Containerization¶
TeskaLabs SeaCat PKI is a Docker and Podman friendly.
The backend microservice can be deployed as a container, together with the rest of the application ecosystem (NGINX, MongoDB, etc.).
The whole containerized deployment can be orchestrated by docker compose, Kubernetes and other container orchestration tools.
Deployment via docker-compose¶
Used containers:
mongo: MongoDB databasenginx: NGINX API Gatewayseacatpki: TeskaLabs SeaCat PKI microserviceacme.sh: acme.sh Let's Encrypt client (optional)
Directory structure¶
docker-compose.yamlconf-nginx/nginx.conf
conf-seacatpki/seacatpki.conf
seacatpki/# SeaCat PKI Git repository clonedata-mongo/# A persistent data folder for Mongo DBlog/# Log filesacme.sh/# Let's encrypt / acme.sh files
docker-compose.yaml¶
services:
mongo:
image: mongo
volumes:
- ./data-mongo:/data/db
- ./log:/log
networks:
- seacatpkinet
nginx:
image: nginx:latest
depends_on:
- seacatpki
ports:
- 80:80/tcp
- 443:443/tcp
volumes:
- ./conf-nginx:/etc/nginx/conf.d
- ./log:/log
- ./acme.sh:/acme.sh
networks:
- seacatpkinet
seacatpki:
build: .
depends_on:
- mongo
volumes:
- ./conf-seacatpki:/conf
- ./log:/log
networks:
- seacatpkinet
acme-sh:
image: neilpang/acme.sh
command: daemon
volumes:
- ./acme.sh:/acme.sh
networks:
- seacatpkinet
networks:
seacatpkinet:
driver: bridge
nginx.conf¶
server {
listen 80 default_server;
server_name _;
server_tokens off;
access_log /log/nginx-access.log;
error_log /log/nginx-error.log;
location /.well-known/acme-challenge/ {
default_type text/plain;
proxy_read_timeout 60;
proxy_connect_timeout 60;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://acme-sh;
}
}
server {
listen 443 default_server ssl http2;
server_name _;
server_tokens off;
access_log /log/nginx-access-ssl.log;
error_log /log/nginx-error-ssl.log;
ssl_certificate /acme.sh/example.com_ecc/fullchain.cer;
ssl_certificate_key /acme.sh/example.com_ecc/example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 4h;
add_header Strict-Transport-Security max-age=31536000;
location / {
return 301 https://example.com;
}
}
Note
The SSL part (443) may be added only after acme.sh (below) issues certificate.
seacatpki.conf¶
[asab:storage]
type=mongodb
mongodb_uri=mongodb://mongo:27017/
mongodb_database=seacatpkidb
[web]
listen=0.0.0.0 8080
[logging:file]
path=/log/seacatpki.log
acme.sh¶
The script acme.sh is used to obtain Let's Encrypt certificate.
$ docker-compose exec acme-sh acme.sh \
--update-account --accountemail you@yourdomain.com
$ docker-compose exec acme-sh acme.sh \
--standalone --keylength ec-384 --issue -d example.com
Tip
Automatic renewals are handled by this container too.
Container image¶
The TeskaLabs SeaCat PKI microservice image is based on Alpine Linux. TeskaLabs distributes the container image via its private container registry.
The container image contains SoftHSM2 and OpenSSL libraries.
Dockerfile
There is a Dockerfile available in the root of the SeaCat PKI microservice repository.