How to pass the Ca cert of mongodb while running docker image

Question

How to pass the Ca cert of mongodb while running docker image

Rekha-Prakash opened this issue 3 years ago · 2 comments

Rekha-Prakash commented 3 years ago

Expected Behavior

Connecting to enterprise MongoDB with CA cert using docker image

Current Behavior

Not finding an option to pass the CA crt to the docket image.

Context

I am trying to connect to the enterprise mongodb which has cert. How can I pass the cert while running restheart docker image?

Option 1: Using env variable, where can I pass the cert, as the environment variable only has MONGO_URI.

docker run --rm-p8080:8080 -e MONGO_URI='mongodb://mongoappuser:@<XYC.com>:27117/?ssl=true&replicaSet=daas-mongodb&authSource=admin'-v/host/path/to/default.properties:/opt/restheart/etc/default.properties softinstigate/restheart

Option 2 mounting property file to docker, Where can I pass the cert in restheart.yml or default.properties file ?

docker run -d -p 80:8080 --name restheart -v /git/restheart/etc:/opt/restheart/etc:ro softinstigate/restheart

Answer 1 · 2022-02-28T08:25:44.000Z

Hi,

This is how I'd do it:

You have to create the keystore by importing the certificate used by mongod with the keytool command

If you have a look at Connect to MongoDB over TLS/SSL in our documentation, you see how to do it outside a container.

Then I would run the container overriding its default ENTRYPOINT

FROM eclipse-temurin:17-jre

LABEL maintainer="SoftInstigate <info@softinstigate.com>"

WORKDIR /opt/restheart
COPY etc/restheart.yml etc/acl.yml etc/users.yml etc/
COPY etc/docker.properties etc/default.properties
COPY target/restheart.jar /opt/restheart/
COPY target/plugins/* /opt/restheart/plugins/

ENTRYPOINT [ "java", "-Dfile.encoding=UTF-8", "-server", "-jar", "restheart.jar", "etc/restheart.yml"]
CMD ["--envFile", "etc/default.properties"]
EXPOSE 8009 8080 4443

Which means:

$ docker run --rm-p8080:8080 -e MONGO_URI="<...>" --entrypoint "java -Dfile.encoding=UTF-8 -server -Djavax.net.ssl.trustStore=rhTrustStore -Djavax.net.ssl.trustStorePassword=changeit -Djavax.security.auth.useSubjectCredsOnly=false -jar restheart.jar etc/restheart.yml -e etc/default.properties" -v "/host/path/to/rhTrustStore:/opt/restheart/rhTrustStore" softinstigate/restheart

Also adding a -v to mount the file where the keystone is (named "rhTrustStore" in this example).

As mentioned, I have not tried this by myself yet.

Answer 2 · 2022-03-15T11:22:39.000Z

closing, feel free to reopen for additional help