Add Alpine linux support

ed0b112a · Carl Tashian · dabd09f7 · ed0b112a · ed0b112a · ed0b112a
Commit ed0b112a authored 3 years ago by Carl Tashian
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
+FROM alpine
+
+# Change these, or supply them via build args:
+ARG CA_URL=https://certmgr.beta.ca.smallstep.com
+ARG CA_FINGERPRINT=5d7858904294e59aac64c41b38feb6154fb22e51d4095cde500be56c8a93cacf
+
+ENV CA_URL=${CA_URL} CA_FINGERPRINT=${CA_FINGERPRINT}
+RUN apt update; \
+    apk --no-cache add \
+        curl \
+        jq \
+        openssl \
+    ; \
+    curl -ks "${CA_URL}/root/${CA_FINGERPRINT}" \
+      | jq -re ".ca" \
+      | tee /usr/local/share/ca-certificates/root_ca.crt; \
+    fingerprint=$(openssl x509 -in /usr/local/share/ca-certificates/root_ca.crt -noout -sha256 -fingerprint \
+                    | tr -d ":" \
+                    | cut -d "=" -f 2 \
+                    | tr "[:upper:]" "[:lower:]"); \
+    if [ $fingerprint = ${CA_FINGERPRINT} ]; then \
+	  /usr/sbin/update-ca-certificates; \
+    else \
+      echo >&2; \
+      echo >&2 "error: CA cert fingerprint $fingerprint does not match expected value ${CA_FINGERPRINT}"; \
+      echo >&2; \
+      exit 1; \
+    fi; \
+
--- a/Dockerfile
+++ b/Dockerfile
--- a/README.md
+++ b/README.md
 # docker-ca-trust

-This is an example of a Docker image that bootstraps with an internal [`step-ca`](https://github.com/smallstep/certificates/) server.
-It can serve as a pattern for trusting internal CAs, for any Ubuntu-based Docker image.
-The CA URL and Fingerprint can be hardcoded in the `Dockerfile` or supplied as build arguments.
+This is a set of Dockerfiles that can bootstrap an internal [`step-ca`](https://github.com/smallstep/certificates/) server on top of an OS image.
+It can serve as a pattern for trusting internal CAs, for any Docker image.

-This image can be layered on top of any Ubuntu-based server image.
-For example, change `FROM ubuntu:focal` to `FROM mongo` and you will get a MongoDB server that trusts your CA.
-The CA certificate is stored in `/usr/local/share/ca-certificates/root_ca.crt` in the container.
+Supported base images:

-To build it:
+* `ubuntu:focal`
+* `alpine:latest`
+
+## Example usage
+
+Say we want the `mongo` image to trust an internal CA.  `mongo` uses `ubuntu:focal`. So start with `Dockerfile.ubuntu`, and change `FROM ubuntu:focal` to `FROM mongo`. Build it and you will get a MongoDB server that trusts your CA.
+
+The CA URL and Fingerprint can be hardcoded in the `Dockerfile`, or supplied as build arguments:

 ```
-docker build . --build-arg CA_URL=https://ca.smallstep.com --build-arg CA_FINGERPRINT=abc123123
+docker build -f Dockerfile.ubuntu . --build-arg CA_URL=https://ca.example.com --build-arg CA_FINGERPRINT=abc123123
+docker build -f Dockerfile.alpine . --build-arg CA_URL=https://ca.example.com --build-arg CA_FINGERPRINT=abc123123
 ```