fix(certs): use mounted certs instead of built into image ones

Signed-off-by: Boris Glimcher <[email protected]>
opiproject · Jun 12, 2024 · d38ee44 · d38ee44
1 parent 120947f
commit d38ee44
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 7 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -9,7 +9,11 @@ services:
     image: ghcr.io/opiproject/opi-sztp-server:main
     build:
       context: sztp-server
+    depends_on:
+      setup-cert:
+        condition: service_completed_successfully
     volumes:
+      - server-certs:/certs
       - ./sztp-server/images:/media
     environment:
       SZTPD_INIT_PORT: 6080
@@ -32,6 +36,11 @@ services:
     image: ghcr.io/opiproject/opi-sztp-server:main
     build:
       context: sztp-server
+    depends_on:
+      setup-cert:
+        condition: service_completed_successfully
+    volumes:
+      - server-certs:/certs
     environment:
       SZTPD_INIT_PORT: 6080
       SZTPD_NBI_PORT: 7070
@@ -92,8 +101,8 @@ services:
     entrypoint: /bin/bash
     command: >
       -c '
-        set -e
-        cp sztpd1/sbi/end-entity/private_key.pem sztpd1/sbi/end-entity/my_cert.pem /tmp/ta_cert_chain.pem /certs/server/
+        set -ex
+        cp sztpd1/sbi/end-entity/private_key.{pem,der} sztpd1/sbi/end-entity/public_key.der sztpd1/sbi/end-entity/my_cert.pem /tmp/cert_chain.{pem,cms} /tmp/ta_cert_chain.{pem,cms} /certs/server/
         cp client/end-entity/private_key.pem client/end-entity/my_cert.pem /opi.pem /certs/client/
       '
 

diff --git a/sztp-server/docker-entrypoint.sh b/sztp-server/docker-entrypoint.sh
@@ -24,11 +24,11 @@ envsubst '$BOOT_IMG_HASH_VAL' < /tmp/"${SZTPD_OPI_MODE}".json.configs > /tmp/"${
 diff /tmp/"${SZTPD_OPI_MODE}".json.configs /tmp/"${SZTPD_OPI_MODE}".json.images || true
 
 # shellcheck disable=SC2016
-SBI_PRI_KEY_B64=$(openssl enc -base64 -A -in sztpd1/sbi/end-entity/private_key.der) \
-SBI_PUB_KEY_B64=$(openssl enc -base64 -A -in sztpd1/sbi/end-entity/public_key.der) \
-SBI_EE_CERT_B64=$(openssl enc -base64 -A -in /tmp/cert_chain.cms) \
-BOOTSVR_TA_CERT_B64=$(openssl enc -base64 -A -in /tmp/ta_cert_chain.cms) \
-CLIENT_CERT_TA_B64=$(openssl enc -base64 -A -in /tmp/ta_cert_chain.cms) \
+SBI_PRI_KEY_B64=$(openssl enc -base64 -A -in /certs/private_key.der) \
+SBI_PUB_KEY_B64=$(openssl enc -base64 -A -in /certs/public_key.der) \
+SBI_EE_CERT_B64=$(openssl enc -base64 -A -in /certs/cert_chain.cms) \
+BOOTSVR_TA_CERT_B64=$(openssl enc -base64 -A -in /certs/ta_cert_chain.cms) \
+CLIENT_CERT_TA_B64=$(openssl enc -base64 -A -in /certs/ta_cert_chain.cms) \
 envsubst '$CLIENT_CERT_TA_B64,$SBI_PRI_KEY_B64,$SBI_PUB_KEY_B64,$SBI_EE_CERT_B64,$BOOTSVR_TA_CERT_B64' < /tmp/"${SZTPD_OPI_MODE}".json.images > /tmp/"${SZTPD_OPI_MODE}".json.keys
 diff /tmp/"${SZTPD_OPI_MODE}".json.images /tmp/"${SZTPD_OPI_MODE}".json.keys || true