Merge pull request #825 from strukturag/additional-ca-certificates

docker: Support adding CA certificates to system trust store.

docker/README.md

@@ -68,6 +68,7 @@ The running container can be configured through different environment variables:
 - `GRPC_ETCD`: Set to `1` if etcd should be used to configure GRPC peers.
 - `GRPC_TARGET_PREFIX`: Key prefix of GRPC target entries.
 - `SKIP_VERIFY`: Set to `true` to skip certificate validation of backends and proxy servers. This should only be enabled during development, e.g. to work with self-signed certificates.
+- `CA_CERTIFICATES_FOLDER`: Folder containing certificates that should be added to the system wide CA trust store during startup. Mount a folder from the host as volume in the container and specify the volume.
 
 Example with two backends:
 
@@ -120,6 +121,7 @@ The running container can be configured through different environment variables:
 - `TOKEN_KEY_FORMAT`: Format of key name to retrieve the public key from, "%s" will be replaced with the token id.
 - `TOKENS`: Space-separated list of token ids.
 - `TOKEN_<ID>_KEY`: Filename of public key for token `ID` (where `ID` is the uppercase token id).
+- `CA_CERTIFICATES_FOLDER`: Folder containing certificates that should be added to the system wide CA trust store during startup. Mount a folder from the host as volume in the container and specify the volume.
 
 Example with two tokens:
 

docker/proxy/Dockerfile

@@ -13,17 +13,14 @@ FROM alpine:3
 
 ENV CONFIG=/config/proxy.conf
 RUN adduser -D spreedbackend && \
-    apk add --no-cache bash tzdata ca-certificates
+    apk add --no-cache bash tzdata ca-certificates su-exec
 
 COPY --from=builder /workdir/bin/proxy /usr/bin/nextcloud-spreed-signaling-proxy
 COPY ./proxy.conf.in /config/proxy.conf.in
 COPY ./docker/proxy/entrypoint.sh /
 COPY ./docker/proxy/stop.sh /
 COPY ./docker/proxy/wait.sh /
-RUN chown spreedbackend /config
 RUN /usr/bin/nextcloud-spreed-signaling-proxy -version
 
-USER spreedbackend
-
 STOPSIGNAL SIGUSR1
 ENTRYPOINT [ "/entrypoint.sh" ]

docker/proxy/entrypoint.sh

@@ -131,5 +131,11 @@ if [ ! -f "$CONFIG" ]; then
   fi
 fi
 
+if [ -n "$CA_CERTIFICATES_FOLDER" ]; then
+  echo "Adding files from $CA_CERTIFICATES_FOLDER to the CA store ..."
+  cp "$CA_CERTIFICATES_FOLDER"/* /usr/local/share/ca-certificates/
+  update-ca-certificates
+fi
+
 echo "Starting signaling proxy with $CONFIG ..."
-exec /usr/bin/nextcloud-spreed-signaling-proxy -config "$CONFIG"
+exec su-exec spreedbackend /usr/bin/nextcloud-spreed-signaling-proxy -config "$CONFIG"

docker/server/Dockerfile

@@ -13,17 +13,14 @@ FROM alpine:3
 
 ENV CONFIG=/config/server.conf
 RUN adduser -D spreedbackend && \
-    apk add --no-cache bash tzdata ca-certificates
+    apk add --no-cache bash tzdata ca-certificates su-exec
 
 COPY --from=builder /workdir/bin/signaling /usr/bin/nextcloud-spreed-signaling
 COPY ./server.conf.in /config/server.conf.in
 COPY ./docker/server/entrypoint.sh /
 COPY ./docker/server/stop.sh /
 COPY ./docker/server/wait.sh /
-RUN chown spreedbackend /config
 RUN /usr/bin/nextcloud-spreed-signaling -version
 
-USER spreedbackend
-
 STOPSIGNAL SIGUSR1
 ENTRYPOINT [ "/entrypoint.sh" ]

docker/server/entrypoint.sh

@@ -269,5 +269,11 @@ if [ ! -f "$CONFIG" ]; then
   fi
 fi
 
+if [ -n "$CA_CERTIFICATES_FOLDER" ]; then
+  echo "Adding files from $CA_CERTIFICATES_FOLDER to the CA store ..."
+  cp "$CA_CERTIFICATES_FOLDER"/* /usr/local/share/ca-certificates/
+  update-ca-certificates
+fi
+
 echo "Starting signaling server with $CONFIG ..."
-exec /usr/bin/nextcloud-spreed-signaling -config "$CONFIG"
+exec su-exec spreedbackend /usr/bin/nextcloud-spreed-signaling -config "$CONFIG"