osixia/cfssl-multirootca

Latest release: 0.3.1 - cfssl multirootca 1.4.1 - Changelog | Docker Hub 

A docker image to run cfssl multirootca tool.

https://github.com/cloudflare/cfssl

• osixia/cfssl-multirootca
  • Beginner Guide
    • Use your own config
    • HTTPS
      • Use autogenerated certificate
      • Use your own certificate
    • Fix docker mounted file problems
    • Debug
  • Environment Variables
    • Set your own environment variables
      • Use command line argument
      • Link environment file
      • Make your own image or extend this image
  • Advanced User Guide
    • Extend osixia/cfssl-multirootca:0.3.1 image
    • Make your own cfssl-multirootca image
    • Tests
    • Under the hood: osixia/light-baseimage
  • Changelog

Beginner Guide

Use your own config

This image comes with a roots config file that can be easily customized via environment variables for a quick bootstrap, but setting your own roots.conf is possible. 2 options:

• Link your config file at run time to /container/service/multirootca/assets/roots.conf and the corresponding needed files to /container/service/multirootca/assets/files:

  docker run --volume /data/my-roots.conf:/container/service/multirootca/assets/roots.conf --volume /data/files:/container/service/multirootca/assets/files --detach osixia/multirootca:0.2.0
  

• Add your config file by extending or cloning this image, please refer to the Advanced User Guide

HTTPS

By default HTTPS is disable.

Use autogenerated certificate

Add --env CFSSL_MUTLTIROOTCA_HTTPS=true to run command then a certificate is created with the container hostname (it can be set by docker run --hostname option eg: pki.my-company.com).

docker run --env CFSSL_MUTLTIROOTCA_HTTPS=true --hostname pki.my-company.com --detach osixia/cfssl-multirootca:0.3.1

Use your own certificate

You can set your custom certificate at run time, add --env CFSSL_MUTLTIROOTCA_HTTPS=true, mount a directory containing those files to /container/service/multirootca/assets/certs and adjust their name with the following environment variables:

	docker run --env CFSSL_MUTLTIROOTCA_HTTPS=true \
	--volume /path/to/certifates:/container/service/multirootca/assets/certs \
	--env CFSSL_MUTLTIROOTCA_HTTPS_CRT_FILENAME=my.crt \
	--env CFSSL_MUTLTIROOTCA_HTTPS_KEY_FILENAME=my.key \
	--detach osixia/cfssl-multirootca:0.3.1

Other solutions are available please refer to the Advanced User Guide

Fix docker mounted file problems

You may have some problems with mounted files on some systems. The startup script try to make some file adjustment and fix files owner and permissions, this can result in multiple errors. See Docker documentation.

To fix that run the container with --copy-service argument :

	docker run [your options] osixia/cfssl-multirootca:0.3.1 --copy-service

Debug

The container default log level is info. Available levels are: none, error, warning, info, debug and trace.

Example command to run the container in debug mode:

docker run --detach osixia/cfssl-multirootca:0.3.1 --loglevel debug

See all command line options:

docker run osixia/cfssl-multirootca:0.3.1 --help

Environment Variables

Environment variables defaults are set in image/environment/default.yaml

See how to set your own environment variables

• CFSSL_MULTIROOTCA_ROOTS: Set multirootca config. Defaults to :

  - primary:
    - private: file://testdata/server.key
    - certificate: testdata/server.crt
    - config: testdata/config.json
    - nets: 10.0.2.1/24,172.16.3.1/24, 192.168.3.15/32
  - backup:
    - private: file://testdata/server.key
    - certificate: testdata/server.crt
    - config: testdata/config.json

  This will be converted in the roots.conf file to :

  [ primary ]
  private = file://testdata/server.key
  certificate = testdata/server.crt
  config = testdata/config.json
  nets = 10.0.2.1/24,172.16.3.1/24, 192.168.3.15/32
  [ backup ]
  private = file://testdata/server.key
  certificate = testdata/server.crt
  config = testdata/config.json
  

  All config are possible just add the needed entries.

  If you want to set this variable at docker run command add the tag #PYTHON2BASH: and convert the yaml in python:

    docker run --env CFSSL_MULTIROOTCA_ROOTS="#PYTHON2BASH:[{'primary':[{'private':'file://testdata/server.key'},{'certificate':'testdata/server.crt'},{'config': 'testdata/config.json'},{'nets': '10.0.2.1/24,172.16.3.1/24, 192.168.3.15/32'}]},{'backup': [{'private': 'file://testdata/server.key'},{'certificate': 'testdata/server.crt'},{'config':'testdata/config.json'}]" --detach osixia/cfssl-multirootca:0.3.1
  

  To convert yaml to python online: http://yaml-online-parser.appspot.com/

• CFSSL_MULTIROOTCA_CMD_ARGS: multirootca command arguments default. Defaults to -l primary -loglevel 1

HTTPS :

• CFSSL_MUTLTIROOTCA_HTTPS: Use https. Defaults to false
• CFSSL_MUTLTIROOTCA_HTTPS_CRT_FILENAME: SSL certificate filename. Defaults to cfssl-mutlirootca.crt
• CFSSL_MUTLTIROOTCA_HTTPS_KEY_FILENAME: SSL certificate private key filename. Defaults to cfssl-mutlirootca.key

Other configuration:

• CFSSL_MULTIROOTCA_SSL_HELPER_PREFIX: ssl-helper environment variables prefix. Defaults to multirootca, ssl-helper first search config from MUTLTIROOTCA_SSL_HELPER_* variables, before SSL_HELPER_* variables.

Set your own environment variables

Use command line argument

Environment variables can be set by adding the --env argument in the command line, for example:

docker run --env CFSSL_MUTLTIROOTCA_HTTPS="true" \
--detach osixia/cfssl-multirootca:0.3.1

Link environment file

For example if your environment file is in : /data/environment/my-env.yaml

docker run --volume /data/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
--detach osixia/cfssl-multirootca:0.3.1

Take care to link your environment file to /container/environment/XX-somedir (with XX < 99 so they will be processed before default environment files) and not directly to /container/environment because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).

Make your own image or extend this image

This is the best solution if you have a private registry. Please refer to the Advanced User Guide just below.

Advanced User Guide

Extend osixia/cfssl-multirootca:0.3.1 image

If you need to add your custom TLS certificate, bootstrap config or environment files the easiest way is to extends this image.

Dockerfile example:

FROM osixia/cfssl-multirootca:0.3.1
MAINTAINER Your Name <your@name.com>

ADD https-certs /container/service/multiroot/assets/certs
ADD ca-files /container/service/multiroot/assets/files
ADD environment /container/environment/01-custom

Make your own cfssl-multirootca image

Clone this project :

git clone https://github.com/osixia/docker-cfssl-multirootca
cd docker-cfssl-multirootca

Adapt Makefile, set your image NAME and VERSION, for example :

NAME = osixia/cfssl-multirootca
VERSION = 0.2.0

becomes :
NAME = billy-the-king/cfssl-multirootca
VERSION = 0.1.0

Add your custom certificate and environment files...

Build your image :

make build

Run your image :

docker run -d billy-the-king/cfssl-multirootca:0.3.1

Tests

We use Bats (Bash Automated Testing System) to test this image:

https://github.com/bats-core/bats-core

Install Bats, and in this project directory run :

make test

Under the hood: osixia/light-baseimage

This image is based on osixia/web-baseimage. More info: https://github.com/osixia/docker-light-baseimage

Changelog

Please refer to: CHANGELOG.md