Merge branch 'ssl-puma' of github.com:suprjinx/astral into ssl-puma
suprjinx committed Oct 22, 2024
2 parents 08fa788 + ae10703 commit c42b705
Showing 5 changed files with 53 additions and 14 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -55,4 +55,4 @@ USER rails:rails
# Start the server by default, this can be overwritten at runtime
EXPOSE 3000
# Start the server
CMD ["bin/rails", "server", "-b", "0.0.0.0"]
CMD ["bin/http.sh"]
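Review bot: the new default `CMD ["bin/http.sh"]` only works if `bin/http.sh` is committed with the execute bit set and the image's working directory is the app root; file modes are not visible in this diff, so either confirm the mode (or `chmod +x` the scripts in the build stage) or invoke it as `CMD ["sh", "bin/http.sh"]`. Since the README now documents `bin/ssl.sh` as the production startup command, the comment above `EXPOSE 3000` should also say that the TLS entrypoint is selected by overriding this CMD.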
30 changes: 24 additions & 6 deletions README.md
Expand Up @@ -72,18 +72,36 @@ file. Per-environment settings in the config file(development, test,
production) will override the shared values for that type.

## mTLS connections
Astral can connect to Vault with mTLS. Just
set the following values in `config/astral.yml`:
Astral can be run as an SSL service and can communicate with Vault via SSL.
Just set the following values in `config/astral.yml` (or environment) to
encrypt Astral-to-Vault :
```
vault_ssl_cert:
vault_ssl_client_cert:
vault_ssl_client_key:
```
A self-signed server cert for Vault can be generated with the following
command:

To use Vault SSL in the devcontainer, edit
`.devcontainer/docker-compose.yml` so that the `app` service has
`VAULT_ADDRESS` of `https://vault:8443`. Client certs can also be
configured -- in which case Vault needs to be configured to verify with
a CA cert.

A self-signed server cert for Vault and Astral can be generated with the following
command, and initial placeholder certs are already provided.
```
rake configure:ssl
```

To use SSL in the devcontainer, edit `.devcontainer/docker-compose.yml` so
that the `app` service has `VAULT_ADDRESS` of `https://vault:8443`.
Astral SSL

To use SSL in production, provide the necessary environment (SSL_CERT, SSL_KEY) to
the container environment, and use the `bin/ssl.sh` startup command. Eg:
```
docker run -p 3000:3000 \
-e SSL_CERT=/certs/cert.pem \
-e SSL_KEY=/certs/key.key \
-v certs:/certs:cached \
astral:latest bin/ssl.sh
```
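Review bot: this hunk leaves the devcontainer instructions duplicated (the paragraph about setting `VAULT_ADDRESS` to `https://vault:8443` appears under the mTLS section and again after the `rake configure:ssl` block), the line `Astral SSL` is missing its `##` heading marker, and the new intro sentence ends in `encrypt Astral-to-Vault :` with a stray space before the colon. Drop the second copy and promote `Astral SSL` to a heading; `## mTLS connections` is also now a misnomer, since the text describes one-way TLS with client certificates as an optional extra. In the `docker run` example, `-v certs:/certs:cached` mounts a named volume rather than a host directory, while the surrounding text talks about providing certs to the container, so either use a host path or state that the volume must already contain `cert.pem` and `key.key`.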

2 changes: 2 additions & 0 deletions bin/http.sh
@@ -0,0 +1,2 @@
#! /bin/sh
bin/rails s -b 0.0.0.0
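Review bot: `bin/rails s -b 0.0.0.0` should be `exec bin/rails s -b 0.0.0.0`; without `exec`, `/bin/sh` stays as PID 1 in the container and the Rails server runs as its child, so the SIGTERM sent by `docker stop` is delivered to the shell rather than to Puma, and the server is killed after the grace period instead of shutting down cleanly.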
5 changes: 5 additions & 0 deletions bin/ssl.sh
@@ -0,0 +1,5 @@
#! /bin/sh
SSL_CERT="${SSL_CERT:-cert/astral.pem}"
SSL_KEY="${SSL_KEY:-cert/astral.key}"

bin/rails s -b "ssl://0.0.0.0:3000?key=${SSL_KEY}&cert=${SSL_CERT}"
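Review bot: the fallbacks `cert/astral.pem` and `cert/astral.key` point at the placeholder self-signed certificate produced by `rake configure:ssl`, which the README says is already provided in the repository, so a production container that forgets to set `SSL_CERT` and `SSL_KEY` silently serves TLS with a shared, publicly known private key. Prefer failing fast, e.g. `SSL_CERT="${SSL_CERT:?SSL_CERT must be set}"`, or confine the defaults to the development environment, and as in `bin/http.sh` use `exec bin/rails s ...` so Puma receives container signals directly. Checking that both files are readable (`test -r "$SSL_KEY"`) before starting gives a clearer failure than Puma's bind error.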
28 changes: 21 additions & 7 deletions lib/tasks/configure.rake
Expand Up @@ -2,16 +2,30 @@ require "rake"

# Rake tasks for making a vault cert
namespace :configure do
desc "Make Vault and Astral certs"
task ssl: [ :vault_ssl, :astral_ssl ]

desc "Make the server cert for vault"
task :ssl do
task :vault_ssl do
keygen("vault")
end

desc "Make the server cert for astral"
task :astral_ssl do
keygen("astral")
end

private

def keygen(name)
%x(
openssl req -new -newkey rsa:4096 -nodes \
-keyout cert/vault.key -out cert/vault.csr \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=vault"
openssl x509 -req -days 365 -in cert/vault.csr \
-signkey cert/vault.key \
-out cert/vault.pem
-keyout cert/#{name}.key -out cert/#{name}.csr \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=#{name}"
openssl x509 -req -days 365 -in cert/#{name}.csr \
-signkey cert/#{name}.key \
-out cert/#{name}.pem
)
puts "SSL key for vault created"
puts "SSL key for #{name} created"
end
end
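Review bot: the certificates produced by `keygen` carry only a subject CN (`-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=#{name}"`) and no subjectAltName; CN-only hostname matching is deprecated (RFC 6125), and clients that require a SAN will reject the Vault certificate when connecting to `https://vault:8443`. Add `-addext "subjectAltName=DNS:#{name}"` to the `openssl req` call (OpenSSL 1.1.1 or later). The `%x(...)` call also ignores the commands' exit status, so `puts "SSL key for #{name} created"` is printed even when `openssl` fails; check `$?.success?`, or run the commands with `system(..., exception: true)`, before reporting success.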
