@tashian
Last active October 5, 2021 20:26
A MongoDB Dockerfile that bootstraps with a step-ca Certificate Authority for root CA trust

FROM mongo

ARG CA_URL
ARG CA_FINGERPRINT
ENV CA_URL=${CA_URL} CA_FINGERPRINT=${CA_FINGERPRINT}

# Fetch the root CA certificate from step-ca and trust it only if its SHA-256
# fingerprint matches CA_FINGERPRINT. curl -k skips TLS verification because the
# root is not trusted yet; the fingerprint comparison is what authenticates it.
# set -e stops the build at the first failing step instead of carrying on.
RUN set -e; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        curl \
        jq \
        openssl \
    ; \
    curl -ks "${CA_URL}/root/${CA_FINGERPRINT}" \
        | jq -re ".ca" \
        | tee /usr/local/share/ca-certificates/root_ca.crt; \
    fingerprint=$(openssl x509 -in /usr/local/share/ca-certificates/root_ca.crt -noout -sha256 -fingerprint \
        | tr -d ":" \
        | cut -d "=" -f 2 \
        | tr "[:upper:]" "[:lower:]"); \
    if [ "$fingerprint" = "${CA_FINGERPRINT}" ]; then \
        /usr/sbin/update-ca-certificates; \
    else \
        echo >&2; \
        echo >&2 "error: CA certificate fingerprint $fingerprint does not match expected value ${CA_FINGERPRINT}"; \
        echo >&2; \
        exit 1; \
    fi; \
    rm -rf /var/lib/apt/lists/*


tashian commented Oct 5, 2021

CA_URL and CA_FINGERPRINT should be supplied as build args, e.g.:

docker build . --build-arg "CA_FINGERPRINT=c8de28e...620ecaa" \
        --build-arg "CA_URL=https://ca:4443/"
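
The Dockerfile compares CA_FINGERPRINT against a lowercase, colon-free SHA-256 of the certificate's DER bytes, so a value pasted in `AA:BB:...` form will fail the build. As an added example (not part of the gist; the function names are hypothetical), this script derives the value in that form from a trusted copy of the root certificate and checks a supplied fingerprint, failing closed on empty or malformed input:

```shell
#!/bin/sh
# Added example, not part of the gist. Function names are hypothetical.

# Canonical form used by the Dockerfile check: lowercase hex, no colons.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr '[:upper:]' '[:lower:]'
}

# SHA-256 over the DER bytes of the first certificate in PEM file $1: the
# value `openssl x509 -sha256 -fingerprint` reports, without colons, lowercased.
pem_fingerprint() {
    awk '/-----BEGIN CERTIFICATE-----/ {on = 1; next}
         /-----END CERTIFICATE-----/   {exit}
         on' "$1" \
        | tr -d '\r\n' | base64 -d 2>/dev/null | sha256sum | cut -d ' ' -f 1
}

# Exit 0 only when PEM file $1 hashes to fingerprint $2.
# Exit 1 on mismatch, 2 on unusable input.
verify_root() {
    expected=$(normalize_fp "$2")
    # Fail closed: an empty, short or non-hex expected value never matches.
    case "$expected" in
        '' | *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || return 2
    [ "$(pem_fingerprint "$1")" = "$expected" ]
}

# Constructed sample: the PEM body is base64 of the bytes "hello", not a real
# certificate. The fingerprint is a plain hash of whatever bytes the PEM wraps.
write_sample_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'aGVsbG8=' \
        '-----END CERTIFICATE-----' > "$1"
}

# CLI use: one argument prints the fingerprint, two arguments verify it.
case "$#" in
    1) pem_fingerprint "$1" ;;
    2) if verify_root "$1" "$2"; then
           echo "fingerprint matches"
       else
           echo "fingerprint mismatch or bad input" >&2; exit 1
       fi ;;
esac
```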
