This website, like most of the services I host in my homelab, runs in a Docker container hosted in a small Kubernetes cluster. I’ll go into more detail about the Kubernetes cluster in a later post. In this post I want to demonstrate a very simple container image I have created which bundles the root certificates distributed with most operating systems, making them available to the application running within.
Imagine an application which interacts with external resources over TLS, perhaps a website which stores input from users in a Google Sheets document. The Google API client performs HTTP requests over TLS whenever we read from or write to the spreadsheet.
In order to trust that our application is connecting to the authentic Google API, web browsers and our application alike rely on a locally stored, pre-trusted root certificate to validate the certificate chain the remote server presents when it is contacted. If the server’s certificate chains up to one of these trusted roots, the site being contacted is treated as legitimate.
These certificates are usually distributed with the operating system. On a Linux computer they are often found in /etc/ssl/certs. But what if the application is running in a FROM scratch Docker container?
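To make the failure mode concrete, here is an added example (my own code, not part of the original post) of what the application’s TLS library actually does with those files: it loads a PEM bundle such as /etc/ssl/certs/ca-certificates.crt into a pool of trusted roots and checks that the server’s certificate chains to one of them. The root CA, the server certificate and the hostname sheets.example.test are all constructed in memory for the demonstration, not real Google certificates; the verification code itself is the same path a real client takes. With the bundle present the chain validates; with an empty pool, which is what a scratch image gives you, the same certificate is rejected as signed by an unknown authority.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// genCert issues a certificate from tmpl, signed by parent/parentKey,
// or self-signed when parent is nil.
func genCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signKey := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signKey = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildTestPKI constructs a throwaway root CA and a server certificate it signed.
// This is constructed test data standing in for a real CA bundle and a real API endpoint.
func BuildTestPKI() (rootPEM []byte, server *x509.Certificate, err error) {
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, rootKey, err := genCert(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "sheets.example.test"},
		DNSNames:     []string{"sheets.example.test"}, // hypothetical API hostname
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server, _, err = genCert(leafTmpl, root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	rootPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
	return rootPEM, server, nil
}

// WriteBundle writes PEM data to a temp file that plays the role of
// /etc/ssl/certs/ca-certificates.crt; the caller removes it.
func WriteBundle(pemData []byte) (string, error) {
	f, err := os.CreateTemp("", "ca-certificates-*.crt")
	if err != nil {
		return "", err
	}
	defer f.Close()
	_, err = f.Write(pemData)
	return f.Name(), err
}

// LoadRoots reads a PEM bundle into a cert pool. In a FROM scratch image the
// file simply does not exist, which is the problem this post is about.
func LoadRoots(bundlePath string) (*x509.CertPool, error) {
	data, err := os.ReadFile(bundlePath)
	if err != nil {
		return nil, fmt.Errorf("no root bundle at %s (scratch image without root certs?): %w", bundlePath, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, errors.New("bundle contained no parseable certificates")
	}
	return pool, nil
}

// VerifyServer checks that server chains to one of roots and is valid for host.
func VerifyServer(server *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "no trusted root" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	rootPEM, server, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	bundle, err := WriteBundle(rootPEM)
	if err != nil {
		panic(err)
	}
	defer os.Remove(bundle)
	roots, err := LoadRoots(bundle)
	if err != nil {
		panic(err)
	}
	fmt.Println("with root bundle:", VerifyServer(server, roots, "sheets.example.test"))
	fmt.Println("empty pool (scratch image):", VerifyServer(server, x509.NewCertPool(), "sheets.example.test"))
	_, err = LoadRoots("/etc/ssl/certs/does-not-exist.crt")
	fmt.Println("missing bundle:", err)
}
```

The second verification is the one a scratch-based application hits in production: the server certificate is perfectly good, but with no roots to chain to the client cannot distinguish the real API from an impostor and correctly refuses to connect. Installing a bundle, whether by volume mount or by a base image, is what turns that refusal back into a successful check.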
A Potential Solution
Our application contacts the Google API and requires a root certificate as previously discussed. To satisfy this requirement, we could launch our container with a volume mount to insert the certificates from the host:
docker run -v /etc/ssl/certs:/etc/ssl/certs my-application
With this command we take the contents of /etc/ssl/certs on the host and mount them in the same location in our running container. This works great, assuming we know that the certificates will always be in this location on the host. But what if we want to run our application on another host, such as a node in a Kubernetes cluster?
I have created a tiny Docker image which contains the root certificates necessary for your application. To use it, download the source, build the root-certs image and tag it:
wget https://gitlab.grosinger.net/tgrosinger/root-certs/repository/master/archive.tar
tar -xf archive.tar
cd <resulting directory>
docker build -t root-certs .
Now, you can base any containers which need the root certificates on this one. For example, your Dockerfile might look like this:
# start from the image that carries the root certificates
FROM root-certs
# copy the statically linked application binary into the image
ADD my-application /my-application
ENTRYPOINT [ "/my-application" ]
This may end up slightly more complicated in the short run, but if you have multiple containers which all have this requirement, it is very nice to have one common base that satisfies it for all of the applications.