allow .pki folder to exist and use single script for 0 to hero. (#88)

jbreiding · dnr · web-flow · commit 7cee33cb592c · 2022-04-18T19:43:56.000-07:00
* allow .pki folder to exist and use single script for 0 to hero.

* Update tls/run-tls.sh

Co-authored-by: David Reiss &lt;dnr@dnr.im&gt;

Co-authored-by: David Reiss &lt;dnr@dnr.im&gt;
diff --git a/docker-compose-tls.yml b/docker-compose-tls.yml
@@ -26,6 +26,7 @@ services:
       - 9200
     volumes:
       - temporal_tls_pki:/usr/share/elasticsearch/config/certs
+    restart: on-failure
   postgresql:
     container_name: temporal-postgresql
     command: 
@@ -47,6 +48,7 @@ services:
       - 5432
     volumes:
       - temporal_tls_pki:/pki
+    restart: on-failure
   temporal:
     container_name: temporal
     build:
@@ -78,6 +80,7 @@ services:
       - 7233:7233
     volumes:
       - ./dynamicconfig:/etc/temporal/config/dynamicconfig
+    restart: on-failure
   temporal-admin-tools:
     container_name: temporal-admin-tools
     depends_on:
@@ -106,6 +109,7 @@ services:
       - temporal-network
     ports:
       - 8080:8080
+    restart: on-failure
 networks:
   temporal-network:
     driver: bridge
diff --git a/tls/README.md b/tls/README.md
@@ -1,15 +1,28 @@
 # Temporal with tls enabled dependencies
 
-## Setup
+## Execute
 
 run from a shell
 
-`./tls/make-certs.sh`
+`./tls/run-tls.sh`
 
-## Startup
+## Script source with comments
+```bash
+#!/usr/bin/env bash
+set -xe
 
-run from a shell
+# Build container image for generating cert material
+docker build -t temporal_tls:test -f ${PWD}/tls/Dockerfile.tls .
+mkdir -p .pki
+
+# Run container to name volume and copy out CA certificate
+docker run --rm -v temporal_tls_pki:/pki -v ${PWD}/.pki:/pki-out temporal_tls:test
+
+# Build extra layers which copy in CA certificate to local trust store
+# Allows for not having to disable host verification on TLS connections
+COMPOSE_PROJECT_NAME=tls_test docker-compose -f docker-compose-tls.yml build --no-cache
 
-`COMPOSE_PROJECT_NAME=tls_test docker-compose -f docker-compose-tls.yml build --no-cache`
+# Run example docker-compose environment with elasticsearch and postgresql protected with TLS
+COMPOSE_PROJECT_NAME=tls_test docker-compose -f docker-compose-tls.yml up
 
-`COMPOSE_PROJECT_NAME=tls_test docker-compose -f docker-compose-tls.yml up`
+```
diff --git a/tls/make-certs.sh b/tls/make-certs.sh
diff --git a/tls/run-tls.sh b/tls/run-tls.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -xe
+
+# Build container image for generating cert material
+docker build -t temporal_tls:test -f ${PWD}/tls/Dockerfile.tls .
+mkdir -p .pki
+
+# Run container to name volume and copy out CA certificate
+docker run --rm -v temporal_tls_pki:/pki -v ${PWD}/.pki:/pki-out temporal_tls:test
+
+# Build extra layers which copy in CA certificate to local trust store
+# Allows for not having to disable host verification on TLS connections
+COMPOSE_PROJECT_NAME=tls_test docker-compose -f docker-compose-tls.yml build --no-cache
+
+# Run example docker-compose environment with elasticsearch and postgresql protected with TLS
+COMPOSE_PROJECT_NAME=tls_test docker-compose -f docker-compose-tls.yml up
