Improve security and reliability of traefik-certdumper #54
Labels
No Label
automation
bug
community organising
democracy
design
documentation
duplicate
enhancement
finance
funding
help wanted
invalid
publishing
question
security
wontfix
No Milestone
No project
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: coop-cloud/organising#54
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Several services (CoTURN and Mailu so far, although I'm sure I remember others) want access to the Traefik-generated SSL certificates so that they can encrypt & decrypt traffic themselves.
The usual way to do this in Docker-land is a container which loads Traefik's certificate store, and dumps specified certificates in PEM format.
It seems like the existing forest of
certdumper
images all have wrinkles: for Mailu, I ended up adding a gnarly customentrypoint
to override behaviour, plus a separate post-run script in the Mailu recipe.As well as being a lot (too much?) to add to each recipe, the security of this is pretty lol because a)
certdumper
dumps all certs on the swarm by default and b) it fails open -- I noticed thecertdumper
inworkadventure
is giving theworkadventure-front
container access to all certs 🙈Improvements welcome!