Refactor server to make use of Docker secrets

services/Makefile

@@ -1,14 +1,13 @@
-.PHONY: all build clean format test gen-certs-go
+.PHONY: all build clean format test
 
 docker: clean format install
-	docker-compose build
+	docker build -t selfpass:latest .
 
-build: gen-certs-go
+build:
 	go build -mod=vendor -o ./bin/server ./cmd
-	rm ./cmd/certs.go
 
 clean:
-	rm -rf ./bin ./vendor ./cmd/certs.go
+	rm -rf ./bin ./vendor
 
 local:
 	docker-compose up -d
@@ -30,32 +29,38 @@ machine-create-google:
 	    --google-machine-image https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-9-stretch-v20190514 \
 	    --google-username selfpass \
 	    --google-zone us-west1-c \
-	    selfpass01
-	$(MAKE) machine-put-data
+	    ${DOCKER_MACHINE_NAME}
 	$(MAKE) machine-install-stackdriver-agent
 	$(MAKE) machine-add-grpc-server-tag
 
 machine-rm:
-	docker-machine rm selfpass01
+	docker-machine rm ${DOCKER_MACHINE_NAME}
 
 machine-ssh:
-	docker-machine ssh selfpass01
+	docker-machine ssh ${DOCKER_MACHINE_NAME}
 
 machine-put-data:
-	docker-machine ssh selfpass01 "if [[ ! -e data ]]; then mkdir data && chmod 777 data; fi"
-	docker-machine scp ./data/bolt.db selfpass01:data/bolt.db
-	docker-machine ssh selfpass01 "chmod 666 data/bolt.db"
+	docker-machine ssh ${DOCKER_MACHINE_NAME} "if [[ ! -e data ]]; then mkdir data && chmod 777 data; fi"
+	docker-machine scp ./data/bolt.db ${DOCKER_MACHINE_NAME}:data/bolt.db
+	docker-machine ssh ${DOCKER_MACHINE_NAME} "chmod 666 data/bolt.db"
 
 machine-get-data:
-	docker-machine scp selfpass01:data/bolt.db ./data/
+	docker-machine scp ${DOCKER_MACHINE_NAME}:data/bolt.db ./data/
+
+machine-put-certs:
+	docker-machine ssh ${DOCKER_MACHINE_NAME} "if [[ ! -e certs ]]; then mkdir certs; fi && chmod -R 755 certs"
+	docker-machine scp ./certs/ca.pem ${DOCKER_MACHINE_NAME}:certs/ca.pem
+	docker-machine scp ./certs/server.pem ${DOCKER_MACHINE_NAME}:certs/server.pem
+	docker-machine scp ./certs/server-key.pem ${DOCKER_MACHINE_NAME}:certs/server-key.pem
+	docker-machine ssh ${DOCKER_MACHINE_NAME} "chmod 444 certs/*"
 
 machine-add-grpc-server-tag:
-	gcloud compute instances add-tags selfpass01 \
+	gcloud compute instances add-tags ${DOCKER_MACHINE_NAME} \
 		--zone us-west1-c \
 		--tags grpc-server
 
 machine-install-stackdriver-agent:
-	docker-machine ssh selfpass01 "curl -sSO https://dl.google.com/cloudagents/install-monitoring-agent.sh && sudo bash install-monitoring-agent.sh"
+	docker-machine ssh ${DOCKER_MACHINE_NAME} "curl -sSO https://dl.google.com/cloudagents/install-monitoring-agent.sh && sudo bash install-monitoring-agent.sh"
 
 format:
 	gofmt -w -s -l .
@@ -85,8 +90,5 @@ gen-server-cert:
 gen-client-cert:
 	cd certs && cfssl gencert -ca ca.pem -ca-key ca-key.pem -profile client csr.json | cfssljson -bare client
 
-gen-certs-go:
-	./gen_certs_go.sh > ./cmd/certs.go
-
 test:
 	go test -cover ./...

services/cmd/main.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"flag"
 	"io"
+	"io/ioutil"
 	stdlog "log"
 	"net"
 	"os"
@@ -31,6 +32,9 @@ func main() {
 		jsonLogs = flag.Bool("json-logs", false, "enables json logging")
 		port     = flag.String("port", "8080", "specify the port to listen on")
 		verbose  = flag.Bool("v", false, "be more verbose")
+		caFile   = flag.String("ca", "/run/secrets/ca", "specify an alternate ca file")
+		certFile = flag.String("cert", "/run/secrets/cert", "specify an alternate cert file")
+		keyFile  = flag.String("key", "/run/secrets/key", "specify an alternate key file")
 	)
 	flag.Parse()
 
@@ -40,11 +44,18 @@ func main() {
 
 	logger = newLogger(os.Stdout, *jsonLogs)
 
-	keypair, err := tls.X509KeyPair([]byte(cert), []byte(key))
+	ca, err := ioutil.ReadFile(*caFile)
+	check(err)
+	cert, err := ioutil.ReadFile(*certFile)
+	check(err)
+	key, err := ioutil.ReadFile(*keyFile)
+	check(err)
+
+	keypair, err := tls.X509KeyPair(cert, key)
 	check(err)
 
 	caPool := x509.NewCertPool()
-	caPool.AppendCertsFromPEM([]byte(ca))
+	caPool.AppendCertsFromPEM(ca)
 
 	creds := credentials.NewTLS(&tls.Config{
 		Certificates:             []tls.Certificate{keypair},

services/docker-compose.prod.yml

@@ -1,7 +1,15 @@
 version: "3.7"
 services:
   server:
+    image: mjfs/selfpass:latest
     entrypoint:
       - server
     volumes:
       - "/home/selfpass/data:/home/selfpass/data"
+secrets:
+  ca:
+    file: "/home/selfpass/certs/ca.pem"
+  cert:
+    file: "/home/selfpass/certs/server.pem"
+  key:
+    file: "/home/selfpass/certs/server-key.pem"

services/docker-compose.yml

@@ -1,7 +1,7 @@
 version: "3.7"
 services:
   server:
-    build: .
+    image: selfpass:latest
     restart: on-failure
     entrypoint:
       - server
@@ -10,3 +10,14 @@ services:
       - "8080:8080"
     volumes:
       - "./data:/home/selfpass/data"
+    secrets:
+      - ca
+      - cert
+      - key
+secrets:
+  ca:
+    file: "./certs/ca.pem"
+  cert:
+    file: "./certs/server.pem"
+  key:
+    file: "./certs/server-key.pem"

services/gen_certs_go.sh

@@ -1,13 +0,0 @@
-#!/usr/bin/env sh
-ca=$(cat ./certs/ca.pem)
-cert=$(cat ./certs/server.pem)
-key=$(cat ./certs/server-key.pem)
-
-cat << EOM
-// Code generated by gen_certs_go.sh, DO NOT EDIT.
-package main
-
-const ca = \`${ca}\`
-const cert = \`${cert}\`
-const key = \`${key}\`
-EOM