How to pass the CA cert of MongoDB while running the docker image
Rekha-Prakash opened this issue · 2 comments
Expected Behavior
Connecting to enterprise MongoDB with a CA cert using the docker image
Current Behavior
Not finding an option to pass the CA cert to the docker image.
Context
I am trying to connect to the enterprise MongoDB, which has a cert. How can I pass the cert while running the restheart docker image?
Option 1: Using an env variable. Where can I pass the cert, as the environment variable only has MONGO_URI?
docker run --rm -p 8080:8080 -e MONGO_URI='mongodb://mongoappuser:@<XYC.com>:27117/?ssl=true&replicaSet=daas-mongodb&authSource=admin' -v /host/path/to/default.properties:/opt/restheart/etc/default.properties softinstigate/restheart
Option 2: Mounting the property file into docker. Where can I pass the cert in the restheart.yml or default.properties file?
docker run -d -p 80:8080 --name restheart -v /git/restheart/etc:/opt/restheart/etc:ro softinstigate/restheart
Hi,
This is how I'd do it:
You have to create the keystore by importing the certificate used by mongod with the keytool command.
If you have a look at Connect to MongoDB over TLS/SSL in our documentation, you will see how to do it outside a container.
Then I would run the container, overriding its default ENTRYPOINT:
FROM eclipse-temurin:17-jre
LABEL maintainer="SoftInstigate <info@softinstigate.com>"
WORKDIR /opt/restheart
COPY etc/restheart.yml etc/acl.yml etc/users.yml etc/
COPY etc/docker.properties etc/default.properties
COPY target/restheart.jar /opt/restheart/
COPY target/plugins/* /opt/restheart/plugins/
ENTRYPOINT [ "java", "-Dfile.encoding=UTF-8", "-server", "-jar", "restheart.jar", "etc/restheart.yml"]
CMD ["--envFile", "etc/default.properties"]
EXPOSE 8009 8080 4443
Which means:
# --entrypoint accepts a single executable; the JVM flags go after the image name, where they replace the image's CMD
$ docker run --rm -p 8080:8080 \
    -e MONGO_URI="<...>" \
    -v "/host/path/to/rhTrustStore:/opt/restheart/rhTrustStore" \
    --entrypoint java \
    softinstigate/restheart \
    -Dfile.encoding=UTF-8 -server \
    -Djavax.net.ssl.trustStore=rhTrustStore \
    -Djavax.net.ssl.trustStorePassword=changeit \
    -Djavax.security.auth.useSubjectCredsOnly=false \
    -jar restheart.jar etc/restheart.yml --envFile etc/default.properties
Also, add a -v to mount the file where the keystore is (named "rhTrustStore" in this example).
As mentioned, I have not tried this by myself yet.
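The procedure in the reply above (import the CA with keytool, mount the resulting truststore, point the JVM at it) as one runnable script. This is an added example, not code from the RESTHeart project or from the commenter. It assumes a PEM-encoded CA certificate at CA_PEM, that keytool and docker are on PATH, and that MONGO_URI requests TLS; the alias mongodb-ca, the in-container path /opt/restheart/rhTrustStore, the password changeit and the uri_uses_tls helper are all placeholders chosen here.

```shell
#!/bin/sh
# Added example (not RESTHeart project code): build a JVM truststore from the
# MongoDB CA certificate and start the RESTHeart container with it mounted.
set -eu

CA_PEM="${CA_PEM:-./mongo-ca.pem}"           # assumption: PEM-encoded CA that signed mongod's cert
TRUSTSTORE="${TRUSTSTORE:-./rhTrustStore}"   # truststore file created on the host and mounted
STOREPASS="${STOREPASS:-changeit}"           # placeholder; the store only holds public certs
MOUNT_PATH="/opt/restheart/rhTrustStore"     # where the store appears inside the container

# The driver only negotiates TLS when the URI asks for it. Without ssl=true or
# tls=true the truststore is never consulted and a plaintext connection is tried.
uri_uses_tls() {
  case "$1" in
    *'?tls=true'*|*'&tls=true'*|*'?ssl=true'*|*'&ssl=true'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Import the CA into a dedicated truststore (keytool creates it on first import).
build_truststore() {
  keytool -importcert -noprompt -trustcacerts -alias mongodb-ca \
    -file "$CA_PEM" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Confirm the alias is really in the store before mounting it.
check_truststore() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias mongodb-ca >/dev/null
}

# JVM arguments. javax.net.ssl.trustStore replaces the JVM's default cacerts
# rather than extending it, so every TLS peer RESTHeart must trust has to be here.
jvm_args() {
  printf '%s' "-Dfile.encoding=UTF-8 -server" \
    " -Djavax.net.ssl.trustStore=$MOUNT_PATH" \
    " -Djavax.net.ssl.trustStorePassword=$STOREPASS" \
    " -jar restheart.jar etc/restheart.yml --envFile etc/default.properties"
}

# --entrypoint takes a single executable; everything after the image name
# replaces the image's CMD, which is where the JVM flags belong.
run_restheart() {
  uri="${MONGO_URI:?MONGO_URI must be set}"
  uri_uses_tls "$uri" || { echo "MONGO_URI does not request TLS" >&2; return 1; }
  host_store="$(cd "$(dirname "$TRUSTSTORE")" && pwd)/$(basename "$TRUSTSTORE")"
  # word-splitting of $(jvm_args) is intended: each flag becomes its own argument
  docker run --rm -p 8080:8080 \
    -e MONGO_URI="$uri" \
    -v "$host_store:$MOUNT_PATH:ro" \
    --entrypoint java softinstigate/restheart $(jvm_args)
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${RUN_RESTHEART:-0}" = "1" ]; then
  build_truststore
  check_truststore
  run_restheart
fi
```

Run it as `RUN_RESTHEART=1 CA_PEM=/path/to/ca.pem MONGO_URI='mongodb://...?ssl=true&...' sh run-restheart.sh`. The trustStorePassword ends up visible in `docker inspect` and in the container's process list; that is acceptable only because a truststore holds public certificates, so keep it separate from any keystore that carries private keys.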
closing, feel free to reopen for additional help