From c98460b3ee8dc3fb8268d0b80d19017842f73e21 Mon Sep 17 00:00:00 2001
From: anhefti
Date: Fri, 6 Sep 2019 11:33:53 +0200
Subject: [PATCH] prod without passwords in ENV's
---
 .../standalone/selfsigned/certs.Dockerfile | 19 ++++++++++---------
 .../standalone/selfsigned/config/.gitignore | 2 ++
 .../standalone/selfsigned/docker-compose.yml | 9 +++------
 .../selfsigned/sebserver.Dockerfile | 13 ++++++-------
 4 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/docker/prod/standalone/selfsigned/certs.Dockerfile b/docker/prod/standalone/selfsigned/certs.Dockerfile
index 35c0e0df..ab88253c 100644
--- a/docker/prod/standalone/selfsigned/certs.Dockerfile
+++ b/docker/prod/standalone/selfsigned/certs.Dockerfile
@@ -7,12 +7,13 @@ ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
 ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=localhost"
 ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=localhost"
 ENV ADDITIONAL_DNS="dns:localhost,dns:127.0.0.1,dns:seb-server"
-ENV KEYSTORE_PWD=
 VOLUME /certs
 WORKDIR /certs
-CMD openssl genrsa -out ca-key.pem 2048 \
+CMD secret=$(cat /config/secret) \
+ && echo ${secret} \
+ && openssl genrsa -out ca-key.pem 2048 \
 && openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
 && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \
 && openssl rsa -in server-key.pem -out server-key.pem \
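Review bot: `&& echo ${secret}` on the new CMD line prints the keystore password to the container's stdout, so it ends up in `docker logs` and in any log collector attached to the host, which undoes the point of moving it out of ENV; drop that line (the same echo is in the new CMD of sebserver.Dockerfile). `secret=$(cat /config/secret)` stops the `&&` chain if the file is unreadable, but an empty file passes through and every later `-storepass` then runs with an empty password; a guard such as `secret=$(cat /config/secret) && [ -n "$secret" ] \` fails the build step with a non-zero exit before any key material is written. The CMD continues into the next hunk.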
@@ -21,10 +22,10 @@ CMD openssl genrsa -out ca-key.pem 2048 \
 && openssl rsa -in client-key.pem -out client-key.pem \
 && openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
 && openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
- && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
- && keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zurich, S=Zurich, C=CH" -ext san="${ADDITIONAL_DNS}" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -validity 3650 \
- && keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
- && keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
- && keytool -import -alias mariadb-ca -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
- && keytool -import -alias mariadb-client -file client-cert.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
- && keytool -import -alias mariadb-server -file server-cert.pem -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
\ No newline at end of file
+ && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:${secret} \
+ && keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zurich, S=Zurich, C=CH" -ext san="${ADDITIONAL_DNS}" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass ${secret} -validity 3650 \
+ && keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass ${secret} -noprompt \
+ && keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass ${secret} -noprompt \
+ && keytool -import -alias mariadb-ca -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass ${secret} -srcstoretype PKCS12 -noprompt \
+ && keytool -import -alias mariadb-client -file client-cert.pem -keystore seb-server-truststore.pkcs12 -storepass ${secret} -srcstoretype PKCS12 -noprompt \
+ && keytool -import -alias mariadb-server -file server-cert.pem -keystore seb-server-keystore.pkcs12 -storepass ${secret} -srcstoretype PKCS12 -noprompt \
\ No newline at end of file
diff --git a/docker/prod/standalone/selfsigned/config/.gitignore b/docker/prod/standalone/selfsigned/config/.gitignore
index 956d4725..6d7210d8 100644
--- a/docker/prod/standalone/selfsigned/config/.gitignore
+++ b/docker/prod/standalone/selfsigned/config/.gitignore
@@ -1 +1,3 @@
 /secrets
+/secret
+/.secret
diff --git a/docker/prod/standalone/selfsigned/docker-compose.yml b/docker/prod/standalone/selfsigned/docker-compose.yml
index 13d75edc..a426c5d1 100644
--- a/docker/prod/standalone/selfsigned/docker-compose.yml
+++ b/docker/prod/standalone/selfsigned/docker-compose.yml
@@ -7,8 +7,7 @@ services: container_name: gencerts volumes: - ./certs:/certs - env_file: - - ./config/secrets + - ./config:/config mariadb: image: "mariadb/server:10.3"
@@ -17,8 +16,8 @@ services: - ./config:/etc/mysql/conf.d - ./certs:/etc/mysql/certs - seb-server-mariadb-data:/var/lib/mysql - env_file: - - ./config/secrets + environment: - MYSQL_ROOT_PASSWORD_FILE=/etc/mysql/conf.d/secret ports: - 3306:3306 networks:
@@ -38,8 +37,6 @@ services: volumes: - ./config:/sebserver/config - ./certs:/certs - env_file: - - ./config/secrets environment: - ADDITIONAL_DNS=dns:127.0.0.1,dns:seb-server ports:
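Review bot: The added lines drop the quotes the removed lines had — `-passout pass:${secret}` and every `-storepass ${secret}` are now unquoted — so a secret containing whitespace or glob characters is split by `/bin/sh` into several arguments, and an empty secret leaves keytool with `-storepass -validity 3650`, where it most likely takes the next option as the password. Write `-storepass "${secret}"` and `-passout pass:"${secret}"` throughout, which is also the form the new lines in sebserver.Dockerfile use. Passing the password as a command-line argument leaves it readable in the container's process list while each openssl/keytool command runs; that was already true of the removed lines, but now that the file is in hand, `-passout file:/config/secret` and keytool's `-storepass:file /config/secret` would avoid it without changing anything else. This CMD starts in the previous hunk.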
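Review bot: `- ./config:/config` in the gencerts service mounts the whole host config directory read-write, though the generator's CMD reads only one file; a narrower read-only mount, `- ./config/secret:/config/secret:ro`, keeps a misbehaving or compromised cert step from reading or rewriting the rest of the configuration. `MYSQL_ROOT_PASSWORD_FILE=/etc/mysql/conf.d/secret` in the mariadb service relies on the image entrypoint honouring the `_FILE` variant; that is worth confirming for `mariadb/server:10.3`, because an ignored variable would bring MariaDB up with no root password set rather than fail loudly. With gencerts, mariadb and sebserver all reading the same file, its host-side permissions are now the only control on the password, so the README or a comment next to these mounts should say the file must be owner-readable only.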
diff --git a/docker/prod/standalone/selfsigned/sebserver.Dockerfile b/docker/prod/standalone/selfsigned/sebserver.Dockerfile
index 0b396f01..42528c9e 100644
--- a/docker/prod/standalone/selfsigned/sebserver.Dockerfile
+++ b/docker/prod/standalone/selfsigned/sebserver.Dockerfile
@@ -21,14 +21,13 @@ FROM openjdk:11-jre-stretch
 ARG SEBSERVER_VERSION
 ENV SEBSERVER_VERSION=${SEBSERVER_VERSION}
-ENV KEYSTORE_PWD=
-ENV MYSQL_ROOT_PASSWORD=
-ENV SEBSERVER_PWD=
 WORKDIR /sebserver
 COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver
-ENTRYPOINT exec java \
+CMD secret=$(cat /sebserver/config/secret) \
+ && echo ${secret} \
+ && exec java \
 -Xms64M \
 -Xmx1G \
 # Set this for SSL debunging
@@ -42,8 +41,8 @@ ENTRYPOINT exec java \
 -jar seb-server-"${SEBSERVER_VERSION}".jar \
 --spring.profiles.active=prod \
 --spring.config.location=file:/sebserver/config/,classpath:/config/ \
- --sebserver.certs.password="${KEYSTORE_PWD}" \
- --sebserver.mariadb.password="${MYSQL_ROOT_PASSWORD}" \
- --sebserver.password="${SEBSERVER_PWD}"
+ --sebserver.certs.password="${secret}" \
+ --sebserver.mariadb.password="${secret}" \
+ --sebserver.password="${secret}"
 EXPOSE 443 8080 9090
\ No newline at end of file
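Review bot: Turning `ENTRYPOINT exec java \` into `CMD secret=$(cat /sebserver/config/secret) \` changes how the container can be overridden: a shell-form ENTRYPOINT ignored any arguments given to `docker run` or a compose `command:`, so the server always started, whereas a CMD is replaced wholesale by such arguments, taking the secret lookup and every spring option with it. If that is not intended, keep the instruction as `ENTRYPOINT secret=$(cat /sebserver/config/secret) \` and the rest of the hunk unchanged; `exec` still makes java PID 1 in either form. Independently, `&& echo ${secret}` writes the password into the container log on every start and should be removed, as noted for certs.Dockerfile. The instruction continues in the next hunk.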
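Review bot: The three new lines feed one value into `--sebserver.certs.password`, `--sebserver.mariadb.password` and `--sebserver.password`, and the compose change points `MYSQL_ROOT_PASSWORD_FILE` at the same file, so the keystore password, the MariaDB root password and the application password have collapsed into a single secret: obtaining any one of them yields all three, and rotating one means rotating everything at once. If that is a deliberate simplification for the self-signed setup, a comment above the CMD saying so would stop the next reader from treating it as a mistake; otherwise read one file per purpose, e.g. `--sebserver.mariadb.password="$(cat /sebserver/config/<mariadb-secret-file>)"`. These values also travel as java command-line arguments, visible in the container's process list for the lifetime of the process (true of the removed lines too); since `--spring.config.location` already reads `/sebserver/config/`, a later step could supply them from a properties file there instead. This hunk completes the CMD that starts in the previous hunk.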