Make a reverse proxy apache for ssl client certs
What's the idea?
You have a webapp, and people or other apps get access to it under the following circumstances:
- they have a client cert from a specific intermediate CA
- all this funny stuff runs in an OpenShift / OKD or Kubernetes cluster (Kubernetes with Contour ingress; OCP, OKD with Route)
This is meant as an example for such a use case!
simulated situation
- Root CA:
  emailAddress=webmaster@pflaeging.net,OU=development,O=pflaeging.net,L=Ulrichskirchen,ST=NOE,C=AT
- Intermediate CA (the bad one):
  emailAddress=webmaster@pflaeging.net,OU=The Bad,O=pflaeging.net,L=Ulrichskirchen,ST=NOE,C=AT
- Intermediate CA (the good one):
  emailAddress=webmaster@pflaeging.net,OU=The Good,O=pflaeging.net,L=Ulrichskirchen,ST=NOE,C=AT
Client certificates are issued by both intermediate CAs, but we only trust "The good one" (as the name implies).
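The simulated situation above, rebuilt with the openssl CLI as an added example (not part of this repository): it shows that a trust store anchored at the root accepts client certs from both intermediates, while one anchored at the good intermediate rejects "The Bad". The `example.test` subjects, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI: example.test names, 1-day certs.
set -e

# issue NAME SUBJECT SIGNER EXTFILE: new key, plus a cert for NAME signed by SIGNER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "$2" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 1 -extfile "$4" -out "$1.crt" 2>/dev/null
}

# build_pki DIR: root -> {good-ca, bad-ca} -> one client certificate each
build_pki() (
  cd "$1"
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  echo 'basicConstraints=CA:FALSE' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key \
    -subj '/O=example.test/OU=development' -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 1 \
    -extfile ca.ext -out root.crt 2>/dev/null
  issue good-ca '/O=example.test/OU=The Good' root ca.ext
  issue bad-ca '/O=example.test/OU=The Bad' root ca.ext
  issue good-client '/O=example.test/CN=client-good' good-ca leaf.ext
  issue bad-client '/O=example.test/CN=client-bad' bad-ca leaf.ext
  cat good-ca.crt bad-ca.crt > intermediates.pem
)

# Anchor = root; both intermediates are offered as untrusted chain material.
accepted_by_root() {  # DIR CLIENT
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediates.pem" \
    "$1/$2.crt" 2>&1 | grep -q ': OK$'
}

# Anchor = the good intermediate only; -partial_chain allows a non-root anchor.
accepted_by_good_ca() {  # DIR CLIENT
  openssl verify -partial_chain -CAfile "$1/good-ca.crt" \
    "$1/$2.crt" 2>&1 | grep -q ': OK$'
}

dir=$(mktemp -d)
build_pki "$dir"
for c in good-client bad-client; do
  accepted_by_root "$dir" "$c" && r=accept || r=reject
  accepted_by_good_ca "$dir" "$c" && g=accept || g=reject
  echo "$c: root-anchored=$r good-ca-anchored=$g"
done
rm -rf "$dir"
```

The same distinction applies to whatever CA bundle the proxy is given for client verification: if the bundle lets a chain end at the shared root, membership under "The Good" has to be enforced by a separate check on the issuer.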
implementation
Implementation is:
- a docker build with
  docker build -t quay.io/myuser/myimage:latest .
  (or podman). There's also a kustomize BuildConfig in ./kustomize/build/.
  Have a look at the root CAs in the Dockerfile; you will need them.
- kustomize based (use ./kustomize/template/ as a starting point)
- default is a passthrough Route for OpenShift / OKD
- The Apache httpd.conf is mounted as ConfigMap
- The certs for Apache are mounted as Secret
Peter Pfläging <peter@pflaeging.net>