 

Best practices for certificates in docker

Tags: docker, ssl

If I have a docker application (J2EE web applications) meeting the following conditions:

  • there are multiple containers to be deployed (from the same image) on separate hosts which will then communicate with each other over SSL/TLS - so the containers would need their own SSL certificates, and need to trust the certificates of the other containers
  • these containers will additionally make HTTPS calls to other external URLs - so the certificates of these servers also need to be trusted. These external URLs are not known at deployment time, so the certificates need to be imported separately
  • the application, being a J2EE web application, uses a Java keystore and truststore for the certificates

Given this, how should the certificates be made available to the servers?

asked Oct 19 '22 03:10 by BX21


1 Answer

Update: 2018-02

Docker Swarm allows keeping secrets: https://docs.docker.com/engine/swarm/secrets/ This is however not supported in non-Swarm deployments. One hacky way to get around this is to deploy to only 1 node as a Swarm.

Previous answer:

Docker doesn't currently have a way to handle secrets (it's on their road map). There's a long-running thread over at Docker. It lists many ways that people use to import secrets into containers: https://github.com/docker/docker/issues/13490

Some people use HashiCorp's Vault, others encrypt secrets on the host (env vars) or in a docker volume (that's what my team does). Containers can decrypt them when they are started (ENTRYPOINT/COMMAND). To add secrets at run time, you can create a custom container that does just that (accepts an HTTP request and stores it in a truststore). Just a suggestion amongst many that you'll see in the link above.

answered Nov 15 '22 06:11 by Bernard
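A concrete form of the "import at container start (ENTRYPOINT)" approach from the answer above, covering the question's three requirements (the node's own key and certificate, trusting the peer containers, and trusting additional external servers), as an added example that is not part of the original answer: a POSIX sh entrypoint that builds a PKCS12 keystore and truststore from PEM files using openssl and the JDK's keytool, with per-start random store passwords so nothing sensitive is baked into the image. The paths (/run/secrets/server.key, /opt/app/trusted, /opt/app/tls), the environment variable names, and the assumption that the application server honours JAVA_OPTS are all illustrative assumptions, not anything the answer specifies.

```shell
#!/bin/sh
# Added example, not from the original answer: a container ENTRYPOINT that
# assembles the Java keystore and truststore at start-up from PEM material
# delivered by Docker secrets or a mounted volume, so no certificate or
# password is baked into the image. All paths and variable names below are
# assumptions for this illustration.
set -e

TLS_KEY_FILE="${TLS_KEY_FILE:-/run/secrets/server.key}"     # this node's private key
TLS_CERT_FILE="${TLS_CERT_FILE:-/run/secrets/server.crt}"   # its certificate (+ chain)
TRUSTED_CERT_DIR="${TRUSTED_CERT_DIR:-/opt/app/trusted}"    # one PEM certificate per file
STORE_DIR="${STORE_DIR:-/opt/app/tls}"                      # where the stores are written

# PKCS12 stores need a password; generate one per container start instead of
# shipping a fixed one in the image. 32 random bytes rendered as 64 hex chars.
random_password() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# keytool alias from a file name: drop directory and extension, lower-case,
# and map anything outside [a-z0-9_] to '-' so spaces or odd characters in a
# mounted file name cannot break the import.
pem_alias() {
    name=$(basename "$1")
    name=${name%.*}
    printf '%s' "$name" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9_' '-'
}

# True only for regular files that contain a PEM certificate block, so a
# README or a stray key file in the trusted directory is skipped.
is_pem_cert() {
    [ -f "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Bundle this node's key ($1) and certificate ($2) into PKCS12 keystore $3
# protected by password $4.
build_keystore() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name server \
        -out "$3" -passout "pass:$4"
}

# Import every PEM certificate from directory $1 into PKCS12 truststore $2
# (password $3) and print the number imported. Fails loudly with status 2 if
# the JDK's keytool is missing: a silently empty truststore would only surface
# later as TLS handshake failures between the nodes.
build_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
    rm -f "$2"
    imported=0
    for pem in "$1"/*; do
        is_pem_cert "$pem" || continue
        keytool -importcert -noprompt -alias "$(pem_alias "$pem")" -file "$pem" \
            -keystore "$2" -storetype PKCS12 -storepass "$3" >/dev/null 2>&1
        imported=$((imported + 1))
    done
    echo "$imported"
}

main() {
    mkdir -p "$STORE_DIR"
    ks_pass=$(random_password)
    ts_pass=$(random_password)
    build_keystore "$TLS_KEY_FILE" "$TLS_CERT_FILE" "$STORE_DIR/keystore.p12" "$ks_pass"
    n=$(build_truststore "$TRUSTED_CERT_DIR" "$STORE_DIR/truststore.p12" "$ts_pass")
    echo "entrypoint: imported $n trusted certificate(s)" >&2
    # Hand both stores to the JVM through the standard javax.net.ssl properties.
    # JAVA_OPTS is what most Java servers read; the exact variable name is assumed.
    JAVA_OPTS="${JAVA_OPTS:-} \
-Djavax.net.ssl.keyStore=$STORE_DIR/keystore.p12 \
-Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=$ks_pass \
-Djavax.net.ssl.trustStore=$STORE_DIR/truststore.p12 \
-Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=$ts_pass"
    export JAVA_OPTS
    exec "$@"
}

# Act as the entrypoint only when invoked under that name (ENTRYPOINT
# ["/entrypoint.sh"]); when sourced or run under another name, just define
# the functions so they can be exercised separately.
case "$(basename "$0")" in
    entrypoint.sh) main "$@" ;;
esac
```

Deploy it by mounting the node's key and certificate as Swarm secrets (or a volume on a single host) and dropping the peer and external CA certificates, one PEM per file, into the trusted directory; the same image then works on every host without rebuilding. Two caveats a practitioner should weigh: the store passwords passed as -D properties are readable by anyone who can list processes inside the container (they only guard files owned by the same user, but a file-based password is the more careful variant), and because the JVM's default SSLContext loads the truststore once when it is initialised, a certificate added later for one of the "external URLs not known at deployment time" needs a container restart with this script. Avoiding that restart is exactly what the answer's idea of a container that accepts certificates over HTTP is for.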