diff --git a/README.md b/README.md
index 6303ff0fc..3723cb259 100644
--- a/README.md
+++ b/README.md
@@ -136,6 +136,9 @@ See our installation docs [here](https://smallstep.com/docs/step-ca/installation
 [on smallstep.com](https://smallstep.com/docs/step-cli/reference/), or by running `step help --http=:8080` from the command line and visiting http://localhost:8080.
+* [Examples](https://github.com/smallstep/certificates/tree/master/examples) including
+[Podman](https://github.com/smallstep/certificates/tree/master/examples/podman) &
+[Docker](https://github.com/smallstep/certificates/tree/master/examples/docker)
 ## Feedback?
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 33a14b4d3..8eb4c1c46 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -32,6 +32,13 @@ function generate_password () {
 set -o pipefail
 }
+function set_password_files () {
+ local FILE_PATH=$1
+
+ ln -sf "${FILE_PATH}" "${STEPPATH}/password"
+ ln -sf "${FILE_PATH}" "${STEPPATH}/provisioner_password"
+}
+
 # Initialize a CA if not already initialized
 function step_ca_init () {
 DOCKER_STEPCA_INIT_PROVISIONER_NAME="${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
@@ -46,9 +53,8 @@ function step_ca_init () {
 --provisioner-password-file "${STEPPATH}/provisioner_password"
 --address "${DOCKER_STEPCA_INIT_ADDRESS}"
 )
- if [ -n "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ]; then
- cat < "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" > "${STEPPATH}/password"
- cat < "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" > "${STEPPATH}/provisioner_password"
+ if [ -f "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ]; then
+ set_password_files "${DOCKER_STEPCA_INIT_PASSWORD_FILE}"
 elif [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
 echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
 echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/provisioner_password"
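Review bot: `set_password_files` hands `FILE_PATH` straight to `ln -sf`, so a relative path that satisfies the callers' `[ -f ... ]` test (evaluated against the working directory) yields a link in `${STEPPATH}` that resolves relative to `${STEPPATH}` instead — a dangling symlink and a CA that cannot read its own password. Rejecting non-absolute input at the top of the function closes that gap without any new dependency: `case "${FILE_PATH}" in /*) ;; *) echo "password file path must be absolute: ${FILE_PATH}" >&2; return 1;; esac`. Unlike the `cat` copy this replaces, a symlink also means the password is no longer persisted into the `${STEPPATH}` volume and vanishes if the container is later started without the secret mounted, which deserves a header comment such as `# Link ${STEPPATH}/password and provisioner_password to $1 (symlink, not copy: the secret stays only at its mount path)`.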
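Review bot: Changing the test from `-n` to `-f` makes a misconfigured `DOCKER_STEPCA_INIT_PASSWORD_FILE` silent: a mistyped or unmounted secret path no longer produces an error (the old `cat <` redirection at least emitted one) but falls through to `DOCKER_STEPCA_INIT_PASSWORD` or to whatever the remaining branch below the hunk does, so the CA key is initialised under a password the operator did not supply and may never see. A set-but-unusable path should abort before the `if`: `if [ -n "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ] && [ ! -r "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ]; then echo "DOCKER_STEPCA_INIT_PASSWORD_FILE is set but not readable" >&2; exit 1; fi`, where `-r` also catches a present-but-unreadable file, which matters with the `uid`/`gid`/`mode=400` the example secrets mount with. The `step_ca_init` body continues outside the hunk, and its other password branches are not covered by this change.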
@@ -86,4 +92,8 @@ if [ ! -f "${STEPPATH}/config/ca.json" ]; then
 init_if_possible
 fi
+if [ -f "${DOCKER_STEPCA_PASSWORD_FILE}" ]; then
+ set_password_files "${DOCKER_STEPCA_PASSWORD_FILE}"
+fi
+
 exec "${@}"
diff --git a/examples/podman/stepca.container.md b/examples/podman/stepca.container.md
new file mode 100644
index 000000000..19d5362bb
--- /dev/null
+++ b/examples/podman/stepca.container.md
@@ -0,0 +1,50 @@
+## Example [Podman Quadlet container](https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#container-units-container) file
+* `~/.config/containers/systemd/stepca.container` (rootless)
+* `/etc/containers/systemd/stepca.container` (rootful)
+```
+[Unit]
+Description=Smallstep Certificate Authority
+After=network-online.target
+
+[Container]
+PodmanArgs=--memory 50m --cpus 0.25
+PidsLimit=100
+DropCapability=ALL
+NoNewPrivileges=true
+AutoUpdate=registry
+ContainerName=stepca
+Environment=TZ="UTC"
+Environment="DOCKER_STEPCA_INIT_NAME=Example CA"
+Environment=DOCKER_STEPCA_INIT_DNS_NAMES=ca.custom.domain,10.89.0.10,localhost,127.0.0.1
+Environment=DOCKER_STEPCA_INIT_PROVISIONER_NAME=admin@custom.domain
+Environment=DOCKER_STEPCA_INIT_SSH=true
+Environment=DOCKER_STEPCA_INIT_ACME=true
+Environment=DOCKER_STEPCA_INIT_PASSWORD_FILE=/run/secrets/stepca
+HostName=stepca
+Image=docker.io/smallstep/step-ca
+PublishPort=10.89.0.10:9000:9000/tcp
+PublishPort=127.0.0.1:9000:9000/tcp
+Secret=source=stepca,type=mount,uid=1000,gid=1000,mode=400
+Volume=/path/to/volumes/stepca/config:/home/step:Z
+DNS=10.89.0.1
+DNSOption=~custom.domain
+ReloadSignal=SIGHUP
+# Use systemd restart policy
+HealthOnFailure=kill
+HealthStartPeriod=90s
+HealthStartupCmd=sleep 5
+HealthCmd=step ca health
+HealthInterval=30m
+HealthRetries=3
+HealthTimeout=20s
+
+[Service]
+Restart=always
+# Extend Timeout for image pulls
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target
+```
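Review bot: This block re-links `${STEPPATH}/password` and `provisioner_password` on every start, after `init_if_possible`, but `step_ca_init` only consults `DOCKER_STEPCA_INIT_PASSWORD_FILE`; a deployment that sets only `DOCKER_STEPCA_PASSWORD_FILE` — which is exactly what `examples/podman/stepca.run.md` in this commit does, while `stepca.container.md` uses the `_INIT_` name — therefore initialises the CA with whatever the remaining branch of `step_ca_init` (outside these hunks) provides and then swaps the password files to the mounted secret, and if the key was encrypted under the first password the CA will not start. Feeding the runtime file into init when no init-specific one is given, `DOCKER_STEPCA_INIT_PASSWORD_FILE="${DOCKER_STEPCA_INIT_PASSWORD_FILE:-${DOCKER_STEPCA_PASSWORD_FILE}}"` placed before `init_if_possible`, keeps the two paths consistent. As in the init hunk, `-f` silently skips a path that is set but missing or unreadable; `[ -n "${DOCKER_STEPCA_PASSWORD_FILE}" ] && [ ! -r "${DOCKER_STEPCA_PASSWORD_FILE}" ]` should abort with a message to stderr instead. A comment such as `# Runtime secret: re-link the password files on every start so a rotated or re-mounted secret is picked up` would state the intent of running this unconditionally.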
diff --git a/examples/podman/stepca.run.md b/examples/podman/stepca.run.md
new file mode 100644
index 000000000..25279c7cf
--- /dev/null
+++ b/examples/podman/stepca.run.md
@@ -0,0 +1,47 @@
+## Example creation of a Podman container & secret
+* Using a [cryptographically strong secret from `openssl` with an `8192` character `hex` string](https://docs.podman.io/en/latest/markdown/podman-secret-create.1.html#examples)
+see also:
+
+- [Create a "quadlet"](https://github.com/containers/podlet)
+- [examples/podman/stepca.container.md](https://github.com/smallstep/certificates/tree/master/examples/podman/stepca.container.md)
+
+```
+iface=wt0 # running over Netbird VPN
+ctr=stepca
+ip=$(ip -f inet addr show $iface | sed -En -e 's/.*inet ([0-9.]+).*/\1/p')
+repo=docker.io/smallstep/step-ca
+# TPM supported image
+# repo=docker.io/smallstep/step-ca:hsm
+ca="My CA"
+email="admin@custom.domain"
+dns="ca.custom.domain,$ip,localhost,127.0.0.1"
+volume="${HOME}/volumes/$ctr/config}"
+
+###############
+# auto config #
+###############
+
+bytes=8192
+mkdir -p $volume
+openssl rand -hex $bytes | podman secret create --replace $ctr -
+
+podman run -d --replace \
+ --name $ctr \
+ --hostname $ctr \
+ --secret source=$ctr,type=mount,uid=1000,gid=1000,mode=400 \
+ --env "DOCKER_STEPCA_INIT_NAME=$ca" \
+ --env "DOCKER_STEPCA_INIT_DNS_NAMES=$dns" \
+ --env "DOCKER_STEPCA_INIT_PROVISIONER_NAME=$email" \
+ --env "DOCKER_STEPCA_INIT_SSH=true" \
+ --env "DOCKER_STEPCA_INIT_ACME=true" \
+ --env "DOCKER_STEPCA_PASSWORD_FILE=/run/secrets/$ctr" \
+ --cap-drop ALL \
+ --restart always \
+ --label "io.containers.autoupdate=registry" \
+ -v $volume:/home/step:Z \
+$repo
+```
+
+* Running the container with `--privileged` should only be needed to [configure a TPM](https://smallstep.com/blog/trusted-platform-modules-tpms/).