I am moving my applications to Docker, and I'm not sure how to handle managing the cert/key. In a single host, I have two Docker containers that must listen/communicate over TLS to a number of client machines. Before docker, I had a single server key and self signed cert, and my clients were using the self signed cert to communicate with the server applications.
But now that they are separated docker containers, what is the right methodology? Do I push the certs/key to directories in the container? If so, then my dockerfile would need to COPY the cert/key, and I don't want the key to be part of the checked in image. (security)
Or, do I use a VOLUME and hold the key/cert on the host machine? I tried that, but the container root user could not see the private key, which was read only fir the host root user.
What is really the right way to do this? Thanks
I know this is an old question but I came up with a somewhat similar but more generic approach. My solution is to create a data-only container which mounts the certificates and their keys as /etc/ssl/certs/host/
and /etc/ssl/private/host/
. Name it for example certificates
. In upcoming containers you can use these certificates easily by using --volumes-from certificates
.
Took me some time, but I figured out how to do it.
One the RUN command line, you can mount a host directory as a data volume. This doesn't work by using the VOLUME in dockerfiles. You use the switch -v hostdir:datavolume
http://docs.docker.com/userguide/dockervolumes/
I used this to connect the containers data volume to the host directory that stored the keys and certs.
Thanks
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With