3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -136,6 +136,9 @@ See our installation docs [here](https://smallstep.com/docs/step-ca/installation
[on smallstep.com](https://smallstep.com/docs/step-cli/reference/),
or by running `step help --http=:8080` from the command line
and visiting http://localhost:8080.
* [Examples](https://github.com/smallstep/certificates/tree/master/examples) including
[Podman](https://github.com/smallstep/certificates/tree/master/examples/podman) &
[Docker](https://github.com/smallstep/certificates/tree/master/examples/docker)

## Feedback?

16 changes: 13 additions & 3 deletions docker/entrypoint.sh
Expand Up @@ -32,6 +32,13 @@ function generate_password () {
set -o pipefail
}

function set_password_files () {
local FILE_PATH=$1

ln -sf "${FILE_PATH}" "${STEPPATH}/password"
ln -sf "${FILE_PATH}" "${STEPPATH}/provisioner_password"
}

# Initialize a CA if not already initialized
function step_ca_init () {
DOCKER_STEPCA_INIT_PROVISIONER_NAME="${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
Expand All @@ -46,9 +53,8 @@ function step_ca_init () {
--provisioner-password-file "${STEPPATH}/provisioner_password"
--address "${DOCKER_STEPCA_INIT_ADDRESS}"
)
if [ -n "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ]; then
cat < "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" > "${STEPPATH}/password"
cat < "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" > "${STEPPATH}/provisioner_password"
if [ -f "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ]; then
set_password_files "${DOCKER_STEPCA_INIT_PASSWORD_FILE}"
elif [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/provisioner_password"
Expand Down Expand Up @@ -86,4 +92,8 @@ if [ ! -f "${STEPPATH}/config/ca.json" ]; then
init_if_possible
fi

if [ -f "${DOCKER_STEPCA_PASSWORD_FILE}" ]; then
set_password_files "${DOCKER_STEPCA_PASSWORD_FILE}"
fi

exec "${@}"
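Review bot: Changing the guard from `-n` to `-f` at `if [ -f "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ]; then` means a password file that is configured but missing (path typo, secret not mounted) is silently skipped and the CA falls through to DOCKER_STEPCA_INIT_PASSWORD or a generated password; the new `if [ -f "${DOCKER_STEPCA_PASSWORD_FILE}" ]; then` block before `exec` has the same gap. A set-but-absent file should fail loudly rather than degrade, e.g. add after the `-f` branch `elif [ -n "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ]; then` / `echo "password file not found: ${DOCKER_STEPCA_INIT_PASSWORD_FILE}" >&2` / `exit 1` (and the equivalent check for DOCKER_STEPCA_PASSWORD_FILE). Since `set_password_files` now symlinks instead of copying with `cat`, `${STEPPATH}/password` in the persistent volume presumably only resolves while the secret is mounted at the same path on every start, which deserves a comment above the function such as `# Symlink rather than copy so the secret is never persisted in the volume; the source must be mounted at the same path on every start`. The body of step_ca_init continues outside the second hunk.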
50 changes: 50 additions & 0 deletions examples/podman/stepca.container.md
@@ -0,0 +1,50 @@
## Example [Podman Quadlet container](https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#container-units-container) file

* `~/.config/containers/systemd/stepca.container` (rootless)
* `/etc/containers/systemd/stepca.container` (rootful)

```
[Unit]
Description=Smallstep Certificate Authority
After=network-online.target

[Container]
PodmanArgs=--memory 50m --cpus 0.25
PidsLimit=100
DropCapability=ALL
NoNewPrivileges=true
AutoUpdate=registry
ContainerName=stepca
Environment=TZ="UTC"
Environment="DOCKER_STEPCA_INIT_NAME=Example CA"
Environment=DOCKER_STEPCA_INIT_DNS_NAMES=ca.custom.domain,10.89.0.10,localhost,127.0.0.1
Environment=DOCKER_STEPCA_INIT_PROVISIONER_NAME=admin@custom.domain
Environment=DOCKER_STEPCA_INIT_SSH=true
Environment=DOCKER_STEPCA_INIT_ACME=true
Environment=DOCKER_STEPCA_INIT_PASSWORD_FILE=/run/secrets/stepca
HostName=stepca
Image=docker.io/smallstep/step-ca
PublishPort=10.89.0.10:9000:9000/tcp
PublishPort=127.0.0.1:9000:9000/tcp
Secret=source=stepca,type=mount,uid=1000,gid=1000,mode=400
Volume=/path/to/volumes/stepca/config:/home/step:Z
DNS=10.89.0.1
DNSOption=~custom.domain
ReloadSignal=SIGHUP
# Use systemd restart policy
HealthOnFailure=kill
HealthStartPeriod=90s
HealthStartupCmd=sleep 5
HealthCmd=step ca health
HealthInterval=30m
HealthRetries=3
HealthTimeout=20s

[Service]
Restart=always
# Extend Timeout for image pulls
TimeoutStartSec=900

[Install]
WantedBy=default.target
```
47 changes: 47 additions & 0 deletions examples/podman/stepca.run.md
@@ -0,0 +1,47 @@
## Example creation of a Podman container & secret

* Using a [cryptographically strong secret from `openssl` with an `8192` character `hex` string](https://docs.podman.io/en/latest/markdown/podman-secret-create.1.html#examples)

see also:

- [Create a "quadlet"](https://github.com/containers/podlet)
- [examples/podman/stepca.container.md](https://github.com/smallstep/certificates/tree/master/examples/podman/stepca.container.md)

```
iface=wt0 # running over Netbird VPN
ctr=stepca
ip=$(ip -f inet addr show $iface | sed -En -e 's/.*inet ([0-9.]+).*/\1/p')
repo=docker.io/smallstep/step-ca
# TPM supported image
# repo=docker.io/smallstep/step-ca:hsm
ca="My CA"
email="admin@custom.domain"
dns="ca.custom.domain,$ip,localhost,127.0.0.1"
volume="${HOME}/volumes/$ctr/config}"

###############
# auto config #
###############

bytes=8192
mkdir -p $volume
openssl rand -hex $bytes | podman secret create --replace $ctr -

podman run -d --replace \
--name $ctr \
--hostname $ctr \
--secret source=$ctr,type=mount,uid=1000,gid=1000,mode=400 \
--env "DOCKER_STEPCA_INIT_NAME=$ca" \
--env "DOCKER_STEPCA_INIT_DNS_NAMES=$dns" \
--env "DOCKER_STEPCA_INIT_PROVISIONER_NAME=$email" \
--env "DOCKER_STEPCA_INIT_SSH=true" \
--env "DOCKER_STEPCA_INIT_ACME=true" \
--env "DOCKER_STEPCA_PASSWORD_FILE=/run/secrets/$ctr" \
--cap-drop ALL \
--restart always \
--label "io.containers.autoupdate=registry" \
-v $volume:/home/step:Z \
$repo
```

* Running the container with `--privileged` should only be needed to [configure a TPM](https://smallstep.com/blog/trusted-platform-modules-tpms/).