coop-cloud/organising
coop-cloud
/
organising
Archived
4
0
Fork 0
Code Issues 42 Pull Requests Projects Releases Activity

Improve security and reliability of traefik-certdumper #54

New Issue
Open
opened 2021-03-25 09:46:21 +00:00 by 3wordchant · 0 comments
3wordchant commented 2021-03-25 09:46:21 +00:00
Owner
Copy Link

Several services (CoTURN and Mailu so far, although I'm sure I remember others) want access to the Traefik-generated SSL certificates so that they can encrypt & decrypt traffic themselves.

The usual way to do this in Docker-land is a container which loads Traefik's certificate store, and dumps specified certificates in PEM format.

It seems like the existing forest of certdumper images all have wrinkles: for Mailu, I ended up adding a gnarly custom entrypoint to override behaviour, plus a separate post-run script in the Mailu recipe.

As well as being a lot (too much?) to add to each recipe, the security of this is pretty lol because a) certdumper dumps all certs on the swarm by default and b) it fails open -- I noticed the certdumper in workadventure is giving the workadventure-front container access to all certs 🙈

Improvements welcome!

Several services (CoTURN and Mailu so far, although I'm sure I remember others) want access to the Traefik-generated SSL certificates so that they can encrypt & decrypt traffic themselves. The usual way to do this in Docker-land is a container which loads Traefik's certificate store, and dumps specified certificates in PEM format. It seems like the existing forest of `certdumper` images all have wrinkles: for Mailu, I ended up adding [a gnarly custom `entrypoint` to override behaviour](https://git.autonomic.zone/coop-cloud/mailu/src/branch/main/compose.yml#L155-L176), plus [a separate post-run script in the Mailu recipe](https://git.autonomic.zone/coop-cloud/mailu/src/branch/main/certdumper_post.sh). As well as being a lot (too much?) to add to each recipe, the security of this is pretty lol because a) `certdumper` dumps _all_ certs on the swarm by default and b) it fails open -- I noticed the `certdumper` in `workadventure` is giving the `workadventure-front` container access to _all_ certs 🙈 Improvements welcome!
3wordchant added the
bug
enhancement
help wanted
 labels 2021-03-25 09:46:21 +00:00
decentral1se added this to the (deleted) project 2021-04-30 07:32:25 +00:00
This repo is archived. You cannot comment on issues.
No Branch/Tag Specified
Branches Tags
master
Labels
Clear labels   
automation

Getting the robots into the mix

  
bug

Something is not working

  
community organising

Opening this thing up

  
democracy

Democratic decision making

  
design

Design thinking required

  
documentation

WTFM

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
finance

Money things

  
funding

Anything related to grant funding

  
help wanted

Need some help

  
invalid

Something is wrong

  
publishing

Making this project public

  
question

More information is needed

  
security

Securing our shit

  
wontfix

This won't be fixed

No Label
automation
bug
community organising
democracy
design
documentation
duplicate
enhancement
finance
funding
help wanted
invalid
publishing
question
security
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: coop-cloud/organising#54
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?