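# Manifest for a TLS-protected Docker host.
#
# Components: `compute` (an EC2 instance), `docker` (cobalt.docker.Service) and
# `installer` (workflow.Instance). The installer's `launch` workflow installs
# docker with yum, generates a CA, a server certificate and a client certificate
# with openssl, points the daemon at the server certificate on tcp/2376 with
# --tlsverify, and returns the client key/certificate and the CA certificate so
# the `docker` component can reach the daemon.
application:
  configuration:
    configuration.imageId: "ami-1ccae774"
    configuration.hardwareId: "m3.medium"
    configuration.locationId: "us-east-1"
    configuration.login: "ec2-user"
    configuration.group: "default"

  interfaces:
    configuration:
      imageId: bind(compute#configuration.imageId)
      hardwareId: bind(compute#configuration.hardwareId)
      locationId: bind(compute#configuration.locationId)
      login: bind(compute#configuration.login)
      group: bind(compute#configuration.group)
    docker:
      "*": "bind(docker#docker.*)"

  components:
    docker:
      type: cobalt.docker.Service
    compute:
      type: compute.Instance
    installer:
      type: workflow.Instance
      interfaces:
        compute:
          networks: consume-signal(map<string, map<string, string>>)
          exec: send-command(string command, int timeout => string stdOut, string stdErr => string stdOut, string stdErr, int exitCode)
        result:
          address: publish-signal(string)
          client-key: publish-signal(string)
          client-certificate: publish-signal(string)
          ca-certificate: publish-signal(string)
      required:
        - compute
      configuration:
        configuration.workflows:
          launch:
            steps:
              # Package install runs as root; everything that touches the
              # generated key material below runs as the login user.
              install:
                action: execrun
                parameters:
                  roles: [ compute ]
                  isSudo: true
                  command: [ "yum -y -q install docker" ]
              get-signals:
                action: getSignals
                output:
                  signals: result
              # Creates certs/ in the login user's working directory with the
              # CA key, server key and client key. `umask 077` keeps every file
              # written here (keys included) readable only by that user; the
              # root-run `configure` step and the same-user `cat` steps can
              # still read them. The CA key (ca-key.pem) is left on the
              # instance after the workflow finishes.
              # The server certificate's SAN is the instance's public IP taken
              # from the `get-signals` output; its CN is a wildcard.
              generate-keys:
                action: execrun
                precedingPhases: [ install, get-signals ]
                parameters:
                  roles: [ compute ]
                  isSudo: false
                  command:
                    - bash -exc
                    - |
                      umask 077
                      mkdir -p certs
                      cd certs
                      echo 01 > ca.srl
                      openssl genrsa -out ca-key.pem 2048
                      openssl genrsa -out server-key.pem 2048
                      openssl genrsa -out client-key.pem 2048
                      openssl req -new -nodes -x509 -days 3650 -subj '/O=Docker' -key ca-key.pem -out ca.pem
                      openssl req -new -nodes -subj '/CN=*' -key server-key.pem -out server.csr
                      echo 'subjectAltName = IP:{$.signals.compute.networks.public.ip}' > extfile.cnf
                      openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem -extfile extfile.cnf
                      openssl req -new -nodes -subj '/CN=client' -key client-key.pem -out client.csr
                      echo 'extendedKeyUsage = clientAuth' > extfile.cnf
                      openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem -extfile extfile.cnf
              # Installs the CA cert, server cert and server key under /var/ssl
              # and makes dockerd listen on the unix socket plus tcp/0.0.0.0:2376
              # with client-certificate verification (--tlsverify). The copy is
              # relative to certs/, so this step is assumed to run in the same
              # working directory as generate-keys — confirm for the target
              # executor.
              configure:
                action: execrun
                precedingPhases: [ generate-keys ]
                parameters:
                  roles: [ compute ]
                  isSudo: true
                  command:
                    - bash -exc
                    - |
                      mkdir -p /var/ssl
                      cp certs/ca.pem certs/server-cert.pem certs/server-key.pem /var/ssl/
                      echo "OPTIONS='--host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2376 --tlsverify --tlscacert=/var/ssl/ca.pem --tlscert=/var/ssl/server-cert.pem --tlskey=/var/ssl/server-key.pem'" >/etc/sysconfig/docker
                      service docker restart
              # The three steps below read the client credentials and the CA
              # certificate back through stdout so they can be returned from the
              # workflow; the client private key therefore travels through the
              # step output in clear text.
              get-private-key:
                action: execrun
                precedingPhases: [ generate-keys ]
                parameters:
                  roles: [ compute ]
                  isSudo: false
                  command: [ "cat certs/client-key.pem" ]
                output:
                  clientKey: stdout
              get-client-certificate:
                action: execrun
                precedingPhases: [ generate-keys ]
                parameters:
                  roles: [ compute ]
                  isSudo: false
                  command: [ "cat certs/client-cert.pem" ]
                output:
                  clientCertificate: stdout
              get-ca-certificate:
                action: execrun
                precedingPhases: [ generate-keys ]
                parameters:
                  roles: [ compute ]
                  isSudo: false
                  command: [ "cat certs/ca.pem" ]
                output:
                  caCertificate: stdout
            # Values published on the `result` interface declared above.
            return:
              address: { value: "{$.signals.compute.networks.public.ip}" }
              client-key: { value: "{$.clientKey[*][0]}" }
              client-certificate: { value: "{$.clientCertificate[*][0]}" }
              ca-certificate: { value: "{$.caCertificate[*][0]}" }

  bindings:
    - [docker#host, installer]
    - [docker#credentials, installer]
    - [installer#compute, compute]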