docker: setfacl step fails when using user-provided certificates #29

Closed
aellwein opened this issue Aug 21, 2022 · 4 comments

@aellwein

I want to use chasquid in my cloud environment (k8s) and had a look at the bundled Dockerfile; however, there is an issue: entrypoint.sh assumes that certificates are located inside the Docker container, or created on its filesystem.

However, that's not applicable in my use case: I want the certificates to be managed/renewed by cert-manager and I just want to mount them into chasquid's container, but in this case the setfacl logic is not working.

@albertito Can you suggest something here? Should I use my own version of Dockerfile / entrypoint.sh?

@albertito albertito self-assigned this Aug 21, 2022
@albertito albertito added the bug label Aug 21, 2022
@albertito
Owner

Thanks for reporting this!

That's definitely a use case the default Dockerfile should support, so it's a bug.

There's already a bit of logic for this above, based on the $AUTO_CERTS variable. Maybe we should only do setfacl if we've done certbot renew.

The other concern I have is permissions for your externally-provided certificates, but I think at that point, since they're external, you can probably manage that without needing to adjust the Dockerfile?

What do you think?

@aellwein
Author

aellwein commented Aug 22, 2022

> The other concern I have is permissions for your externally-provided certificates, but I think at that point, since they're external, you can probably manage that without needing to adjust the Dockerfile?
>
> What do you think?

Sounds good to me. I can adjust the file mode of the files mounted to the pod. The only thing I probably need to take care of is an unattended restart of chasquid upon certificate renewal. I think I can manage this by writing a small k8s operator which watches certificate resources. I already did something like this in my cert-backup-operator, so it should be no big deal here.

albertito added a commit that referenced this issue Aug 23, 2022
Today, we do setfacl unconditionally; this can be a problem for
user-provided certificates because they may be located somewhere else.

This patch fixes the problem by only doing setfacl after renewing the
certificates.

Externally provided certificates will be untouched, and the user is
responsible for ensuring that chasquid can read them.

Thanks to Alex Ellwein (aellwein@github) for reporting this in
#29!
@albertito
Owner

Great! I've submitted 567ad35 to next, moving the setfacl inside the conditional that renews the certificate.

Docker images are automatically built by the CI pipeline and uploaded to the gitlab registry and dockerhub, so you should be able to give them a try by using the next image tag.

Please let me know how it goes! Thank you!
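The ordering the fix describes, as an added illustration that is not chasquid's own entrypoint.sh: the ACL is granted only on the directory this container renewed itself, and user-provided certificates are never touched. The variable names, the certificate path and the ACL specification are assumptions.

```shell
#!/bin/sh
# Illustrative entrypoint fragment (added example, not the project's code).
set -e

CERT_DIR="${CERT_DIR:-/etc/letsencrypt}"     # where certbot keeps its certs (assumed)
CHASQUID_USER="${CHASQUID_USER:-chasquid}"   # unprivileged user that must read them (assumed)

# grant_cert_access DIR: let $CHASQUID_USER traverse DIR and read the files in it.
# The default ("d:") entry makes files written by a later renewal inherit the rule.
grant_cert_access() {
    setfacl -R -m "u:${CHASQUID_USER}:rX" -m "d:u:${CHASQUID_USER}:rX" "$1"
}

# prepare_certificates: prints "renewed" or "external".
# Before the fix, setfacl ran unconditionally and therefore also hit certificates
# mounted in from outside (e.g. a cert-manager Secret), where the path is not the
# one the image expects and the step fails. Now the ACL is only adjusted right
# after this container has renewed its own certificates ($AUTO_CERTS set).
prepare_certificates() {
    if [ -n "${AUTO_CERTS:-}" ]; then
        certbot renew
        grant_cert_access "$CERT_DIR"
        echo renewed
    else
        # User-provided certificates are left alone; the user is responsible
        # for making them readable by $CHASQUID_USER (file mode on the volume).
        echo external
    fi
}

# Guarded so that sourcing this file for its functions has no side effects.
if [ "${RUN_ENTRYPOINT_DEMO:-0}" = 1 ]; then
    prepare_certificates
fi
```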

@albertito albertito changed the title Question about chasquid's Dockerfile docker: setfacl step fails when using user-provided certificates Aug 27, 2022
@albertito
Owner

The fix was included in chasquid 1.10 (2022-09-02).
