Generate and use independent provisioner and private key passwords

This commit is contained in:
Carl Tashian 2023-01-09 16:36:00 -08:00
parent ac4d5e63ab
commit 844cfd3bad
No known key found for this signature in database
2 changed files with 12 additions and 4 deletions


@ -7,7 +7,6 @@ RUN apk add --no-cache curl git make
RUN make V=1 download RUN make V=1 download
RUN make V=1 bin/step-ca bin/step-awskms-init bin/step-cloudkms-init RUN make V=1 bin/step-ca bin/step-awskms-init bin/step-cloudkms-init
FROM smallstep/step-cli:latest FROM smallstep/step-cli:latest
COPY --from=builder /src/bin/step-ca /usr/local/bin/step-ca COPY --from=builder /src/bin/step-ca /usr/local/bin/step-ca
@ -20,6 +19,7 @@ USER step
ENV CONFIGPATH="/home/step/config/ca.json" ENV CONFIGPATH="/home/step/config/ca.json"
ENV PWDPATH="/home/step/secrets/password" ENV PWDPATH="/home/step/secrets/password"
ENV PROVISIONER_PWDPATH="/home/step/secrets/provisioner_password"
VOLUME ["/home/step"] VOLUME ["/home/step"]
STOPSIGNAL SIGTERM STOPSIGNAL SIGTERM
@ -28,4 +28,4 @@ HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
COPY docker/entrypoint.sh /entrypoint.sh COPY docker/entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH CMD exec /usr/local/bin/step-ca --password-file $PWDPATH --provisioner-password-file $PROVISIONER_PWDPATH $CONFIGPATH
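Review bot: The new `--provisioner-password-file $PROVISIONER_PWDPATH` on the CMD line reads `/home/step/secrets/provisioner_password` (per the new `ENV PROVISIONER_PWDPATH=...` line), while the entrypoint changed in this same commit writes the supplied or generated provisioner password to `${STEPPATH}/provisioner_password`; if STEPPATH resolves to `/home/step` (which the context `CONFIGPATH="/home/step/config/ca.json"` next to the script's `${STEPPATH}/config/ca.json` check suggests), step-ca would be handed a path nothing creates unless code outside the hunks moves the file. Having entrypoint.sh write to `"${PROVISIONER_PWDPATH}"` directly, or documenting the hand-off between the two paths, would remove that ambiguity. The ENV line also deserves a why-comment, e.g. `# Password protecting the default provisioner's key; created by /entrypoint.sh when absent`, since it names a secret location operators need to mount or rotate. Note that CMD is shell form, so `$PWDPATH` and `$PROVISIONER_PWDPATH` are expanded unquoted by /bin/sh; the defaults contain no spaces, but quoting both (`"$PWDPATH"`, `"$PROVISIONER_PWDPATH"`) would make overridden values safe.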


@ -39,12 +39,12 @@ function step_ca_init () {
--dns "${DOCKER_STEPCA_INIT_DNS_NAMES}" --dns "${DOCKER_STEPCA_INIT_DNS_NAMES}"
--provisioner "${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}" --provisioner "${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
--password-file "${STEPPATH}/password" --password-file "${STEPPATH}/password"
--provisioner-password-file "${STEPPATH}/provisioner_password"
--address ":9000" --address ":9000"
) )
if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password" echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
else echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/provisioner_password"
generate_password > "${STEPPATH}/password"
fi fi
if [ -n "${DOCKER_STEPCA_INIT_SSH}" ]; then if [ -n "${DOCKER_STEPCA_INIT_SSH}" ]; then
setup_args=("${setup_args[@]}" --ssh) setup_args=("${setup_args[@]}" --ssh)
@ -67,4 +67,12 @@ if [ ! -f "${STEPPATH}/config/ca.json" ]; then
init_if_possible init_if_possible
fi fi
if [ ! -f "${STEPPATH}/password" ]; then
generate_password > "${STEPPATH}/password"
fi
if [ ! -f "${STEPPATH}/provisioner_password" ]; then
generate_password > "${STEPPATH}/provisioner_password"
fi
exec "${@}" exec "${@}"
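Review bot: In the first hunk, dropping the `else generate_password > "${STEPPATH}/password"` branch leaves `step ca init` (invoked later in step_ca_init, outside this hunk) with `--password-file "${STEPPATH}/password"` and `--provisioner-password-file "${STEPPATH}/provisioner_password"` pointing at files nothing visible creates when DOCKER_STEPCA_INIT_PASSWORD is empty; the new fallback block in the last hunk only runs after `init_if_possible` has returned, so a fresh CA init would fail unless something outside the hunks covers that case. Restoring the fallback inside the conditional, `else` / `generate_password > "${STEPPATH}/password"` / `generate_password > "${STEPPATH}/provisioner_password"`, keeps the previous behaviour for first boot while the trailing block still covers pre-existing volumes. When DOCKER_STEPCA_INIT_PASSWORD is set, the same value is echoed into both files, so the "independent" passwords of the commit title hold only for the generated case; a comment on that branch such as `# A user-supplied password is reused for the provisioner key; only generated passwords are independent` would make the intent explicit. The redirects create both files under the default umask, so it is worth confirming they land with mode 0600 (e.g. `umask 077` before the writes), since they are key-encryption secrets on a shared volume. step_ca_init begins before the first hunk and ends after it.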