Getting applications to work with CA bundles (on-prem / self-hosted, running in Docker)
Notes to my future self
Get the CA certificate and, if applicable, the sub (intermediate) CA certificate(s), all in PEM form, and append them into one bundle file. Only certificates go in, never a key, and every file must end with a newline: otherwise the END line of one cert and the BEGIN line of the next get glued onto one line and that block will not parse.
Put the bundle in a Docker secret and mount it under your service. The short form (- CA_BUNDLE) mounts it at /run/secrets/CA_BUNDLE; the long form lets you choose the target path:

    secrets:
      - CA_BUNDLE
      - source: CA_BUNDLE
        target: "/usr/local/share/ca-certificates/custom/CA_BUNDLE.crt"
      - source: CA_BUNDLE
        target: "/etc/ssl/certs/CA_BUNDLE.pem"

Caveat on the two extra targets: a file under /usr/local/share/ca-certificates/ only becomes trusted after update-ca-certificates runs (it rebuilds /etc/ssl/certs/ca-certificates.crt), and a file dropped straight into /etc/ssl/certs/ is only found by OpenSSL's directory lookup if a hash-named symlink for it exists (openssl rehash / c_rehash). Most apps read the bundle file, not the directory, so unless the image runs update-ca-certificates at start-up, the reliable route is the /run/secrets path plus the env variable.
Declare the secret at the top level of the compose file as well. external: true means Compose does not create it; it has to exist already (docker secret create, see below):

    secrets:
      CA_BUNDLE:
        external: true
Depending on the app (mostly Node in my case), also point the app at the bundle through its environment. Node reads NODE_EXTRA_CA_CERTS once at start-up and extends its built-in root store with the certs in that file, so the short-form mount path is all it needs (OpenSSL-based tools take SSL_CERT_FILE and Python requests takes REQUESTS_CA_BUNDLE the same way):

    environment:
      NODE_EXTRA_CA_CERTS: "/run/secrets/CA_BUNDLE"
Create the Docker secret. This needs Swarm mode (docker swarm init); the full example below uses file: instead, which also works with plain docker compose. Paste the PEM blocks on stdin:

    docker secret create CA_BUNDLE - <<'EOF'
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    EOF

or straight from the bundle file: docker secret create CA_BUNDLE ./CA_BUNDLE.crt
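Before the bundle becomes a secret it is worth checking it. The following is an added example, not part of these notes: a POSIX sh script that uses only openssl to do the "append them" step safely, to reject a bundle that contains a private key, an unparseable block or a non-CA cert, and to show why the sub CA belongs in the bundle. The three-tier PKI (Demo Root CA, Demo Sub CA, app.internal.example) is generated on the fly as constructed demo data, and the function names build_bundle, check_bundle and verify_leaf are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): build the CA bundle from a root
# and a sub CA, check it before it goes into a docker secret, and prove it
# verifies a leaf certificate. Needs only openssl and POSIX sh.
set -eu

# Concatenate PEM files, stripping CRLF and guaranteeing a newline after each
# file. A plain "cat a.crt b.crt" on a file saved without a trailing newline
# glues "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" onto one line,
# and that block no longer parses.
build_bundle() {
    for f in "$@"; do
        tr -d '\r' < "$f" | awk 1
    done
}

# Sanity-check a bundle: no private key pasted in by accident, every block
# parses as an X.509 certificate, and every certificate is a CA (a leaf in a
# trust bundle is a copy-paste mistake). Prints "<n> certificate(s) OK" and
# returns 0 on success, returns 1 otherwise.
check_bundle() {
    bundle=$1
    if grep -q 'PRIVATE KEY' "$bundle"; then
        echo "refusing $bundle: it contains a private key" >&2
        return 1
    fi
    split=$(mktemp -d)
    # one file per BEGIN CERTIFICATE block; anything before the first block is dropped
    awk -v dir="$split" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/c" n ".pem") }' "$bundle"
    count=0
    for c in "$split"/c*.pem; do
        [ -e "$c" ] || break
        count=$((count + 1))
        if ! openssl x509 -noout -subject -in "$c" >/dev/null 2>&1; then
            echo "block $count of $bundle does not parse as a certificate" >&2
            rm -rf "$split"; return 1
        fi
        if ! openssl x509 -noout -text -in "$c" | grep -q 'CA:TRUE'; then
            echo "block $count of $bundle is not a CA certificate" >&2
            rm -rf "$split"; return 1
        fi
    done
    rm -rf "$split"
    [ "$count" -gt 0 ] || return 1
    echo "$count certificate(s) OK"
}

# Does a server certificate chain up to the bundle? Same exit status as openssl verify.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Throwaway root -> sub CA -> leaf PKI, constructed here purely for the demo.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.internal.example\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Sub CA' -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -out "$d/sub.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=app.internal.example' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" -CAcreateserial \
        -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo"

# The gotcha: root.crt saved without a trailing newline, then plain cat.
printf '%s' "$(cat "$demo/root.crt")" > "$demo/root-nonl.crt"
cat "$demo/root-nonl.crt" "$demo/sub.crt" > "$demo/glued.pem"
check_bundle "$demo/glued.pem" || echo "plain cat produced a bundle that does not parse"

# The bundle the notes describe: root + sub CA, built safely.
build_bundle "$demo/root-nonl.crt" "$demo/sub.crt" > "$demo/CA_BUNDLE.crt"
check_bundle "$demo/CA_BUNDLE.crt"
verify_leaf "$demo/CA_BUNDLE.crt" "$demo/leaf.crt" && echo "leaf verifies against root + sub CA"
if verify_leaf "$demo/root.crt" "$demo/leaf.crt"; then
    echo "leaf verifies against the root alone"
else
    echo "leaf does NOT verify against the root alone: the sub CA has to be in the bundle (or sent by the server)"
fi
```

For real use, replace the demo PKI with the PEM files your PKI team hands you: build_bundle root.crt sub.crt > CA_BUNDLE.crt, then check_bundle CA_BUNDLE.crt, and only then docker secret create. The last check shows the reason for appending the sub CA: a correctly configured server sends its intermediate itself, but when it does not, a bundle holding only the root cannot complete the chain.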
Full example

    services:
      demo:
        image: alpine
        environment:
          # only Node honours this; the path is the short-form secret mount below
          NODE_EXTRA_CA_CERTS: "/run/secrets/CA_BUNDLE"
        secrets:
          - CA_BUNDLE                      # mounted at /run/secrets/CA_BUNDLE
          - source: CA_BUNDLE              # only useful if update-ca-certificates runs in the container
            target: /usr/local/share/ca-certificates/custom/CA_BUNDLE.crt
          - source: CA_BUNDLE              # only found by apps that read this file explicitly
            target: /etc/ssl/certs/CA_BUNDLE.pem

    secrets:
      CA_BUNDLE:
        file: ./CA_BUNDLE.crt              # relative to the compose file; no Swarm needed