Closed aellwein closed 1 year ago
Thanks for reporting this!
That's definitely a use case the default Dockerfile should support, so it's a bug.
There's already a bit of logic for this above, based on the `$AUTO_CERTS` variable. Maybe we should only do `setfacl` if we've done `certbot renew`.
The other concern I have are permissions for your externally-provided certificates, but I think at that point since they're external you can probably manage that without needing to adjust the Dockerfile?
What do you think?
Sounds good to me. I can adjust the file mode of the files mounted to the pod. The only thing I probably need to take care of is an unattended restart of chasquid upon certificate renewal. I think I can manage this by means of writing a small k8s operator which needs to watch certificate resources. I already did something like this in my cert-backup-operator, so it should be no big deal here.
Great! I've submitted 567ad3512201958880bbe505ec23bce1f785d39d to next, moving the setfacl inside the conditional that renews the certificate.
Docker images are automatically built by the CI pipeline and uploaded to the gitlab registry and dockerhub, so you should be able to give them a try by using the `next` image tag.
Please let me know how it goes! Thank you!
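One way to express the gating the fix describes, as an added sketch that is not chasquid's own entrypoint.sh: the ACL fix-up runs only on the path that also renews certificates, and a readability check covers the externally mounted case. The names CERTS_DIR and CHASQUID_USER, the file names and the ACL mode are assumptions.

```shell
#!/bin/sh
# Added example, not chasquid's entrypoint.sh. Assumed names: AUTO_CERTS
# selects in-container renewal, CERTS_DIR holds the certificates,
# CHASQUID_USER is the unprivileged service account.

CERTS_DIR="${CERTS_DIR:-/etc/letsencrypt}"
CHASQUID_USER="${CHASQUID_USER:-chasquid}"

# "managed": the container renews certificates itself and must therefore
# also grant the service user read access to the renewed files.
# "external": certificates are mounted in (e.g. by cert-manager) and their
# permissions are the responsibility of whoever mounts them.
cert_mode() {
    if [ -n "${AUTO_CERTS:-}" ]; then
        echo managed
    else
        echo external
    fi
}

# Renewal and the ACL fix-up are one unit: neither runs for external certs,
# so the entrypoint no longer fails on a read-only mounted secret.
renew_and_fix_acl() {
    if [ "$(cert_mode)" = managed ]; then
        certbot renew
        setfacl -R -m "u:${CHASQUID_USER}:rX" "${CERTS_DIR}"
    fi
}

# In either mode, fail early if the files the daemon needs are unreadable
# by the current user, rather than at the first TLS handshake.
check_cert_readable() {
    dir="$1"
    for f in "$dir/fullchain.pem" "$dir/privkey.pem"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    return 0
}
```

In a real entrypoint, `check_cert_readable` would be run as the service user (for example via `su-exec` or `gosu`), since root can read files the daemon cannot.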
The fix was included in chasquid 1.10 (2022-09-02).
I want to use chasquid in my cloud environment (k8s) and had a look at the bundled Dockerfile; however, there is an issue: in entrypoint.sh there is an assumption that certificates are located inside the Docker container, or created on its filesystem.
However, that does not apply to my use case: I want the certificates to be managed/renewed by cert-manager and just mount them into chasquid's container, but in this case the `setfacl` logic is not working. @albertito Can you suggest something here? Should I use my own version of Dockerfile / entrypoint.sh?