docker: setfacl step fails when using user-provided certificates #29
Comments
Thanks for reporting this! That's definitely a use case the default Dockerfile should support, so it's a bug. There's already a bit of logic for this above, based on the The other concern I have are permissions for your externally-provided certificates, but I think at that point since they're external you can probably manage that without needing to adjust the Dockerfile? What do you think?
Sounds good to me. I can adjust the file mode of the files mounted to the pod. The only thing I probably need to take care of is an unattended restart of chasquid upon certificate renewal. I think I can manage this by means of writing a small k8s operator which needs to watch certificate resources. I already did something like this
Today, we do setfacl unconditionally; this can be a problem for user-provided certificates because they may be located somewhere else. This patch fixes the problem by only doing setfacl after renewing the certificates. Externally provided certificates will be untouched, and the user is responsible for ensuring that chasquid can read them. Thanks to Alex Ellwein (aellwein@github) for reporting this in #29!
Great! I've submitted 567ad35 to Docker images are automatically built by the CI pipeline and uploaded to the gitlab registry and dockerhub, so you should be able to give them a try by using the Please let me know how it goes! Thank you!
The fix was included in chasquid 1.10 (2022-09-02).
I want to use chasquid in my cloud environment (k8s) and had a look at the bundled Dockerfile; however, there is an issue: in entrypoint.sh there is an assumption that certificates are located inside the Docker container, or created on its filesystem.
However, that's not applicable in my use case: I want the certificates to be managed/renewed by cert-manager and I want to just mount them into chasquid's container, but in this case the setfacl logic is not working.
@albertito Can you suggest something here? Should I use my own version of Dockerfile / entrypoint.sh?
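To make the rule from the fix commit concrete (setfacl only after the container itself renewed the certificates; mounted certificates are left alone and the user owns their permissions), here is an added shell illustration. It is not chasquid's entrypoint.sh and not code from this thread. The certificate file names, the `.renewed` marker written by a renewal step, and the daemon user name `chasquid` are assumptions of the example.

```sh
#!/bin/sh
# Added example (not chasquid's entrypoint.sh): apply the rule from the fix,
# i.e. run setfacl only on certificates this container just renewed, and only
# verify readability of certificates the user mounted in.
# Assumptions: certificate file names, the ".renewed" marker written by the
# renewal step, and the daemon user name "chasquid".
set -eu

CHASQUID_USER="${CHASQUID_USER:-chasquid}"

# renewed_certs DIR: true when the renewal step in this container wrote new
# files into DIR. The marker-file convention is an assumption of this example.
renewed_certs() {
    [ -f "$1/.renewed" ]
}

# readable_by_daemon FILE: root can read anything, so when running as root the
# check is made as the daemon user if that account exists; otherwise it is
# made as the current user.
readable_by_daemon() {
    if [ "$(id -u)" -eq 0 ] && id "$CHASQUID_USER" >/dev/null 2>&1; then
        su -s /bin/sh "$CHASQUID_USER" -c "test -r '$1'"
    else
        [ -r "$1" ]
    fi
}

# check_readable DIR: the thread leaves permissions of user-provided
# certificates to the user; fail fast with a clear message instead of letting
# chasquid fail later on an unreadable key.
check_readable() {
    rc=0
    for f in "$1/fullchain.pem" "$1/privkey.pem"; do
        if ! readable_by_daemon "$f"; then
            echo "error: $f is missing or not readable by $CHASQUID_USER" >&2
            rc=1
        fi
    done
    return $rc
}

# grant_acl DIR: the post-fix behaviour. Certificates we renewed get an ACL
# for the daemon user; mounted ones are left untouched and only checked.
grant_acl() {
    if renewed_certs "$1"; then
        setfacl -R -m "u:${CHASQUID_USER}:rX" "$1"
        rm -f "$1/.renewed"
    else
        check_readable "$1"
    fi
}

# Stand-alone use: run grant_acl on the directory given as the first argument.
if [ -n "${1:-}" ]; then
    grant_acl "$1"
fi
```

For certificates mounted from a Kubernetes secret, the usual way to satisfy the readability check without touching the image is to set the volume's `defaultMode` or the pod's `securityContext.fsGroup` so the daemon user can read the key, which is the "adjust the file mode of the mounted files" approach the reporter describes above.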