Use container secrets securely

* adds a new ENV variable DOCKER_STEPCA_PASSWORD_FILE so the password file
  location can be changed
* adds set_password_files() to entrypoint.sh so /home/step/secrets/password
  becomes a symlink in containers pointing to DOCKER_STEPCA_INIT_PASSWORD_FILE
  & also DOCKER_STEPCA_PASSWORD_FILE so file permissions are retained
* adds podman example quadlet / run command with a 378,000 character secret
* small update to README.md for new podman examples / docker examples

Fixes #2270

Author: itoffshore

README.md

@@ -136,6 +136,9 @@ See our installation docs [here](https://smallstep.com/docs/step-ca/installation
 [on smallstep.com](https://smallstep.com/docs/step-cli/reference/),
 or by running `step help --http=:8080` from the command line
 and visiting http://localhost:8080.
+* [Examples](https://github.com/smallstep/certificates/tree/master/examples) including
+[Podman](https://github.com/smallstep/certificates/tree/master/examples/podman) &
+[Docker](https://github.com/smallstep/certificates/tree/master/examples/docker)
 
 ## Feedback?
 

docker/entrypoint.sh

@@ -32,6 +32,13 @@ function generate_password () {
     set -o pipefail
 }
 
+function set_password_files () {
+    local FILE_PATH=$1
+
+    ln -sf "${FILE_PATH}" "${STEPPATH}/password"
+    ln -sf "${FILE_PATH}" "${STEPPATH}/provisioner_password"
+}
+
 # Initialize a CA if not already initialized
 function step_ca_init () {
     DOCKER_STEPCA_INIT_PROVISIONER_NAME="${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
@@ -46,9 +53,8 @@ function step_ca_init () {
         --provisioner-password-file "${STEPPATH}/provisioner_password"
         --address "${DOCKER_STEPCA_INIT_ADDRESS}"
     )
-    if [ -n "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ]; then
-        cat < "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" > "${STEPPATH}/password"
-        cat < "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" > "${STEPPATH}/provisioner_password"
+    if [ -f "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ]; then
+	set_password_files "${DOCKER_STEPCA_INIT_PASSWORD_FILE}"
     elif [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
         echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
         echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/provisioner_password"
@@ -86,4 +92,8 @@ if [ ! -f "${STEPPATH}/config/ca.json" ]; then
     init_if_possible
 fi
 
+if [ -f "${DOCKER_STEPCA_PASSWORD_FILE}" ]; then
+    set_password_files "${DOCKER_STEPCA_PASSWORD_FILE}"
+fi
+
 exec "${@}"

examples/podman/stepca.container.md

@@ -0,0 +1,50 @@
+## Example [Podman Quadlet container](https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#container-units-container) file
+
+* `~/.config/containers/systemd/stepca.container` (rootless)
+* `/etc/containers/systemd/stepca.container`      (rootful)
+
+```
+[Unit]
+Description=Smallstep Certificate Authority
+After=network-online.target
+
+[Container]
+PodmanArgs=--memory 50m --cpus 0.25
+PidsLimit=100
+DropCapability=ALL
+NoNewPrivileges=true
+AutoUpdate=registry
+ContainerName=stepca
+Environment=TZ="UTC"
+Environment="DOCKER_STEPCA_INIT_NAME=Example CA"
+Environment=DOCKER_STEPCA_INIT_DNS_NAMES=ca.custom.domain,10.89.0.10,localhost,127.0.0.1
+Environment=DOCKER_STEPCA_INIT_PROVISIONER_NAME=admin@custom.domain
+Environment=DOCKER_STEPCA_INIT_SSH=true
+Environment=DOCKER_STEPCA_INIT_ACME=true
+Environment=DOCKER_STEPCA_INIT_PASSWORD_FILE=/run/secrets/stepca
+HostName=stepca
+Image=docker.io/smallstep/step-ca
+PublishPort=10.89.0.10:9000:9000/tcp
+PublishPort=127.0.0.1:9000:9000/tcp
+Secret=source=stepca,type=mount,uid=1000,gid=1000,mode=400
+Volume=/path/to/volumes/stepca/config:/home/step:Z
+DNS=10.89.0.1
+DNSOption=~custom.domain
+ReloadSignal=SIGHUP
+# Use systemd restart policy
+HealthOnFailure=kill
+HealthStartPeriod=90s
+HealthStartupCmd=sleep 5
+HealthCmd=step ca health
+HealthInterval=30m
+HealthRetries=3
+HealthTimeout=20s
+
+[Service]
+Restart=always
+# Extend Timeout for image pulls
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target
+```

examples/podman/stepca.run.md

@@ -0,0 +1,47 @@
+## Example creation of a Podman container & secret
+
+* Using a [cryptographically strong secret from `openssl` with an `8192` character `hex` string](https://docs.podman.io/en/latest/markdown/podman-secret-create.1.html#examples)
+
+see also:
+
+- [Create a "quadlet"](https://github.com/containers/podlet)
+- [examples/podman/stepca.container.md](https://github.com/smallstep/certificates/tree/master/examples/podman/stepca.container.md)
+
+```
+iface=wt0 # running over Netbird VPN
+ctr=stepca
+ip=$(ip -f inet addr show $iface | sed -En -e 's/.*inet ([0-9.]+).*/\1/p')
+repo=docker.io/smallstep/step-ca
+# TPM supported image
+# repo=docker.io/smallstep/step-ca:hsm
+ca="My CA"
+email="admin@custom.domain"
+dns="ca.custom.domain,$ip,localhost,127.0.0.1"
+volume="${HOME}/volumes/$ctr/config}"
+
+###############
+# auto config #
+###############
+
+bytes=8192
+mkdir -p $volume
+openssl rand -hex $bytes | podman secret create --replace $ctr -
+
+podman run -d --replace \
+    --name $ctr \
+    --hostname $ctr \
+    --secret source=$ctr,type=mount,uid=1000,gid=1000,mode=400 \
+    --env "DOCKER_STEPCA_INIT_NAME=$ca" \
+    --env "DOCKER_STEPCA_INIT_DNS_NAMES=$dns" \
+    --env "DOCKER_STEPCA_INIT_PROVISIONER_NAME=$email" \
+    --env "DOCKER_STEPCA_INIT_SSH=true" \
+    --env "DOCKER_STEPCA_INIT_ACME=true" \
+    --env "DOCKER_STEPCA_PASSWORD_FILE=/run/secrets/$ctr" \
+    --cap-drop ALL \
+    --restart always \
+    --label "io.containers.autoupdate=registry" \
+    -v $volume:/home/step:Z \
+$repo
+```
+
+* Running the container with `--privileged` should only be needed to [configure a TPM](https://smallstep.com/blog/trusted-platform-modules-tpms/).