appleboy / gorush

A push notification server written in Go (Golang).
MIT License

Support upload ios certificate file. #102

Open appleboy opened 8 years ago

johnjjung commented 6 years ago

Agreed! In k8s deployments, if we can use secrets instead of config maps so that you can load a base64 image of the APN key files, I think that would be much better. Otherwise you have to build the Docker image with the key file inside and push that to the repo, which is terrible practice.

Another way would be to have a deployment script that, after the Docker file loads, pulls it securely from a remote location. Maybe we can do this in the Dockerfile itself: if an ENV is set, then automatically `echo $CERTFILE > 'cert.p12'`, and in k8s secrets you just set it as a SECRET ENV.

appleboy commented 6 years ago

@johnjjung Good catch. Something like Use-Case: Pod with ssh keys or Using Secrets as Environment Variables. Right?

johnjjung commented 6 years ago

Thanks! You've got an awesome repo here! @appleboy

Yes, I think there's a very simple way of doing this without you having to modify anything.

I'm just overriding it with a custom command, either in docker-compose or in the Kubernetes file, to execute a custom deploy.sh script. Add `CMD deploy.sh`, and in your deploy.sh:

Basically turn your key files or sensitive credentials into base64 ENV's. In your deploy.sh just do something like:

```sh
# this will create your keyfile dynamically from a kubernetes secret or ENV
if [ -n "$KEYFILE" ]; then
  # quote the variable so the base64 text reaches the decoder unchanged
  echo "$KEYFILE" | base64 -d > /keyfile.p12
fi

# run gorush here with whatever flags you need; the best way is to specify the `keyfile.p12` that you've generated in your config file
gorush -c config.yml
```

Then you can expand without modification and deploy safely.

I'll write this up in a README.md and do a PR for you to review once I prove this concept on this repo. This actually works really well for the CI/CD that we're using.

appleboy commented 6 years ago

@johnjjung Waiting for your PR. Thanks. 👍

johnjjung commented 6 years ago

@appleboy

```
gorush_1  | standard_init_linux.go:195: exec user process caused "no such file or directory"
```

I keep getting this error. I see you're using the plugins/base:multiarch Docker image, which I'm not familiar with; can you point me in the right direction in debugging this?

I can't seem to even run a simple `printenv` in the Docker container.

johnjjung commented 6 years ago

I just changed the Dockerfile to alpine:latest for now; I'll circle back to this.

johnjjung commented 6 years ago

Hm... this is proving to be not as straightforward as many things in life...

```
gorush_1  | time="2017/12/08 - 18:56:43" level=error msg="Cert Error:pkcs12: error reading P12 data: asn1: structure error: tags don't match (16 vs {class:0 tag:19 length:48 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pfxPdu @2"
```

So apparently, after I dynamically create a cert.p12 from a base64 env, it's having trouble reading it.

johnjjung commented 6 years ago

OK, got it working now; gotta convert the cert.p12 to a PEM file.
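
The deploy.sh idea above (decode a base64 secret into a key file before starting gorush) together with the `pkcs12 ... tags don't match (16 vs ... tag:19 ...)` failure it ran into, as an added example that is not part of gorush or of anyone's comment in this thread. It writes the decoded key with owner-only permissions and refuses to hand gorush a file that is neither DER PKCS#12 nor PEM; `KEYFILE` and the output path are assumptions, not gorush options.

```shell
#!/bin/sh
# Added example, not gorush code. Decode base64 key material from an env var
# (e.g. a Kubernetes secret exposed as $KEYFILE, an assumed name) into a file
# and sanity-check the bytes before a PKCS#12 or PEM loader ever sees them.

# Print "der", "pem" or "unknown" for the file in $1.
# A DER PKCS#12 (PFX) file starts with an ASN.1 SEQUENCE tag, byte 0x30.
# The thread's error "tags don't match (16 vs ... tag:19 ...)" means the parser
# wanted a SEQUENCE (tag 16) and found a PrintableString (tag 19), i.e. the
# decoded bytes were not a DER PFX; this check catches that before startup.
keyfile_format() {
  first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
  if [ "$first" = "30" ]; then
    echo der
  elif head -c 10 "$1" | grep -q '^-----BEGIN'; then
    echo pem
  else
    echo unknown
  fi
}

# Decode base64 text $1 into file $2 with mode 0600, print the detected format
# and return 0; on empty input, bad base64 or unrecognised content, remove the
# file and return 1 so the deploy script does not start gorush with junk.
write_keyfile() {
  b64="$1"; out="$2"
  [ -n "$b64" ] || { echo "empty key material" >&2; return 1; }
  # subshell keeps the restrictive umask from leaking into the caller
  (umask 077; printf '%s' "$b64" | base64 -d > "$out") || { rm -f "$out"; return 1; }
  fmt=$(keyfile_format "$out")
  if [ "$fmt" = "unknown" ]; then
    echo "decoded data is neither DER PKCS#12 nor PEM (double-encoded secret?)" >&2
    rm -f "$out"
    return 1
  fi
  echo "$fmt"
}

# Typical use in deploy.sh (assumed layout):
#   fmt=$(write_keyfile "$KEYFILE" /keyfile.p12) && exec gorush -c config.yml
```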

beeing commented 3 weeks ago

Hi guys, I know this has been a while; is there a roadmap to specify a different cert via API to support multi-tenancy?

Thanks in advance.