Merge pull request #14 from benkorichard/cert_expiry

kekru · web-flow · commit a18ecb560662 · 2020-10-10T22:28:46.000+02:00
Configure certificates expiration date with a new environment variable.
diff --git a/README.md b/README.md
@@ -43,8 +43,6 @@ Your Docker Remote API is available on port 2376 via https. The client needs to
 The docker-remote-api image can generate CA, certificates and keys for you automatically.
 Create a docker-compose.yml file, specifying a password and the hostname, on which the remote api will be accessible later on. The hostname will be written to the server's certificate.
 
-Optionally, the cert password can be provided as a docker secret. In this case use the `CERTS_PASSWORD_FILE` variable with the absolute path of secret file: `CERTS_PASSWORD_FILE=/run/secrets/<secret_name>`. If both `CREATE_CERTS_WITH_PW` and `CERTS_PASSWORD_FILE` are provided, `CERTS_PASSWORD_FILE` takes precedence.
-
 ```yml
 version: "3.4"
 services:
@@ -64,6 +62,22 @@ Now run the container with `docker-compose up -d` or `docker stack deploy --comp
 Certificates will be created in `<local cert dir>`.
 You will find the client-certs in `<local cert dir>/client/`. The files are `ca.pem`, `cert.pem` and `key.pem`.
 
+## Environment variables
+
+#### `CREATE_CERTS_WITH_PW`
+Passphrase to encrypt the certificate.
+
+#### `CERTS_PASSWORD_FILE`
+Certificate passphrase will be read from this docker secret. Absolute path of the secret file has to be provided i.e. `CERTS_PASSWORD_FILE=/run/secrets/<secret_name>`.
+
+If both passphrase and secret file are set, the secret file takes precedence.
+
+#### `CERT_EXPIRATION`
+Certificate expiration in days. If not set, the default value 365 is applied.
+
+#### `CERT_HOSTNAME`
+Domain name of the docker server.
+
 ## Setup client
 
 See [Run commands on remote Docker host](https://gist.github.com/kekru/4e6d49b4290a4eebc7b597c07eaf61f2) for instructions how to setup a client to communicate with the remote api.
diff --git a/resources/entrypoint.sh b/resources/entrypoint.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+CERT_EXPIRATION_DAYS=${CERT_EXPIRATION:-365}
+
 if [ -n "$CERTS_PASSWORD_FILE" ]; then
   echo "Using cert password from $CERTS_PASSWORD_FILE"
   CREATE_CERTS_WITH_PW="$(cat $CERTS_PASSWORD_FILE)"
@@ -11,9 +13,9 @@ if [ -n $CREATE_CERTS_WITH_PW ]; then
     echo "Create CA cert"
     /script/create-certs.sh -m ca -pw $CREATE_CERTS_WITH_PW -t $CERTS_DIR -e 900
     echo "Create server cert"
-    /script/create-certs.sh -m server -h $CERT_HOSTNAME -pw $CREATE_CERTS_WITH_PW -t $CERTS_DIR -e 365
+    /script/create-certs.sh -m server -h $CERT_HOSTNAME -pw $CREATE_CERTS_WITH_PW -t $CERTS_DIR -e $CERT_EXPIRATION_DAYS
     echo "Create client cert"
-    /script/create-certs.sh -m client -h testClient -pw $CREATE_CERTS_WITH_PW -t $CERTS_DIR -e 365
+    /script/create-certs.sh -m client -h testClient -pw $CREATE_CERTS_WITH_PW -t $CERTS_DIR -e $CERT_EXPIRATION_DAYS
 
     mkdir $CERTS_DIR/client
     mv $CERTS_DIR/ca.pem $CERTS_DIR/ca-cert.pem
