Internal directory structure changed to have a better separation of i…

…nput/output volumes e.g. for usage in k8s.

Dockerfile

@@ -7,11 +7,13 @@ RUN apk update \
   && apk add --update bash openjdk11-jre-headless~11.0 openssl3 py3-jinja2 py3-yaml\
   && rm -rf /var/cache/apk/*
 
-RUN mkdir -p /opt/certs
+RUN mkdir -p /opt/scripts
 
-ADD *.sh /opt/certs/
-ADD create_configs.py /opt/certs/
-ADD cert.template /opt/certs/
-WORKDIR /opt/certs
+COPY *.sh /opt/scripts
+COPY create_configs.py /opt/scripts
+COPY cert.template /opt/scripts
 
-CMD ["/opt/certs/run.sh"]
+WORKDIR /opt/scripts
+ENV CERTDIR=/mnt/certs
+
+CMD ["/opt/scripts/run.sh"]

README.md

@@ -83,11 +83,11 @@ Description of the fields:
 | CN_as_SAN | Add CN as SAN in addition (required by many clients/browsers) - true/false (default: true) |
 
 * Pull the docker image (from docker hub) or build locally with `./build_docker_image.sh`
-* Run the docker image - you need to mount the `hosts.txt` to `/opt/certs/hosts.txt` and a destination directory where the configs and certificates will be placed to `/opt/certs/current` - e.g.:
+* Run the docker image - you need to mount the `hosts.txt` to `/mnt/config/hosts.txt` and a destination directory where the configs and certificates will be placed to `/mnt/certs` - e.g.:
 ```bash
 docker run --rm \
--v $(pwd)/hosts.txt:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
+-v $(pwd)/hosts.txt:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
 schmitzi/openssl-alpine-j11:1.0.0
 ```
 * The following optional parameters can be provided as environment variables using `-e`:

build_docker_image.sh

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-docker build ./scripts -t schmitzi/openssl-alpine-j11:1.2.0 -f Dockerfile
+docker build ./scripts -t schmitzi/openssl-alpine-j11:1.3.0 -f Dockerfile

examples/confluent-platform/run_cp.sh

@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0

examples/csr-test/run_test_yaml.sh

@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e PREPARE_CSR_ONLY=yes \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0

examples/encrypted-ca-key/run_test.sh

@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e CA_KEYPASSWD=xyz123 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0

examples/test/run_test_json.sh

@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.json:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.json:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0

examples/test/run_test_yaml.sh

@@ -2,6 +2,6 @@
 
 docker run --rm \
 -e PASSWD=changeIt -e DAYS=389 -e DAYS_CA=3650 \
--v $(pwd)/hosts.yml:/opt/certs/hosts.txt \
--v $(pwd)/certs:/opt/certs/current \
-schmitzi/openssl-alpine-j11:1.2.0
+-v $(pwd)/hosts.yml:/mnt/config/hosts.txt \
+-v $(pwd)/certs:/mnt/certs \
+schmitzi/openssl-alpine-j11:1.3.0

scripts/check_ca.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # Check if the provided CA Key is "encrypted" - using the first line of the ca-root.key file
-first_line=$(head -n 1 /opt/certs/current/ca-root.key)
+first_line=$(head -n 1 /mnt/certs/ca-root.key)
 
 # Check if the first line contains "ENCRYPTED"
 if [[ "$first_line" == *"ENCRYPTED"* ]]; then
@@ -12,14 +12,14 @@ if [[ "$first_line" == *"ENCRYPTED"* ]]; then
 fi
 
 # Capture the modulus of the public certificate
-public_modulus=$(openssl x509 -modulus -noout -in /opt/certs/current/ca-root.crt 2>/dev/null | openssl md5)
+public_modulus=$(openssl x509 -modulus -noout -in /mnt/certs/ca-root.crt 2>/dev/null | openssl md5)
 
 if [[ -z "$CA_KEYPASSWD" ]]; then
     # Capture the modulus of the private key
-    private_modulus=$(openssl rsa -modulus -noout -in /opt/certs/current/ca-root.key 2>/dev/null | openssl md5)
+    private_modulus=$(openssl rsa -modulus -noout -in /mnt/certs/ca-root.key 2>/dev/null | openssl md5)
 else
     # Capture the modulus of the private key (with password)
-    private_modulus=$(openssl rsa -modulus -noout -in /opt/certs/current/ca-root.key -passin pass:$CA_KEYPASSWD 2>/dev/null | openssl md5)
+    private_modulus=$(openssl rsa -modulus -noout -in /mnt/certs/ca-root.key -passin pass:$CA_KEYPASSWD 2>/dev/null | openssl md5)
 fi
 
