From 8d523797718f61e96ecd521fbd8d840eb877ec27 Mon Sep 17 00:00:00 2001
From: Carl Tashian <carl@smallstep.com>
Date: Tue, 17 Aug 2021 17:17:28 -0700
Subject: [PATCH 1/4] New Dockerfile with entrypoint script for easy CA init

---
 docker/Dockerfile.step-ca |  3 +++
 docker/entrypoint.sh      | 52 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 docker/entrypoint.sh

diff --git a/docker/Dockerfile.step-ca b/docker/Dockerfile.step-ca
index 4a1908d6..9363b6ae 100644
--- a/docker/Dockerfile.step-ca
+++ b/docker/Dockerfile.step-ca
@@ -24,4 +24,7 @@ VOLUME ["/home/step"]
 STOPSIGNAL SIGTERM
 HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
 
+COPY docker/entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100644
index 00000000..f3e51705
--- /dev/null
+++ b/docker/entrypoint.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+set -eo pipefail
+
+# Paraphrased from:
+# https://github.com/influxdata/influxdata-docker/blob/0d341f18067c4652dfa8df7dcb24d69bf707363d/influxdb/2.0/entrypoint.sh
+# (a repo with no LICENSE.md)
+
+export STEPPATH=$(step path)
+
+# List of env vars required for step ca init
+declare -ra REQUIRED_INIT_VARS=(DOCKER_STEPCA_INIT_NAME DOCKER_STEPCA_INIT_DNS DOCKER_STEPCA_INIT_EMAIL DOCKER_STEPCA_INIT_PASSWORD)
+
+# optional:
+# DOCKER_STEPCA_INIT_SSH (boolean default false)
+
+# Ensure all env vars required to run step ca init are set.
+function init_if_possible () {
+    local missing_vars=0
+    for var in "${REQUIRED_INIT_VARS[@]}"; do
+        if [ -z "${!var}" ]; then
+            missing_vars=1
+        fi
+    done
+    if [ ${missing_vars} = 1 ]; then
+		>&2 echo "there is no ca.json config file; please run step ca init, or provide config parameters via DOCKER_STEPCA_INIT_ vars"
+    else
+        step_ca_init "${@}"
+    fi
+}
+
+# Initialize a CA if not already initialized
+function step_ca_init () {
+    echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
+    local -a setup_args=(
+        --name "${DOCKER_STEPCA_INIT_NAME}"
+		--dns "${DOCKER_STEPCA_INIT_DNS}"
+		--provisioner "${DOCKER_STEPCA_INIT_EMAIL}"
+		--password-file "${STEPPATH}/password"
+        --address ":9000"
+    )
+    if [ -n "${DOCKER_STEPCA_INIT_SSH}" ]; then
+        setup_args=("${setup_args[@]}" --ssh)
+    fi
+    step ca init "${setup_args[@]}"
+    mv $STEPPATH/password $PWDPATH
+}
+
+if [ ! -f "${STEPPATH}/config/ca.json" ]; then
+	init_if_possible
+fi
+
+exec "${@}"
\ No newline at end of file

From 7ab26c830365bb717fc2e7a41f9bd21f9c86d5c4 Mon Sep 17 00:00:00 2001
From: Carl Tashian <carl@smallstep.com>
Date: Wed, 18 Aug 2021 11:09:26 -0700
Subject: [PATCH 2/4] Auto-generate password by default

---
 docker/entrypoint.sh | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index f3e51705..583e2e97 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -8,10 +8,11 @@ set -eo pipefail
 export STEPPATH=$(step path)
 
 # List of env vars required for step ca init
-declare -ra REQUIRED_INIT_VARS=(DOCKER_STEPCA_INIT_NAME DOCKER_STEPCA_INIT_DNS DOCKER_STEPCA_INIT_EMAIL DOCKER_STEPCA_INIT_PASSWORD)
+declare -ra REQUIRED_INIT_VARS=(DOCKER_STEPCA_INIT_NAME DOCKER_STEPCA_INIT_DNS DOCKER_STEPCA_INIT_EMAIL)
 
 # optional:
-# DOCKER_STEPCA_INIT_SSH (boolean default false)
+# DOCKER_STEPCA_INIT_PASSWORD (initial CA password)
+# DOCKER_STEPCA_INIT_SSH (boolean: given a non-empty value, create an SSH CA)
 
 # Ensure all env vars required to run step ca init are set.
 function init_if_possible () {
@@ -28,9 +29,19 @@ function init_if_possible () {
     fi
 }
 
+function generate_password () {
+    set +o pipefail
+    < /dev/urandom tr -dc A-Za-z0-9 | head -c40
+    set -o pipefail
+}
+
 # Initialize a CA if not already initialized
 function step_ca_init () {
-    echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
+    if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
+        echo -n "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
+    else
+        generate_password > "${STEPPATH}/password"
+    fi
     local -a setup_args=(
         --name "${DOCKER_STEPCA_INIT_NAME}"
 		--dns "${DOCKER_STEPCA_INIT_DNS}"

From bc63829111dbcb6ada9a776c71c84deaa5187754 Mon Sep 17 00:00:00 2001
From: Carl Tashian <carl@smallstep.com>
Date: Wed, 18 Aug 2021 11:11:05 -0700
Subject: [PATCH 3/4] Auto-generate password by default

---
 docker/entrypoint.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 583e2e97..a6d29768 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -37,11 +37,6 @@ function generate_password () {
 
 # Initialize a CA if not already initialized
 function step_ca_init () {
-    if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
-        echo -n "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
-    else
-        generate_password > "${STEPPATH}/password"
-    fi
     local -a setup_args=(
         --name "${DOCKER_STEPCA_INIT_NAME}"
 		--dns "${DOCKER_STEPCA_INIT_DNS}"
@@ -49,6 +44,11 @@ function step_ca_init () {
 		--password-file "${STEPPATH}/password"
         --address ":9000"
     )
+    if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
+        echo -n "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
+    else
+        generate_password > "${STEPPATH}/password"
+    fi
     if [ -n "${DOCKER_STEPCA_INIT_SSH}" ]; then
         setup_args=("${setup_args[@]}" --ssh)
     fi

From 4e8e4c638ecc6ee2437a43a5fc7e3b5b3821deb4 Mon Sep 17 00:00:00 2001
From: Carl Tashian <carl@smallstep.com>
Date: Wed, 18 Aug 2021 12:50:14 -0700
Subject: [PATCH 4/4] Add newline to password file for readabiliy

---
 docker/entrypoint.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index a6d29768..eb764bd4 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -32,6 +32,7 @@ function init_if_possible () {
 function generate_password () {
     set +o pipefail
     < /dev/urandom tr -dc A-Za-z0-9 | head -c40
+    echo
     set -o pipefail
 }
 
@@ -45,7 +46,7 @@ function step_ca_init () {
         --address ":9000"
     )
     if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
-        echo -n "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
+        echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
     else
         generate_password > "${STEPPATH}/password"
     fi