
This commit removes the key generation stage of building Anchor containers. When a container is started it will look for a key in a docker volume named '/key'; if a correctly formatted key is present it will attempt to use it. If not, it will generate one before starting normal operations. Change-Id: I569f0fe07171faeed0cffc7c87f3075a094ec811
import logging
import os
import shutil
import sys
from subprocess import call
# Bootstrap logging: install the stdlib default handler, then give this
# script its own named logger at DEBUG so every provisioning step shows up
# in the container log.
_LOG_NAME = 'Anchor_Bootstrap'
logging.basicConfig()
logger = logging.getLogger(_LOG_NAME)
logger.setLevel(logging.DEBUG)
# This script looks for two mounted volumes, '/key' and '/config', which may
# contain key material and configuration files respectively. Anything found in
# either volume is copied over the defaults baked into the Anchor container.
# If '/key' is empty, this script generates a new private key (and a
# self-signed certificate for it) and uses that in place of the default.
# If '/config' is empty, no action is taken.
# Note that the default location for key material can be changed in
# config.json; that is up to the deployer.
# The reason for a separate /key volume is so that a new key can be created
# (or a deployer-provided one used) even when the default configuration is kept.
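# openssl invocations used to provision the CA material under CA/.
#
# Both produce a self-signed "Anchor Test CA" certificate valid for 365
# days.  The private key is written unencrypted (-nodes): there is no
# passphrase source inside the container, so the file is protected with
# chmod 0400 after it is put in place instead.  Deployers who need a real
# CA should mount their own key and certificate in /key rather than rely on
# this throwaway test CA.

# Case 1: nothing provided -- generate a fresh RSA-4096 key and certificate.
newkey_newcert = ["openssl", "req", "-out", "CA/root-ca.crt", "-keyout",
                  "CA/root-ca-unwrapped.key", "-newkey", "rsa:4096", "-subj",
                  "/CN=Anchor Test CA", "-nodes", "-x509", "-days", "365"]

# Case 2: key provided but no certificate -- self-sign one for that key.
# NOTE: "-new" and "-out" must be separate list elements; a missing comma
# here silently concatenated them into the single bogus option "-new-out",
# which openssl rejects.
newcert_existkey = ["openssl", "req", "-new", "-out", "CA/root-ca.crt", "-key",
                    "/key/root-ca-unwrapped.key", "-subj", "/CN=Anchor Test CA",
                    "-nodes", "-x509", "-days", "365"]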
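# Anchor containers no longer ship with built-in keys.  Use the deployer's
# key from the /key volume if there is one, otherwise build one now.  A key
# built here lives only as long as the container.
#
# Only the *presence* of the files is checked here.  When a key is provided
# without a certificate, openssl reads it directly and a malformed key
# aborts the bootstrap; when key and certificate are both provided they are
# copied as-is and a bad pair only fails once Anchor tries to use them.


def _run_openssl(cmd):
    """Run an openssl command, aborting the bootstrap if it fails.

    Args:
        cmd: argv list handed to ``subprocess.call`` (no shell involved).

    The exit status used to be ignored, so a failed generation only showed
    up later as a chmod error on a missing file or, worse, as pecan serving
    without usable CA material.  Exit non-zero instead so the container
    stops visibly.
    """
    logger.debug("Running: %s", " ".join(cmd))
    status = call(cmd)
    if status != 0:
        logger.error("openssl exited with status %s; not starting Anchor",
                     status)
        sys.exit(1)


def _lock_down_key(path):
    """Make the private key owner-read-only (0400).

    shutil.copy2 preserves the source file's mode, so a world-readable key
    in the volume would otherwise stay world-readable inside the container.
    """
    os.chmod(path, 0o400)


if os.path.exists('/key/root-ca-unwrapped.key'):
    if os.path.exists('/key/root-ca.crt'):
        # Provided both a key and a certificate: install them unchanged.
        logger.info("Private key and certificate provided")
        shutil.copy2('/key/root-ca-unwrapped.key', 'CA/root-ca-unwrapped.key')
        shutil.copy2('/key/root-ca.crt', 'CA/root-ca.crt')
        _lock_down_key('CA/root-ca-unwrapped.key')
    else:
        # Provided key but no certificate: self-sign one for it.  The
        # original code called an undefined name here (newcert_existingkey),
        # so this branch raised NameError before ever reaching openssl.
        logger.info("Key provided without certificate. Generating certificate")
        _run_openssl(newcert_existkey)
        shutil.copy2('/key/root-ca-unwrapped.key', 'CA/root-ca-unwrapped.key')
        _lock_down_key('CA/root-ca-unwrapped.key')
else:
    # No key or certificate provided -- possibly no /key volume at all.
    logger.info("No key provided, Anchor will generate a dynamic one")
    logger.info("To use a persistent key, create one and provide it in a key volume")
    logger.info("Generating new key and certificate")
    _run_openssl(newkey_newcert)
    _lock_down_key('CA/root-ca-unwrapped.key')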
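# If the deployer mounted a /config volume, its files override the image
# defaults.  Nothing happens when the volume is absent or a file is missing.
#
# Security note: config.py is Python that pecan executes below, so whoever
# can write to the /config volume can run arbitrary code in this container.
# That is by design (the deployer owns the volume) but worth keeping in mind
# when deciding who may populate it.
for _name in ('config.json', 'config.py'):
    _src = os.path.join('/config', _name)
    if os.path.exists(_src):
        logger.info("Using deployer-provided %s", _name)
        shutil.copy2(_src, './')

# Start the pecan service.  Propagate its exit status instead of always
# exiting 0, so the container (and anything supervising it) can tell that
# the service died rather than seeing a clean shutdown.
sys.exit(call(['pecan', 'serve', 'config.py']))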