What is the best certificate / key management approach for Docker containers that need to speak TLS

I am porting my applications to Docker and I am not sure how to handle cert / key management. On one host, I have two Docker containers that need to listen / transmit via TLS to several client machines. Before Docker, I had a single server key and a self-signed certificate, and my clients used a self-signed certificate to communicate with the server applications.

But now that they are separated into Docker containers, what is the correct methodology? Do I put the certs / key in directories inside the container? If so, my Dockerfile will need to COPY the cert / key, and I don't want the key to be part of the tagged image. (Security)

Or do I use VOLUME and keep the cert / key on the host machine? I tried this, but the container's root user was not able to see the private key, which was readable only by the root user.

What is the right way to do this? Thanks

2 answers

It took a while, but I figured out how to do it.

On the docker run command line, you can mount a host directory as a data volume. This does not work using VOLUME in Dockerfiles. You use the -v hostdir:datavolume switch.

http://docs.docker.com/userguide/dockervolumes/

I used this to connect the container data volume to the host directory in which the keys and certificates were stored.

thanks


I know this is an old question, but I came up with a somewhat similar, but more general approach. My solution is to create a data-only container that mounts certificates and their keys as /etc/ssl/certs/host/ and /etc/ssl/private/host/. Name it, for example, certificates. In subsequent containers, you can easily use these certificates with --volumes-from certificates.

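The bind-mount approach from the first answer, using the /etc/ssl/certs/host and /etc/ssl/private/host paths from the second, as an added example that is not part of either answer. The host directory layout (certs/ and private/ subdirectories), the key file name server.key and the image name passed on the command line are assumptions; the script checks the key's file mode before exposing it and mounts everything read-only, so nothing is ever baked into the image with COPY.

```shell
#!/bin/sh
# Added example: mount host TLS material into a container with -v, read-only.
# Assumed layout (not from the original answers):
#   <hostdir>/certs/    -> /etc/ssl/certs/host    (public certificates)
#   <hostdir>/private/  -> /etc/ssl/private/host  (server.key, mode 600)
set -eu

# Refuse to expose a private key that is group- or world-readable on the host.
# Bind mounts keep host ownership and mode, so a loose key stays loose in the container.
check_key_perms() {
    key="$1"
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) return 0 ;;
        *)
            echo "refusing: $key has mode $mode, expected 600 or 400" >&2
            return 1
            ;;
    esac
}

# Build the two read-only bind-mount flags. hostdir must not contain whitespace,
# because the caller word-splits the result into separate arguments.
mount_flags() {
    hostdir="$1"
    printf '%s' "-v $hostdir/certs:/etc/ssl/certs/host:ro -v $hostdir/private:/etc/ssl/private/host:ro"
}

# Only start a container when called as: ./run-tls.sh <hostdir> <image>
# With no arguments the script just defines the helpers above.
if [ $# -ge 2 ]; then
    check_key_perms "$1/private/server.key"
    # shellcheck disable=SC2046 -- splitting the flags into words is intended
    docker run -d $(mount_flags "$1") "$2"
fi
```

The container sees the key with the host's uid/gid and mode, so the process inside must run as a user that can read a root-owned 0600 file (or the key must be owned by that user on the host).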

Source: https://habr.com/ru/post/976628/
