fix(docker): fix ca entrypoint logic and healthcheck

With this commit, it is advised to `rm ./data/root_ca.crt ./data/*.pem`, as new certificates and a root CA will be generated while utilizing the step volume. Closes #367 Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2022-08-13 23:17:53 -07:00 · 2022-08-13 23:17:53 -07:00 · d63615a994
commit d63615a994
parent 6f7ac33166
3 changed files with 34 additions and 40 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,8 +31,10 @@ services:
    entrypoint: /docker/ca-entrypoint.sh
    command: /docker/scripts/run-ca.sh
    healthcheck:
-      test: "bash /docker/health/run-ca.sh"
-      interval: 2s
+      test: "bash /docker/health/ca.sh"
+      interval: 3s
+    volumes:
+      - step:/root/.step

  memcached:
    image: aurweb:latest
@ -40,7 +42,7 @@ services:
    command: /docker/scripts/run-memcached.sh
    healthcheck:
      test: "bash /docker/health/memcached.sh"
-      interval: 2s
+      interval: 3s
 
  redis:
    image: aurweb:latest
@ -49,7 +51,7 @@ services:
    command: /docker/scripts/run-redis.sh
    healthcheck:
      test: "bash /docker/health/redis.sh"
-      interval: 2s
+      interval: 3s
    ports:
      - "127.0.0.1:16379:6379"

@ -67,7 +69,7 @@ services:
      - mariadb_data:/var/lib/mysql
    healthcheck:
      test: "bash /docker/health/mariadb.sh"
-      interval: 2s
+      interval: 3s

  mariadb_init:
    image: aurweb:latest
@ -98,7 +100,7 @@ services:
      - mariadb_test_run:/var/run/mysqld # Bind socket in this volume.
    healthcheck:
      test: "bash /docker/health/mariadb.sh"
-      interval: 2s
+      interval: 3s

  git:
    image: aurweb:latest
@ -113,7 +115,7 @@ services:
      - "2222:2222"
    healthcheck:
      test: "bash /docker/health/sshd.sh"
-      interval: 2s
+      interval: 3s
    depends_on:
      mariadb_init:
        condition: service_started
@ -129,7 +131,7 @@ services:
    command: /docker/scripts/run-smartgit.sh
    healthcheck:
      test: "bash /docker/health/smartgit.sh"
-      interval: 2s
+      interval: 3s

  cgit-php:
    image: aurweb:latest
@ -142,7 +144,7 @@ services:
    command: /docker/scripts/run-cgit.sh 3000
    healthcheck:
      test: "bash /docker/health/cgit.sh 3000"
-      interval: 2s
+      interval: 3s
    depends_on:
      git:
        condition: service_healthy
@ -162,7 +164,7 @@ services:
    command: /docker/scripts/run-cgit.sh 3000
    healthcheck:
      test: "bash /docker/health/cgit.sh 3000"
-      interval: 2s
+      interval: 3s
    depends_on:
      git:
        condition: service_healthy
@ -199,7 +201,7 @@ services:
    command: /docker/scripts/run-php.sh
    healthcheck:
      test: "bash /docker/health/php.sh"
-      interval: 2s
+      interval: 3s
    depends_on:
      git:
        condition: service_healthy
@ -228,7 +230,7 @@ services:
    command: /docker/scripts/run-fastapi.sh "${FASTAPI_BACKEND}"
    healthcheck:
      test: "bash /docker/health/fastapi.sh ${FASTAPI_BACKEND}"
-      interval: 2s
+      interval: 3s
    depends_on:
      git:
        condition: service_healthy
@ -254,10 +256,10 @@ services:
      - "127.0.0.1:8444:8444" # FastAPI
    healthcheck:
      test: "bash /docker/health/nginx.sh"
-      interval: 2s
+      interval: 3s
    depends_on:
      ca:
-        condition: service_started
+        condition: service_healthy
      cgit-php:
        condition: service_healthy
      cgit-fastapi:
--- a/docker/ca-entrypoint.sh
+++ b/docker/ca-entrypoint.sh
@ -89,27 +89,12 @@ step_cert_request() {
    chmod 666 /data/${1}.*.pem
 }

-if [ ! -f $DATA_ROOT_CA ]; then
+if [ ! -d /root/.step/config ]; then
+    # Remove existing certs.
+    rm -vf /data/localhost.{cert,key}.pem /data/root_ca.crt
+
    setup_step_ca
    install_step_ca
-fi
-
-# For all hosts separated by spaces in $DATA_CERT_HOSTS, perform a check
-# for their existence in /data and react accordingly.
-for host in $DATA_CERT_HOSTS; do
-    if [ -f /data/${host}.cert.pem ] && [ -f /data/${host}.key.pem ]; then
-        # Found an override. Move on to running the service after
-        # printing a notification to the user.
-        echo "Found '${host}.{cert,key}.pem' override, skipping..."
-        echo -n "Note: If you need to regenerate certificates, run "
-        echo '`rm -f data/*.{cert,key}.pem` before starting this service.'
-        exec "$@"
-    else
-        # Otherwise, we had a missing cert or key, so remove both.
-        rm -f /data/${host}.cert.pem
-        rm -f /data/${host}.key.pem
-    fi
-done

    start_step_ca
    for host in $DATA_CERT_HOSTS; do
@ -117,6 +102,13 @@ for host in $DATA_CERT_HOSTS; do
    done
    kill_step_ca

+    echo -n "WARN: Your certificates are being regenerated to resolve "
+    echo -n "an inconsistent step-ca state. You will need to re-import "
+    echo "the root CA certificate into your browser."
+else
+    exec "$@"
+fi
+
 # Set permissions to /data to rwx for everybody.
 chmod 777 /data

--- a/docker/health/ca.sh
+++ b/docker/health/ca.sh
@ -1,2 +1,2 @@
-
-exec printf "" 2>>/dev/null >>/dev/tcp/127.0.0.1/8443
+#!/bin/bash
+exec curl -qkiI 'https://localhost:8443/'