BX21

Reputation: 461

Best practices for certificates in docker

If I have a Docker application (J2EE web applications) meeting the following conditions:

Given this, how should the certificates be made available to the servers?

Upvotes: 5

Views: 8772

Answers (2)

Bernard

Reputation: 17271

Update: 2018-02

Docker Swarm allows keeping secrets: https://docs.docker.com/engine/swarm/secrets/ This is, however, not supported in non-Swarm deployments. One hacky way to get around this is to deploy to only 1 node as a Swarm.

Previous answer:

Docker doesn't currently have a way to handle secrets (it's on their road map). There's a long-running thread over at Docker. It lists many ways that people use to import secrets into containers. https://github.com/docker/docker/issues/13490

Some people use HashiCorp's Vault; others encrypt secrets on the host (env vars) or in a Docker volume (that's what my team does). Containers can decrypt them when they are started (ENTRYPOINT/COMMAND). To add secrets at run time, you can create a custom container that does just that (accepts an HTTP request and stores it in a truststore). Just a suggestion amongst many that you'll see in the link above.

Upvotes: 4

MortenB

Reputation: 3547

The application should handle this internally:

If you have a Java app running inside a Docker container you can use the Java keystore (just add the other containers' PEMs to the application's keystore in the Dockerfile):

# import my domain cert into the JRE's default truststore
# (${JAVA_HOME}/jre/lib/security/cacerts is the Java 8 path; Java 9+ uses ${JAVA_HOME}/lib/security/cacerts)
COPY homelinux.org.pem /tmp/homelinux.org.pem
RUN /usr/bin/keytool -import -alias homelinux.org -keystore ${JAVA_HOME}/jre/lib/security/cacerts -trustcacerts -file /tmp/homelinux.org.pem -storepass changeit -noprompt

I have ~15 containers on *.homelinux.org via DynDNS and a *.homelinux.org self-signed domain certificate (dnsname=*.homelinux.org), so the containers can use SSL between them fine.

Upvotes: -1
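The "one self-signed *.homelinux.org certificate trusted by every container" design from the answer above, modelled as an added example with Go's crypto/x509 so the trust decision is visible (this is not code from the answer or from the poster's setup). Appending the PEM to a CertPool plays the role of the keytool import into cacerts; VerifyPeer then does what a TLS client does with the certificate a peer presents. The wildcard name and the 24-hour lifetime are assumptions.

```go
package main

// Added example, not code from the original answer: a self-signed wildcard
// certificate used as the single trust anchor, and the host-name check a
// client applies to it. "*.homelinux.org" and the lifetime are assumptions.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedWildcard creates the certificate the answer describes: self-signed,
// with one wildcard DNS SAN. It returns cert and key PEM, because in that
// design every container needs both to serve and to verify.
func SelfSignedWildcard(wildcard string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: wildcard},
		DNSNames:     []string{wildcard}, // the SAN hostname verification checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// TrustPool is the container's trust store: only the PEM baked into the image,
// the equivalent of the keytool import into cacerts.
func TrustPool(certPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(certPEM) {
		return nil, errors.New("no certificate in PEM data")
	}
	return pool, nil
}

// VerifyPeer chains the presented certificate to the trust pool and checks the
// dialled host against its SANs. A "*.homelinux.org" SAN matches exactly one
// label under homelinux.org: not the bare domain, not deeper sub-domains.
func VerifyPeer(pool *x509.CertPool, presentedPEM []byte, host string) error {
	block, _ := pem.Decode(presentedPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("peer did not present a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	certPEM, _, err := SelfSignedWildcard("*.homelinux.org")
	if err != nil {
		panic(err)
	}
	pool, err := TrustPool(certPEM)
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"app1.homelinux.org", "homelinux.org", "a.b.homelinux.org", "db.example.org"} {
		fmt.Printf("%-20s -> %v\n", host, VerifyPeer(pool, certPEM, host))
	}
}
```

The check is only as strong as the key's distribution: because the same private key sits in every container, a passing verification proves the peer holds the shared key, not which container it is, so any compromised container can present itself as any *.homelinux.org name.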
