Skip to content

Feature/ssl verify #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
May 5, 2015
Merged

Feature/ssl verify #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e5fb524
launch: add SSL verification
BrianHicks May 5, 2015
0a8fde9
README: add SSL note
BrianHicks May 5, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ MAINTAINER Steven Borrelli <steve@aster.is>

ENV CONSUL_TEMPLATE_VERSION=0.8.0

RUN apk-install bash nginx
RUN apk-install bash nginx ca-certificates

ADD https://github.com/hashicorp/consul-template/releases/download/v${CONSUL_TEMPLATE_VERSION}/consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.tar.gz /

Expand Down
7 changes: 7 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,10 @@ docker run -v /my/ssl/loc:/etc/nginx/ssl ...
docker run -v /my/ssl/loc:/etc/nginx/ssl -d --net=host -e CONSUL_CONNECT=localhost:8500 --name nginx-proxy nginx

```

## SSL

If you have an SSL root certificate that you need to trust to connect to Consul,
mount a volume containing the PEM at `/usr/local/share/ca-certificates`
(preferable read-only). The container will pick up the certificates and enable
the relevant Consul flags at runtime.
19 changes: 15 additions & 4 deletions launch.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
#!/bin/bash

set -e
set -e
#set the DEBUG env variable to turn on debugging
[[ -n "$DEBUG" ]] && set -x

Expand All @@ -15,6 +15,17 @@ CONSUL_MINWAIT=${CONSUL_MINWAIT:-2s}
CONSUL_MAXWAIT=${CONSUL_MAXWAIT:-10s}
CONSUL_LOGLEVEL=${CONSUL_LOGLEVEL:-debug}

# set up SSL
if [ "$(ls -A /usr/local/share/ca-certificates)" ]; then
CONSUL_SSL="-ssl"
# normally we'd use update-ca-certificates, but something about running it in
# Alpine is off, and the certs don't get added. Fortunately, we only need to
# add ca-certificates to the global store and it's all plain text.
cat /usr/local/share/ca-certificates/* >> /etc/ssl/certs/ca-certificates.crt
else
CONSUL_SSL=""
fi

function usage {
cat <<USAGE
launch.sh Start a consul-backed nginx instance
Expand All @@ -32,7 +43,7 @@ Nginx vars:
(default not set)

Consul-template variables:
CONSUL_TEMPLATE Location of consul-template bin
CONSUL_TEMPLATE Location of consul-template bin
(default /usr/local/bin/consul-template)


Expand All @@ -57,14 +68,14 @@ function launch_consul_template {
-wait ${CONSUL_MINWAIT}:${CONSUL_MAXWAIT} \
-config /consul-template/consul.cfg \
-template /consul-template/nginx.tmpl:/etc/nginx/nginx.conf \
-consul ${CONSUL_CONNECT} ${nginx_auth} -once ${vars}
-consul ${CONSUL_CONNECT} ${CONSUL_SSL} ${nginx_auth} -once ${vars}
/nginx-run.sh
else
echo "Starting consul template..."
exec ${CONSUL_TEMPLATE} -log-level ${CONSUL_LOGLEVEL} \
-wait ${CONSUL_MINWAIT}:${CONSUL_MAXWAIT} \
-config /consul-template/consul.cfg \
-consul ${CONSUL_CONNECT} ${nginx_auth} ${vars}
-consul ${CONSUL_CONNECT} ${CONSUL_SSL} ${nginx_auth} ${vars}
fi
}

Expand Down