8/15/2023 0 Comments Docker containers![]() ![]() SIGHUP) to rotate certificates? If so, that signal will need to come from inside the container's namespace a dedicated certificate management container may not be sufficient. Does the service require a signal (eg.Will the service reload its certificates at all? If not, the container will need to be restarted when the certificate is rotated a custom image may not be sufficient.Meanwhile, how a service handles TLS certificates will favor one approach over another: It could happen in a custom image that adds certificate management to a service but it's painful to build and maintain your own repository of custom images.It could be managed via a dedicated certificate management container and a shared volume mount but most managed PaaS environments disallow shared volume mounts.with a volume mount and a systemd renewal timer) but most managed PaaS environments disallow host access. It could live in the host environment (eg.There's also alternative container engines and runtimes, like Podman or gVisor.īottom line, there's no single place for certificate management to live in a Docker deployment: There's pure Docker containers running on VMs, lightweight orchestration environments like Docker Compose or Portainer, managed container environments like Amazon ECS, Heroku Runtime, Digital Ocean App Platform, or Azure Container Instances. Deployment: Moving the renewed certificate into place and signaling a certificate reload (or restarting the service)ĭocker runs in a lot of different contexts, even outside of the Kubernetes world.Renewal: Renewing the container's certificate when it nears expiry. ![]() Enrollment: Authenticating the container with the CA and requesting a TLS certificate for the container.Bootstrapping: Getting the container to trust your internal PKI.When working with certificates in containers, you will need to decide how and where and when to handle each of these tasks for any service: Requirements for Certificate Automation in Containers This opens you up to an infrastructure enumeration risk. Your internal TLS certificate metadata will be published in public Certificate Transparency logs. You could get Web PKI certificates for all of your Docker containers and internal services. "Why have an internal PKI? Just use Let's Encrypt certificates." For example, you might have a containerized service that maps itself to a port on localhost, and you run a reverse proxy on the host side that adds TLS.įinally, it's worth noting that TLS-terminating proxies preclude the addition of TLS client authentication or mutual TLS between your clients and servers, any you may want to add that down the road (for full Beast Mode Zero Trust).Īnd if you need load balancing, you can always use an L4 load balancer for TLS traffic. That said, there are some cases where a reverse proxy configuration can still be quite secure. You still have unauthenticated, unencrypted traffic flowing across your internal network. With a reverse proxy in front of your Docker services, you're still running HTTP. Zero Trust or BeyondProd approaches require authenticated and encrypted communications everywhere, including between services on internal networks. ![]() Given that Zero Trust is a vague marketing term, let me be clear. But a TLS-terminating proxy is not Zero Trust. ![]() And the proxy server can also act as a load balancer, and it can aggregate services from several containers as well.įor a lot of people, this may be sufficient. This is a very common approach, because it works with almost any service. Just terminate TLS at a reverse proxy, and pass the traffic to containers on an internal network via HTTP. It's true: The simplest way to add TLS to Docker services is to not add TLS to Docker services. "Why get certificates to containers at all? Just use a reverse proxy." The examples use our open-source step CLI tool, which connects to either your own step-ca server or a Smallstep Certificate Manager hosted CA, but many of the approaches here could be adapted for other CAs, or for Web PKI certificates. In this post, I'll share some patterns for automating TLS certificate management in Docker when using an internal PKI, and show several examples. There's no single answer for TLS certificate management in Docker. While pure Linux services can leverage cron or systemd timers and clients like certbot for certificate renewal, and Kubernetes has packages like cert-manager for certificate management, Docker containers have minimal tooling around them. As we set out to create our Practical Zero Trust guide to server TLS, we wanted to help DevOps folks automate certificate management for services that run in three different contexts: Linux, Docker, and Kubernetes.ĭocker has proven to be the most difficult environment for certificate automation. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |