Merge pull request #2 from CiscoCloud/feature/ssl-verify

Feature/ssl verify
CiscoCloud · May 5, 2015 · 872c512 · 872c512
2 parents f4d4947 + 0a8fde9
commit 872c512
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@ MAINTAINER Steven Borrelli <[email protected]>
 
 ENV CONSUL_TEMPLATE_VERSION=0.8.0
 
-RUN apk-install bash nginx
+RUN apk-install bash nginx ca-certificates
 
 ADD https://github.com/hashicorp/consul-template/releases/download/v${CONSUL_TEMPLATE_VERSION}/consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.tar.gz /
 

diff --git a/README.md b/README.md
@@ -17,3 +17,10 @@ docker run -v /my/ssl/loc:/etc/nginx/ssl ...
 docker run -v /my/ssl/loc:/etc/nginx/ssl -d --net=host  -e CONSUL_CONNECT=localhost:8500 --name nginx-proxy nginx
 
 ```
+
+## SSL
+
+If you have an SSL root certificate that you need to trust to connect to Consul,
+mount a volume containing the PEM at `/usr/local/share/ca-certificates`
+(preferable read-only). The container will pick up the certificates and enable
+the relevant Consul flags at runtime.
diff --git a/launch.sh b/launch.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -e 
+set -e
 #set the DEBUG env variable to turn on debugging
 [[ -n "$DEBUG" ]] && set -x
 
@@ -15,6 +15,17 @@ CONSUL_MINWAIT=${CONSUL_MINWAIT:-2s}
 CONSUL_MAXWAIT=${CONSUL_MAXWAIT:-10s}
 CONSUL_LOGLEVEL=${CONSUL_LOGLEVEL:-debug}
 
+# set up SSL
+if [ "$(ls -A /usr/local/share/ca-certificates)" ]; then
+  CONSUL_SSL="-ssl"
+  # normally we'd use update-ca-certificates, but something about running it in
+  # Alpine is off, and the certs don't get added. Fortunately, we only need to
+  # add ca-certificates to the global store and it's all plain text.
+  cat /usr/local/share/ca-certificates/* >> /etc/ssl/certs/ca-certificates.crt
+else
+  CONSUL_SSL=""
+fi
+
 function usage {
 cat <<USAGE
   launch.sh             Start a consul-backed nginx instance
@@ -32,7 +43,7 @@ Nginx vars:
                         (default not set)
 
 Consul-template variables:
-  CONSUL_TEMPLATE       Location of consul-template bin 
+  CONSUL_TEMPLATE       Location of consul-template bin
                         (default /usr/local/bin/consul-template)
 
 
@@ -57,14 +68,14 @@ function launch_consul_template {
                        -wait ${CONSUL_MINWAIT}:${CONSUL_MAXWAIT} \
                        -config /consul-template/consul.cfg \
                        -template /consul-template/nginx.tmpl:/etc/nginx/nginx.conf \
-                       -consul ${CONSUL_CONNECT} ${nginx_auth} -once ${vars}
+                       -consul ${CONSUL_CONNECT} ${CONSUL_SSL} ${nginx_auth} -once ${vars}
     /nginx-run.sh
   else
     echo "Starting consul template..."
     exec ${CONSUL_TEMPLATE} -log-level ${CONSUL_LOGLEVEL} \
                        -wait ${CONSUL_MINWAIT}:${CONSUL_MAXWAIT} \
                        -config /consul-template/consul.cfg \
-                       -consul ${CONSUL_CONNECT} ${nginx_auth} ${vars} 
+                       -consul ${CONSUL_CONNECT} ${CONSUL_SSL} ${nginx_auth} ${vars}
   fi
 }