Improve security and reliability of traefik-certdumper #54
Reference: coop-cloud/organising#54
Several services (CoTURN and Mailu so far, although I'm sure I remember others) want access to the Traefik-generated SSL certificates so that they can encrypt & decrypt traffic themselves.
The usual way to do this in Docker-land is a container which loads Traefik's certificate store, and dumps specified certificates in PEM format.
It seems like the existing forest of certdumper images all have wrinkles: for Mailu, I ended up adding a gnarly custom entrypoint to override behaviour, plus a separate post-run script in the Mailu recipe. As well as being a lot (too much?) to add to each recipe, the security of this is pretty lol because a) certdumper dumps all certs on the swarm by default and b) it fails open -- I noticed the certdumper in workadventure is giving the workadventure-front container access to all certs 🙈

Improvements welcome!
Another approach, unsure if "better":
4ae3b7ef2d/compose.yml (L89-L98)
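As an added illustration of the two complaints above (dumping every cert on the swarm, and failing open), here is a minimal certdumper written for this page; it is not code from coop-cloud, from the Mailu/workadventure recipes, or from any existing certdumper image. It reads a Traefik acme.json store, writes PEM files for only the domains explicitly requested, creates the private key files with mode 0600, and raises instead of silently writing nothing when a requested domain has no certificate. The acme.json layout it assumes is the one Traefik v2 writes (one top-level key per certificate resolver, a `Certificates` list with `domain.main`/`domain.sans` and base64-encoded `certificate`/`key` fields); the sample store embedded below is constructed for the example and contains placeholder PEM text, not real keys.

```python
"""Minimal fail-closed certdumper for a Traefik v2 acme.json store.

Added example for this issue, not coop-cloud or certdumper project code.
Assumed acme.json layout (Traefik v2; check against your own store):
  {"<resolver>": {"Account": {...},
                  "Certificates": [{"domain": {"main": "...", "sans": [...]},
                                    "certificate": "<base64 PEM>",
                                    "key": "<base64 PEM>",
                                    "Store": "default"}]}}
"""
from __future__ import annotations

import base64
import json
import os
import sys
from pathlib import Path


class CertNotFound(Exception):
    """A requested domain has no certificate in the store: fail closed."""


def _b64(pem: str) -> str:
    """acme.json stores PEM blobs base64-encoded; helper for the sample data."""
    return base64.b64encode(pem.encode()).decode()


# Constructed sample store (placeholder PEM bodies, not real certificates/keys).
SAMPLE_STORE = {
    "letsencrypt": {
        "Account": {"Email": "admin@example.com"},
        "Certificates": [
            {
                "domain": {"main": "example.com", "sans": ["www.example.com"]},
                "certificate": _b64("-----BEGIN CERTIFICATE-----\nMIIBexample\n-----END CERTIFICATE-----\n"),
                "key": _b64("-----BEGIN PRIVATE KEY-----\nMIIBexample\n-----END PRIVATE KEY-----\n"),
                "Store": "default",
            },
            {
                "domain": {"main": "other.example.org", "sans": []},
                "certificate": _b64("-----BEGIN CERTIFICATE-----\nMIIBother\n-----END CERTIFICATE-----\n"),
                "key": _b64("-----BEGIN PRIVATE KEY-----\nMIIBother\n-----END PRIVATE KEY-----\n"),
                "Store": "default",
            },
        ],
    }
}


def _iter_certs(store: dict):
    """Yield (names, entry) for every certificate across all resolvers."""
    for _resolver, data in store.items():
        for entry in data.get("Certificates") or []:
            dom = entry.get("domain") or {}
            names = [dom.get("main", "")] + list(dom.get("sans") or [])
            yield names, entry


def select_certs(store: dict, wanted: list[str]) -> dict[str, tuple[bytes, bytes]]:
    """Return {domain: (cert_pem, key_pem)} for exactly the requested domains.

    A domain matches if it is the main name or a SAN of an entry. Any domain
    without a certificate raises CertNotFound rather than being skipped, so a
    misconfigured recipe fails loudly instead of starting without TLS material.
    """
    selected: dict[str, tuple[bytes, bytes]] = {}
    for domain in wanted:
        for names, entry in _iter_certs(store):
            if domain in names:
                selected[domain] = (
                    base64.b64decode(entry["certificate"]),
                    base64.b64decode(entry["key"]),
                )
                break
        else:
            raise CertNotFound(domain)
    return selected


def dump_certs(store: dict, out_dir: Path, wanted: list[str]) -> list[Path]:
    """Write <out_dir>/<domain>/{fullchain,privkey}.pem for the requested domains only."""
    written: list[Path] = []
    for domain, (cert_pem, key_pem) in select_certs(store, wanted).items():
        target = out_dir / domain
        target.mkdir(parents=True, exist_ok=True)
        cert_file, key_file = target / "fullchain.pem", target / "privkey.pem"
        cert_file.write_bytes(cert_pem)
        # Create the key with 0600 from the start so it is never world-readable,
        # then chmod to override any permissive umask on an existing file.
        fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(key_pem)
        os.chmod(key_file, 0o600)
        written += [cert_file, key_file]
    return written


if __name__ == "__main__":
    # Usage: certdump.py /traefik/acme.json /certs domain1 [domain2 ...]
    if len(sys.argv) < 4:
        sys.exit("usage: certdump.py ACME_JSON OUT_DIR DOMAIN [DOMAIN ...]")
    acme_store = json.loads(Path(sys.argv[1]).read_text())
    try:
        for path in dump_certs(acme_store, Path(sys.argv[2]), sys.argv[3:]):
            print(path)
    except CertNotFound as missing:
        sys.exit(f"no certificate for {missing} in {sys.argv[1]}; refusing to continue")
```

Mounting acme.json read-only into this container and mounting only the per-service output directory into the consuming service (rather than the whole dump volume) is what keeps one recipe from seeing another recipe's certificates; the fail-closed exit is what makes a typo in the domain list a visible deploy failure instead of a service that quietly runs without its certificate.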