Showing
6 changed files
with
209 additions
and
2 deletions.
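--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,70 @@
+#################
+# Build Step
+#################
+
+FROM golang:latest as build
+
+# Setup work env
+RUN mkdir -p /app/ /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
+ADD . /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
+WORKDIR /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
+
+
+# Required envs for GO
+ENV GOPATH=/tmp/gocode
+ENV GOOS=linux
+ENV GOARCH=amd64
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Update and confirm deps
+RUN apt-get update && apt-get -y dist-upgrade && apt-get -y install build-essential
+
+# Install deps
+RUN go get -d -v ./...
+
+## Dirty Hack - Remove when https://github.com/golang/go/issues/37278 is closed
+# Compatibility with OpenSSH 8.2 and above
+WORKDIR /tmp/gocode/src/golang.org/x/crypto/
+RUN git config user.email "you@example.com"
+RUN git config user.name "Your Name"
+RUN git pull --no-edit https://go.googlesource.com/crypto refs/changes/37/220037/3
+WORKDIR /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
+## Dirty Hack End
+
+# Build and copy final result
+RUN make
+
+#################
+# Run Step
+#################
+
+FROM debian:buster as run
+
+# Copy binary from build container
+COPY --from=build /tmp/gocode/bin/keymasterd /app/keymasterd
+COPY --from=build /tmp/gocode/bin/keymaster-unlocker /app/keymaster-unlocker
+COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/cmd/keymasterd/customization_data /usr/share/keymasterd/customization_data
+COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/cmd/keymasterd/static_files /usr/share/keymasterd/static_files
+
+# Copy docker specific scripts from build container
+COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/misc/docker/start.sh /app/docker/
+
+# Perform update and clear cache
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update
+RUN apt-get -y --no-install-recommends install procps apache2-utils ca-certificates
+RUN apt-get -y install wget
+RUN wget https://github.com/Yelp/dumb-init/releases/download/v1.2.3/dumb-init_1.2.3_amd64.deb
+RUN dpkg -i dumb-init_1.2.3_amd64.deb
+RUN rm -f dumb-init_1.2.3_amd64.deb
+RUN apt-get -y --purge autoremove wget
+RUN apt-get -y dist-upgrade && rm -rf /var/cache/apt/*
+
+
+# Install init
+
+# Expose web and LDAP ports
+EXPOSE 80 443 6920
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/bin/sh", "/app/docker/start.sh"]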
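Review bot: The dumb-init .deb is fetched with `wget` and installed with `dpkg -i` as root with no checksum or signature check, so the image contains whatever the download returned on that build; Debian buster ships a `dumb-init` package, so the wget/dpkg/rm/autoremove lines can be dropped and the install collapsed into one layer, `RUN apt-get update && apt-get -y --no-install-recommends install apache2-utils ca-certificates dumb-init procps && rm -rf /var/lib/apt/lists/*` (the packaged release is older than 1.2.3, so confirm that is acceptable), or, if the upstream release is required, verify it before dpkg with `echo "<SHA256-PLACEHOLDER>  dumb-init_1.2.3_amd64.deb" | sha256sum -c -`. The same unpinned-input problem applies to `FROM golang:latest` and to the `git pull` of an unmerged Gerrit change into x/crypto in the build stage: neither is reproducible, so pin the Go tag (ideally with a digest) and record which change revision the hack depends on. The run stage never issues a `USER` instruction, so keymasterd runs as root inside the container; add an unprivileged system user after the apt steps unless the daemon is known to need root for binding 80/443. Minor: `ADD . …` should be `COPY . …`, since no archive extraction or URL fetch is involved, and the `# Install init` comment is now orphaned above `EXPOSE`.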
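--- a/docs/docker/README.md
+++ b/docs/docker/README.md
@@ -0,0 +1,103 @@
+# Keymaster in Docker
+
+## Build
+
+On a machine with docker installed, pull this source and create the container
+
+```
+$ git clone https://github.com/Cloud-Foundations/keymaster.git
+$ cd keymaster
+$ docker build -t local/keymaster .
+```
+
+## Bootstrap
+
+Now that you have the local container built, you will need to create keys and a
+default config for bootstrapping the server.
+
+```
+$ cd misc/docker
+$ cp env.example .env # Edit this file to set timezone and local dirs
+$ . .env
+$ docker run --rm -it -v "${KEYMASTER_DATA}/conf/:/etc/keymaster/" -v \
+"${KEYMASTER_DATA}/db/:/var/lib/keymaster/" -e "TZ=${TIMEZONE}" \
+local/keymaster /app/keymasterd -generateConfig
+```
+
+This will generate a series of prompts. Here's how to answer them.
+
+
+Enter and re-enter your passphrase
+
+```
+Please enter your passphrase:
+Please re-enter your passphrase:
+```
+
+Due to a bug in config, enter / for Base dir
+
+```
+Default base Dir[/tmp]:/
+```
+
+Leave blank and hit enter for data directory
+
+```
+Data Directory[//var/lib/keymaster]:
+```
+
+Enter your public hostname
+
+```
+HostIdentity[keymaster.DOMAIN]:keymaster.mydomain.com
+```
+
+Hit enter for the ports and accept the default.
+
+```
+HttpAddress[:443]:
+AdminAddress[:6920]:
+```
+
+Fix the config issues mentioned in the main README.md
+
+```
+$ sudo sed -i 's% data_directory:.*% data_directory: "/var/lib/keymaster"%g' \
+${KEYMASTER_DATA}/conf/config.yml
+$ sudo sed -i 's% shared_data_directory:.*% shared_data_directory: "/usr/share/keymasterd/"%g' \
+${KEYMASTER_DATA}/conf/config.yml
+```
+
+## Start
+
+After bootstrapping configs and keys you just start the container. This will
+start it sealed.
+
+```
+$ docker-compose up -d
+```
+
+## Unseal
+
+By default the CA will start in a sealed state. To unseal it you will need to
+enter your passphrase.
+
+```
+$ docker exec -e SSL_CERT_FILE=/etc/keymaster/server.pem -it keymaster \
+/app/keymaster-unlocker -cert /etc/keymaster/adminClient.pem \
+-key /etc/keymaster/adminClient.key -keymasterHostname localhost
+Password for unlocking localhost:
+OK
+```
+
+## Add users
+
+By default a user is created. Let's start by deleting this and creating our own
+user.
+
+```
+$ rm -f ${KEYMASTER_DATA}/conf/passfile.htpass
+$ docker exec -it keymaster /usr/bin/htpasswd -B -c \
+/etc/keymaster/passfile.htpass $USERNAME
+```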
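--- a/misc/docker/docker-compose.yml
+++ b/misc/docker/docker-compose.yml
@@ -0,0 +1,18 @@
+# See ../../docs/docker for more info. This will not work without bootstrapping
+
+version: "2"
+
+services:
+keymaster:
+image: "local/keymaster"
+container_name: "keymaster"
+environment:
+- "TZ=${TIMEZONE}"
+ports:
+- "80:80"
+- "443:443"
+- "6920:6920"
+volumes:
+- "${KEYMASTER_DATA}/conf/:/etc/keymaster/"
+- "${KEYMASTER_DATA}/db/:/var/lib/keymaster/"
+restart: "unless-stopped"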
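Review bot: The admin port is published as `- "6920:6920"`, which binds it on every host interface, while the documented unseal step reaches it from inside the container via `docker exec … -keymasterHostname localhost`; if no external client needs the admin endpoint, publish it on loopback only, `- "127.0.0.1:6920:6920"`, and leave 80/443 as they are. Indentation is not preserved in this rendering, so the nesting under `services:` could not be verified here. `version: "2"` is the legacy compose schema; this works but a `2.x`/`3.x` version is worth considering when the file is next touched.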
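--- a/misc/docker/env.example
+++ b/misc/docker/env.example
@@ -0,0 +1,2 @@
+TIMEZONE=America/Los_Angeles
+KEYMASTER_DATA=/srv/docker/keymaster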
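--- a/misc/docker/start.sh
+++ b/misc/docker/start.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Copy config file if it doesn't exist so that the app can start
+if [ ! -f /etc/keymaster/config.yml ] ; then
+echo "Generate Configs"
+exit 1
+fi
+
+# Run app
+/app/keymasterd -config /etc/keymaster/config.yml -alsoLogToStderr
+
+echo ""
+echo "keymasterd has exited."
+echo "Exiting."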
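Review bot: The script's exit status is that of the final `echo`, so a keymasterd crash is reported to dumb-init, and therefore to the container runtime, as exit 0; capture the status immediately after the keymasterd line with `rc=$?` and finish the script with `exit "$rc"`. The comment above the config check says it copies a config file, but the block only tests for `/etc/keymaster/config.yml` and exits; reword it to `# Refuse to start without a config; run keymasterd -generateConfig first (see docs/docker)`. Alternatively `exec /app/keymasterd …` would make keymasterd the direct child of dumb-init and propagate its status for free, at the cost of the trailing messages.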