they will be processed before default environment files) and not directly to /container/environment
because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).
Make your own image or extend this image
This is the best solution if you have a private registry. Please refer to the Advanced User Guide just below.
Advanced User Guide
Extend osixia/cfssl-multirootca:0.3.1 image
If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image.
Dockerfile example:
FROM osixia/cfssl-multirootca:0.3.1
MAINTAINER Your Name <your@name.com>
ADD https-certs /container/service/multiroot/assets/certs
ADD ca-files /container/service/multiroot/assets/files
ADD environment /container/environment/01-custom
Make your own cfssl-multirootca image
Clone this project :
git clone https://github.com/osixia/docker-cfssl-multirootca
cd docker-cfssl-multirootca
Adapt Makefile, set your image NAME and VERSION, for example :
NAME = osixia/cfssl-multirootca
VERSION = 0.2.0
becomes :
NAME = billy-the-king/cfssl-multirootca
VERSION = 0.1.0
Add your custom certificate and environment files...
Build your image :
make build
Run your image :
docker run -d billy-the-king/cfssl-multirootca:0.3.1
Tests
We use Bats (Bash Automated Testing System) to test this image:
Install Bats, and in this project directory run :
make test
Under the hood: osixia/light-baseimage
This image is based on osixia/web-baseimage. More info: https://github.com/osixia/docker-light-baseimage
Changelog
Please refer to: CHANGELOG.md