Merge pull request #825 from strukturag/additional-ca-certificates
docker: Support adding CA certificates to system trust store.
fancycode authored Oct 9, 2024
2 parents 7b0c1af + 8795e8b commit bac83ab
Showing 5 changed files with 18 additions and 10 deletions.
2 changes: 2 additions & 0 deletions docker/README.md
Expand Up @@ -68,6 +68,7 @@ The running container can be configured through different environment variables:
- `GRPC_ETCD`: Set to `1` if etcd should be used to configure GRPC peers.
- `GRPC_TARGET_PREFIX`: Key prefix of GRPC target entries.
- `SKIP_VERIFY`: Set to `true` to skip certificate validation of backends and proxy servers. This should only be enabled during development, e.g. to work with self-signed certificates.
- `CA_CERTIFICATES_FOLDER`: Folder containing certificates that should be added to the system wide CA trust store during startup. Mount a folder from the host as volume in the container and specify the volume.

Example with two backends:
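
Review bot: The new `CA_CERTIFICATES_FOLDER` entry sits directly below `SKIP_VERIFY`, whose text still presents skipping validation as the way to work with self-signed certificates. Suggest adding a cross-reference on the `SKIP_VERIFY` line saying that mounting the signing CA through `CA_CERTIFICATES_FOLDER` keeps certificate validation enabled, so readers do not reach for the insecure switch first.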

Expand Down Expand Up @@ -120,6 +121,7 @@ The running container can be configured through different environment variables:
- `TOKEN_KEY_FORMAT`: Format of key name to retrieve the public key from, "%s" will be replaced with the token id.
- `TOKENS`: Space-separated list of token ids.
- `TOKEN_<ID>_KEY`: Filename of public key for token `ID` (where `ID` is the uppercase token id).
- `CA_CERTIFICATES_FOLDER`: Folder containing certificates that should be added to the system wide CA trust store during startup. Mount a folder from the host as volume in the container and specify the volume.

Example with two tokens:
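
Review bot: In the added `CA_CERTIFICATES_FOLDER` line, "specify the volume" does not say what value the variable takes. Suggest wording it as the path inside the container where the folder is mounted, and stating that every file in that folder is copied into the trust store (the entrypoint runs `cp "$CA_CERTIFICATES_FOLDER"/*`), so the host folder should contain only CA certificates and is best mounted read-only.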

5 changes: 1 addition & 4 deletions docker/proxy/Dockerfile
Expand Up @@ -13,17 +13,14 @@ FROM alpine:3

ENV CONFIG=/config/proxy.conf
RUN adduser -D spreedbackend && \
apk add --no-cache bash tzdata ca-certificates
apk add --no-cache bash tzdata ca-certificates su-exec

COPY --from=builder /workdir/bin/proxy /usr/bin/nextcloud-spreed-signaling-proxy
COPY ./proxy.conf.in /config/proxy.conf.in
COPY ./docker/proxy/entrypoint.sh /
COPY ./docker/proxy/stop.sh /
COPY ./docker/proxy/wait.sh /
RUN chown spreedbackend /config
RUN /usr/bin/nextcloud-spreed-signaling-proxy -version

USER spreedbackend

STOPSIGNAL SIGUSR1
ENTRYPOINT [ "/entrypoint.sh" ]
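
Review bot: The image now has to start as root, because the `su-exec` added on the `apk add` line can only switch to `spreedbackend` when the entrypoint itself runs as root, and nothing in this change documents that. Deployments that force a non-root user at runtime (for example `docker run --user` or a `runAsNonRoot` policy) need a supported path: consider calling `su-exec` only when the entrypoint is running as root and executing the binary directly otherwise, and note the new requirement in docker/README.md.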
8 changes: 7 additions & 1 deletion docker/proxy/entrypoint.sh
Expand Up @@ -131,5 +131,11 @@ if [ ! -f "$CONFIG" ]; then
fi
fi

if [ -n "$CA_CERTIFICATES_FOLDER" ]; then
echo "Adding files from $CA_CERTIFICATES_FOLDER to the CA store ..."
cp "$CA_CERTIFICATES_FOLDER"/* /usr/local/share/ca-certificates/
update-ca-certificates
fi

echo "Starting signaling proxy with $CONFIG ..."
exec /usr/bin/nextcloud-spreed-signaling-proxy -config "$CONFIG"
exec su-exec spreedbackend /usr/bin/nextcloud-spreed-signaling-proxy -config "$CONFIG"
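
Review bot: The `cp "$CA_CERTIFICATES_FOLDER"/* /usr/local/share/ca-certificates/` line has no check that the folder exists or contains files, and no handling of a failed `cp` or `update-ca-certificates`. With a missing mount or an empty folder the glob stays literal and `cp` fails; unless the script enables `set -e` outside the visible lines, the proxy then starts without the extra CAs and the problem only surfaces later as TLS errors. Suggest testing `[ -d "$CA_CERTIFICATES_FOLDER" ]` first and exiting with a clear message if either command fails.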
5 changes: 1 addition & 4 deletions docker/server/Dockerfile
Expand Up @@ -13,17 +13,14 @@ FROM alpine:3

ENV CONFIG=/config/server.conf
RUN adduser -D spreedbackend && \
apk add --no-cache bash tzdata ca-certificates
apk add --no-cache bash tzdata ca-certificates su-exec

COPY --from=builder /workdir/bin/signaling /usr/bin/nextcloud-spreed-signaling
COPY ./server.conf.in /config/server.conf.in
COPY ./docker/server/entrypoint.sh /
COPY ./docker/server/stop.sh /
COPY ./docker/server/wait.sh /
RUN chown spreedbackend /config
RUN /usr/bin/nextcloud-spreed-signaling -version

USER spreedbackend

STOPSIGNAL SIGUSR1
ENTRYPOINT [ "/entrypoint.sh" ]
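
Review bot: Once the image no longer relies on `USER spreedbackend`, the privilege drop for the server rests entirely on the final `exec su-exec spreedbackend ...` line of `entrypoint.sh`, and the Dockerfile does not say so. Add a comment next to `ENTRYPOINT` explaining this, since anyone who overrides the entrypoint or uses `docker exec` gets root. Also confirm that `$CONFIG` (`/config/server.conf`), which the entrypoint creates when it does not exist and now does so as root, stays readable by `spreedbackend`.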
8 changes: 7 additions & 1 deletion docker/server/entrypoint.sh
Expand Up @@ -269,5 +269,11 @@ if [ ! -f "$CONFIG" ]; then
fi
fi

if [ -n "$CA_CERTIFICATES_FOLDER" ]; then
echo "Adding files from $CA_CERTIFICATES_FOLDER to the CA store ..."
cp "$CA_CERTIFICATES_FOLDER"/* /usr/local/share/ca-certificates/
update-ca-certificates
fi

echo "Starting signaling server with $CONFIG ..."
exec /usr/bin/nextcloud-spreed-signaling -config "$CONFIG"
exec su-exec spreedbackend /usr/bin/nextcloud-spreed-signaling -config "$CONFIG"
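
Review bot: The `echo` before `cp` names only the folder, so the container log does not record which files became trust anchors. Anything placed in the mounted folder ends up trusted system-wide, so log the copied file names (or keep the output of `update-ca-certificates`) to make trust store changes auditable. This block is also identical to the one in docker/proxy/entrypoint.sh; a shared helper script would keep the two from drifting apart.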
