docker related

docker/scripts/generate-certs.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+# Docker TLS Certificate Generation Script
+# Generates CA, server, and client certificates for secure Docker API access
+
+set -e
+
+CERTS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/certs"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Configuration
+DAYS=3650  # 10 years
+COUNTRY="NO"
+STATE="Norway"
+CITY="Oslo"
+ORG="Lovdata Chat"
+OU="DevOps"
+EMAIL="admin@lovdata-chat.local"
+
+# Environment-specific settings
+ENVIRONMENT="${DOCKER_ENV:-development}"
+DOCKER_HOST_IP="${DOCKER_HOST_IP:-127.0.0.1}"
+DOCKER_HOST_NAME="${DOCKER_HOST_NAME:-localhost}"
+
+echo "Generating Docker TLS certificates for environment: $ENVIRONMENT"
+echo "Certificate directory: $CERTS_DIR"
+
+# Create certificates directory
+mkdir -p "$CERTS_DIR"
+
+# Generate CA private key and certificate
+echo "Generating CA certificate..."
+openssl genrsa -aes256 -passout pass:password -out "$CERTS_DIR/ca-key.pem" 4096
+openssl req -new -x509 -days $DAYS -key "$CERTS_DIR/ca-key.pem" -passin pass:password -sha256 \
+    -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORG/OU=$OU/CN=Docker-CA-$ENVIRONMENT/emailAddress=$EMAIL" \
+    -out "$CERTS_DIR/ca.pem"
+
+# Generate server private key and certificate
+echo "Generating server certificate..."
+openssl genrsa -out "$CERTS_DIR/server-key.pem" 4096
+
+# Create server certificate signing request
+openssl req -subj "/CN=$DOCKER_HOST_NAME" -new -key "$CERTS_DIR/server-key.pem" \
+    -out "$CERTS_DIR/server.csr"
+
+# Create server extensions file
+cat > "$CERTS_DIR/server-extfile.cnf" << EOF
+subjectAltName = IP:$DOCKER_HOST_IP,DNS:$DOCKER_HOST_NAME,DNS:localhost,IP:127.0.0.1
+extendedKeyUsage = serverAuth
+EOF
+
+# Sign server certificate
+openssl x509 -req -days $DAYS -in "$CERTS_DIR/server.csr" -CA "$CERTS_DIR/ca.pem" \
+    -CAkey "$CERTS_DIR/ca-key.pem" -passin pass:password -CAcreateserial \
+    -out "$CERTS_DIR/server-cert.pem" -sha256 -extfile "$CERTS_DIR/server-extfile.cnf"
+
+# Generate client private key and certificate
+echo "Generating client certificate..."
+openssl genrsa -out "$CERTS_DIR/client-key.pem" 4096
+
+# Create client certificate signing request
+openssl req -subj "/CN=docker-client-$ENVIRONMENT" -new -key "$CERTS_DIR/client-key.pem" \
+    -out "$CERTS_DIR/client.csr"
+
+# Create client extensions file
+cat > "$CERTS_DIR/client-extfile.cnf" << EOF
+extendedKeyUsage = clientAuth
+EOF
+
+# Sign client certificate
+openssl x509 -req -days $DAYS -in "$CERTS_DIR/client.csr" -CA "$CERTS_DIR/ca.pem" \
+    -CAkey "$CERTS_DIR/ca-key.pem" -passin pass:password -CAcreateserial \
+    -out "$CERTS_DIR/client-cert.pem" -sha256 -extfile "$CERTS_DIR/client-extfile.cnf"
+
+# Clean up temporary files
+rm -f "$CERTS_DIR/ca.srl" "$CERTS_DIR/server.csr" "$CERTS_DIR/client.csr"
+rm -f "$CERTS_DIR/server-extfile.cnf" "$CERTS_DIR/client-extfile.cnf"
+
+# Set proper permissions
+chmod 0400 "$CERTS_DIR/ca-key.pem" "$CERTS_DIR/server-key.pem" "$CERTS_DIR/client-key.pem"
+chmod 0444 "$CERTS_DIR/ca.pem" "$CERTS_DIR/server-cert.pem" "$CERTS_DIR/client-cert.pem"
+
+echo "Certificate generation complete!"
+echo ""
+echo "Generated files:"
+echo "  CA Certificate: $CERTS_DIR/ca.pem"
+echo "  Server Certificate: $CERTS_DIR/server-cert.pem"
+echo "  Server Key: $CERTS_DIR/server-key.pem"
+echo "  Client Certificate: $CERTS_DIR/client-cert.pem"
+echo "  Client Key: $CERTS_DIR/client-key.pem"
+echo ""
+echo "Environment variables for docker-compose.yml:"
+echo "  DOCKER_TLS_VERIFY=1"
+echo "  DOCKER_CERT_PATH=$CERTS_DIR"
+echo "  DOCKER_HOST=tcp://$DOCKER_HOST_IP:2376"
+echo ""
+echo "For production, ensure certificates are securely stored and rotated regularly."