 # Compare the two modulis
@@ -28,4 +28,4 @@ if [ "$public_modulus" != "$private_modulus" ]; then
     exit 1
 fi
 
-cat current/ca-root.crt > current/ca-root.pem
+cat /mnt/certs/ca-root.crt > /mnt/certs/ca-root.pem

scripts/create_configs.py

@@ -3,7 +3,7 @@
 import yaml
 
 # Read hosts input and extract global settings
-with open('./hosts.txt') as input_file:
+with open('/mnt/config/hosts.txt') as input_file:
     hosts = yaml.load(input_file, Loader=yaml.FullLoader)
 globals = hosts['global'] if 'global' in hosts else {}
 
@@ -18,5 +18,5 @@
 
     output_filename = host['fileName']+'.cnf' if 'fileName' in host else host['CN']+'.cnf'
 
-    with open('./current/'+output_filename, "w") as out_file:
+    with open('/mnt/certs/'+output_filename, "w") as out_file:
         out_file.write(outputCertConfig)

scripts/gen_ca.sh

@@ -4,14 +4,14 @@
 
 if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
     # Generate Root CA certificates and concatenate to PEM
-    openssl req -new -nodes -x509 -days ${DAYS_CA} -newkey rsa:2048 -keyout current/ca-root.key -out current/ca-root.crt -config current/ca-root.cnf
-    cat current/ca-root.crt current/ca-root.key > current/ca-root.pem
+    openssl req -new -nodes -x509 -days ${DAYS_CA} -newkey rsa:2048 -keyout /mnt/certs/ca-root.key -out /mnt/certs/ca-root.crt -config /mnt/certs/ca-root.cnf
+    cat /mnt/certs/ca-root.crt /mnt/certs/ca-root.key > /mnt/certs/ca-root.pem
 
     # show certificate
     echo
     echo "############################"
     echo "Created CA:"
-    openssl x509 -in current/ca-root.crt -text
+    openssl x509 -in /mnt/certs/ca-root.crt -text
 else
     echo "Skipping CA generation as it is not required for CSR creation..."
 fi

scripts/gen_new_certs.sh

@@ -1,6 +1,5 @@
 #!/usr/bin/env bash
 
-CERTDIR="current"
 ROOTCA="ca-root"
 
 [[ -z "${DAYS}" ]] && echo "No validity for certs (DAYS) provided - using default 389" && DAYS="389"
@@ -48,7 +47,7 @@ done
 if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
   echo "Creating truststore..."
   # Create truststore
-  keytool -keystore current/truststore.jks -alias CARoot \
-  -import -file current/ca-root.crt \
+  keytool -keystore /mnt/certs/truststore.jks -alias CARoot \
+  -import -file /mnt/certs/ca-root.crt \
   -storepass ${PASSWD} -noprompt -storetype PKCS12
 fi

scripts/run.sh

@@ -1,19 +1,19 @@
 #!/usr/bin/env bash
 
 echo "Checking for mandatory input files..."
-if [ ! -e /opt/certs/hosts.txt ] ; then 
-    echo "Mandatory file /opt/certs/hosts.txt is missing!"
+if [ ! -e /mnt/config/hosts.txt ] ; then 
+    echo "Mandatory file /mnt/config/hosts.txt is missing!"
     exit 1
 fi
 
 echo "Creating certificate configurations from template..."
 ./create_configs.py
 
 if [[ "$PREPARE_CSR_ONLY" != "yes" ]]; then
-    if [ -e /opt/certs/current/ca-root.crt ] && [ -e /opt/certs/current/ca-root.key ]; then
+    if [ -e /mnt/certs/ca-root.crt ] && [ -e /mnt/certs/ca-root.key ]; then
         echo "Re-using CA that was provided !"
         ./check_ca.sh
-    elif [ -e /opt/certs/current/ca-root.crt ] || [ -e /opt/certs/current/ca-root.key ]; then
+    elif [ -e /mnt/certs/ca-root.crt ] || [ -e /mnt/certs/ca-root.key ]; then
         echo "ERROR: Missing CA Cert or Key file. Please provide both or none."
         exit 1
     else