Internal directory structure changed to have a better separation of input/output volumes e.g. for usage in k8s.

Author: roman

Dockerfile

@@ -7,11 +7,13 @@ RUN apk update \
   && apk add --update bash openjdk11-jre-headless~11.0 openssl3 py3-jinja2 py3-yaml\
   && rm -rf /var/cache/apk/*
 
-RUN mkdir -p /opt/certs
+RUN mkdir -p /opt/scripts
 
-ADD *.sh /opt/certs/
-ADD create_configs.py /opt/certs/
-ADD cert.template /opt/certs/
-WORKDIR /opt/certs
+COPY *.sh /opt/scripts
+COPY create_configs.py /opt/scripts
+COPY cert.template /opt/scripts
 
-CMD ["/opt/certs/run.sh"]
+WORKDIR /opt/scripts
+ENV CERTDIR=/mnt/certs
+
+CMD ["/opt/scripts/run.sh"]

README.md

@@ -83,11 +83,11 @@ Description of the fields:
 | CN_as_SAN | Add CN as SAN in addition (required by many clients/browsers) - true/false (default: true) |
 
 * Pull the docker image (from docker hub) or build locally with `./build_docker_image.sh`
-* Run the docker image - you need to mount the `hosts.txt` to `/opt/certs/hosts.txt` and a destination directory where the configs and certificates will be placed to `/opt/certs/current` - e.g.:
+* Run the docker image - you need to mount the `hosts.txt` to `/mnt/config/hosts.txt` and a destination directory where the configs and certificates will be placed to `/mnt/certs` - e.g.:
 ```bash
 docker run --rm \
--v $(pwd)/hosts.txt:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
+-v $(pwd)/hosts.txt:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
 schmitzi/openssl-alpine-j11:1.0.0
 ```
 * The following optional parameters can be provided as environment variables using `-e`:

build_docker_image.sh

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-docker build ./scripts -t schmitzi/openssl-alpine-j11:1.2.0 -f Dockerfile
+docker build ./scripts -t schmitzi/openssl-alpine-j11:1.3.0 -f Dockerfile

examples/confluent-platform/run_cp.sh

@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0

examples/csr-test/run_test_yaml.sh

@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e PREPARE_CSR_ONLY=yes \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0

examples/encrypted-ca-key/run_test.sh

@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e CA_KEYPASSWD=xyz123 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0

examples/test/run_test_json.sh

@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.json:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.json:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0

examples/test/run_test_yaml.sh

@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0

scripts/check_ca.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # Check if the provided CA Key is "encrypted" - using the first line of the ca-root.key file
-first_line=$(head -n 1 /opt/certs/current/ca-root.key)
+first_line=$(head -n 1 /mnt/certs/ca-root.key)
 
 # Check if the first line contains "ENCRYPTED"
 if [[ "$first_line" == *"ENCRYPTED"* ]]; then
@@ -12,14 +12,14 @@ if [[ "$first_line" == *"ENCRYPTED"* ]]; then
 fi
 
 # Capture the modulus of the public certificate
-public_modulus=$(openssl x509 -modulus -noout -in /opt/certs/current/ca-root.crt 2>/dev/null | openssl md5)
+public_modulus=$(openssl x509 -modulus -noout -in /mnt/certs/ca-root.crt 2>/dev/null | openssl md5)
 
 if [[ -z "$CA_KEYPASSWD" ]]; then
     # Capture the modulus of the private key
-    private_modulus=$(openssl rsa -modulus -noout -in /opt/certs/current/ca-root.key 2>/dev/null | openssl md5)
+    private_modulus=$(openssl rsa -modulus -noout -in /mnt/certs/ca-root.key 2>/dev/null | openssl md5)
 else
     # Capture the modulus of the private key (with password)
-    private_modulus=$(openssl rsa -modulus -noout -in /opt/certs/current/ca-root.key -passin pass:$CA_KEYPASSWD 2>/dev/null | openssl md5)
+    private_modulus=$(openssl rsa -modulus -noout -in /mnt/certs/ca-root.key -passin pass:$CA_KEYPASSWD 2>/dev/null | openssl md5)
 fi
 
 # Compare the two modulis
@@ -28,4 +28,4 @@ if [ "$public_modulus" != "$private_modulus" ]; then
     exit 1
 fi
 
-cat current/ca-root.crt > current/ca-root.pem
+cat /mnt/certs/ca-root.crt > /mnt/certs/ca-root.pem

scripts/create_configs.py

@@ -3,7 +3,7 @@
 import yaml
 
 # Read hosts input and extract global settings
-with open('./hosts.txt') as input_file:
+with open('/mnt/config/hosts.txt') as input_file:
     hosts = yaml.load(input_file, Loader=yaml.FullLoader)
 globals = hosts['global'] if 'global' in hosts else {}
 
@@ -18,5 +18,5 @@
 
     output_filename = host['fileName']+'.cnf' if 'fileName' in host else host['CN']+'.cnf'
 
-    with open('./current/'+output_filename, "w") as out_file:
+    with open('/mnt/certs/'+output_filename, "w") as out_file:
         out_file.write(outputCertConfig)