From a110d92c3df7338d3402fb2527e406fbe8fdb548 Mon Sep 17 00:00:00 2001 From: The Oh Brothers Bot Date: Sun, 19 May 2024 00:43:35 +0000 Subject: [PATCH] Enhancement: Add easyrsa 3.2.0 variants Signed-off-by: The Oh Brothers Bot --- .github/workflows/ci-master-pr.yml | 124 +++++++++++++++++++++++++++- README.md | 13 +-- generate/definitions/versions.json | 1 + variants/3.2.0/Dockerfile | 50 +++++++++++ variants/3.2.0/docker-compose.yml | 40 +++++++++ variants/3.2.0/docker-entrypoint.sh | 14 ++++ 6 files changed, 235 insertions(+), 7 deletions(-) create mode 100644 variants/3.2.0/Dockerfile create mode 100644 variants/3.2.0/docker-compose.yml create mode 100644 variants/3.2.0/docker-entrypoint.sh
diff --git a/.github/workflows/ci-master-pr.yml b/.github/workflows/ci-master-pr.yml
index 82109b9..d35d51e 100644
--- a/.github/workflows/ci-master-pr.yml
+++ b/.github/workflows/ci-master-pr.yml
@@ -33,6 +33,126 @@ jobs:
run: |
git diff --exit-code
+ build-3-2-0:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Display system info (linux)
+ run: |
+ set -e
+ hostname
+ whoami
+ cat /etc/*release
+ lscpu
+ free
+ df -h
+ pwd
+ docker info
+ docker version
+
+ # See: https://github.com/docker/build-push-action/blob/v2.6.1/docs/advanced/cache.md#github-cache
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Cache Docker layers
+ uses: actions/cache@v4
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-buildx-3.2.0-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-buildx-3.2.0-
+ ${{ runner.os }}-buildx-
+
+ - name: Login to Docker Hub registry
+ # Run on master and tags
+ if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_REGISTRY_USER }}
+ password: ${{ secrets.DOCKERHUB_REGISTRY_PASSWORD }}
+
+ # This step generates the docker tags
+ - name: Prepare
+ id: prep-3-2-0
+ run: |
+ set -e
+
+ # Get ref, i.e. from refs/heads/, or from refs/tags/. E.g. 'master' or 'v0.0.0'
+ REF=$( echo "${GITHUB_REF}" | rev | cut -d '/' -f 1 | rev )
+
+ # Get short commit hash E.g. 'abc0123'
+ SHA=$( echo "${GITHUB_SHA}" | cut -c1-7 )
+
+ # Generate docker image tags
+ # E.g. 'v0.0.0-' and 'v0.0.0-abc0123-'
+ # E.g. 
'master-' and 'master-abc0123-'
+ VARIANT="3.2.0"
+ REF_VARIANT="${REF}-${VARIANT}"
+ REF_SHA_VARIANT="${REF}-${SHA}-${VARIANT}"
+
+ # Pass variables to next step
+ echo "VARIANT_BUILD_DIR=$VARIANT_BUILD_DIR" >> $GITHUB_OUTPUT
+ echo "VARIANT=$VARIANT" >> $GITHUB_OUTPUT
+ echo "REF_VARIANT=$REF_VARIANT" >> $GITHUB_OUTPUT
+ echo "REF_SHA_VARIANT=$REF_SHA_VARIANT" >> $GITHUB_OUTPUT
+
+ - name: 3.2.0 - Build (PRs)
+ # Run only on pull requests
+ if: github.event_name == 'pull_request'
+ uses: docker/build-push-action@v5
+ with:
+ context: variants/3.2.0
+ platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
+ push: false
+ tags: |
+ ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_VARIANT }}
+ ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_SHA_VARIANT }}
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+ - name: 3.2.0 - Build and push (master)
+ # Run only on master
+ if: github.ref == 'refs/heads/master'
+ uses: docker/build-push-action@v5
+ with:
+ context: variants/3.2.0
+ platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
+ push: true
+ tags: |
+ ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_VARIANT }}
+ ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_SHA_VARIANT }}
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+ - name: 3.2.0 - Build and push (release)
+ if: startsWith(github.ref, 'refs/tags/')
+ uses: docker/build-push-action@v5
+ with:
+ context: variants/3.2.0
+ platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
+ push: true
+ tags: |
+ ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.VARIANT }}
+ ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_VARIANT }}
+ ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_SHA_VARIANT }}
+ ${{ github.repository }}:latest
+ cache-from: 
type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+ # Temp fix
+ # https://github.com/docker/build-push-action/issues/252
+ # https://github.com/moby/buildkit/issues/1896
+ - name: Move cache
+ run: |
+ rm -rf /tmp/.buildx-cache
+ mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
build-3-1-7:
runs-on: ubuntu-latest
steps:
@@ -141,7 +261,6 @@ jobs:
${{ github.repository }}:${{ steps.prep-3-1-7.outputs.VARIANT }}
${{ github.repository }}:${{ steps.prep-3-1-7.outputs.REF_VARIANT }}
${{ github.repository }}:${{ steps.prep-3-1-7.outputs.REF_SHA_VARIANT }}
- ${{ github.repository }}:latest
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
@@ -2059,6 +2178,7 @@ jobs:
update-draft-release:
needs:
+ - build-3-2-0 - build-3-1-7 - build-3-1-6 - build-3-1-5
@@ -2089,6 +2209,7 @@ jobs:
publish-draft-release:
needs:
+ - build-3-2-0 - build-3-1-7 - build-3-1-6 - build-3-1-5
@@ -2121,6 +2242,7 @@ jobs:
update-dockerhub-description:
needs:
+ - build-3-2-0 - build-3-1-7 - build-3-1-6 - build-3-1-5
diff --git a/README.md b/README.md
index 008681c..0f86a81 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,8 @@ The base image is `alpine`.
| Tag | Dockerfile Build Context |
|:-------:|:---------:|
-| `:3.1.7`, `:latest` | [View](variants/3.1.7) |
+| `:3.2.0`, `:latest` | [View](variants/3.2.0) |
+| `:3.1.7` | [View](variants/3.1.7) |
| `:3.1.6` | [View](variants/3.1.6) |
| `:3.1.5` | [View](variants/3.1.5) |
| `:3.1.4` | [View](variants/3.1.4) |
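Review bot: Every action in the new `build-3-2-0` job is referenced by a mutable tag (`actions/checkout@v4`, `actions/cache@v4`, `docker/login-action@v3`, `docker/build-push-action@v5`), and the login step hands `DOCKERHUB_REGISTRY_PASSWORD` to whatever code those tags resolve to on master and release builds; pin each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: docker/build-push-action@<full-commit-sha> # v5.x`, so a re-tagged upstream release cannot swap the code that holds the push credential. The Prepare step also writes `echo "VARIANT_BUILD_DIR=$VARIANT_BUILD_DIR" >> $GITHUB_OUTPUT` without ever assigning `VARIANT_BUILD_DIR`, so that output is always empty; either drop the line or set it to `variants/3.2.0`, which the three build steps currently hard-code as `context:`. Whether the job or workflow declares a restrictive `permissions:` block is outside this hunk and worth confirming.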
@@ -38,14 +39,14 @@ In this image, the PKI will be stored in `/data/pki` (i.e. `EASYRSA_PKI=/data/pk
```sh
# Generate /data/pki
-docker run --rm -it -v data:/data theohbrothers/docker-easyrsa:3.1.7 init-pki
+docker run --rm -it -v data:/data theohbrothers/docker-easyrsa:3.2.0 init-pki
# Generate CA, server and client certs
-docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.1.7 build-ca nopass
-docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.1.7 build-server-full server-01 nopass
-docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.1.7 build-client-full client-01 nopass
+docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.2.0 build-ca nopass
+docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.2.0 build-server-full server-01 nopass
+docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.2.0 build-client-full client-01 nopass
# Alternatively, a nice one liner to do everything
-docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.1.7 sh -c 'set -e; easyrsa init-pki; easyrsa build-ca nopass; easyrsa build-server-full server-01 nopass; easyrsa build-client-full client-01 nopass; find /data/pki'
+docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.2.0 sh -c 'set -e; easyrsa init-pki; easyrsa build-ca nopass; easyrsa build-server-full server-01 nopass; easyrsa build-client-full client-01 nopass; find /data/pki'
```
According to [`easy-rsa` documentation](https://github.com/OpenVPN/easy-rsa/blob/v3.0.0/doc/EasyRSA-Advanced.md#configuration-reference), there are four ways to run `easy-rsa`, namely:
diff --git a/generate/definitions/versions.json b/generate/definitions/versions.json
index 69e7436..160623f 100644
--- a/generate/definitions/versions.json
+++ b/generate/definitions/versions.json
@@ -1,6 +1,7 @@
{
"easyrsa": {
"versions": [
+ "3.2.0",
"3.1.7",
"3.1.6",
"3.1.5",
diff --git a/variants/3.2.0/Dockerfile b/variants/3.2.0/Dockerfile
new file mode 100644
index 0000000..ea9f18f
--- /dev/null
+++ b/variants/3.2.0/Dockerfile
@@ -0,0 +1,50 @@
+FROM alpine:3.17
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM"
+
+RUN apk add --no-cache ca-certificates
+
+# Install easyrsa dependencies
+RUN apk add --no-cache openssl
+
+WORKDIR /data
+ENV EASYRSA=/usr/share/easy-rsa
+ENV EASYRSA_PKI=/data/pki
+
+# Install easyrsa
+# See: https://github.com/OpenVPN/easy-rsa/tree/master/release-keys
+RUN set -eux; \
+ apk add --no-cache gnupg gpg-agent dirmngr; \
+ URL=https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.0/EasyRSA-3.2.0.tgz; \
+ FILE=$( basename $URL ); \
+ wget -q "$URL"; \
+ wget -q "$URL.sig"; \
+ gpg --keyserver keys.openpgp.org --recv-keys 6F4056821152F03B6B24F2FCF8489F839D7367F3; \
+ gpg --verify "$FILE.sig" "$FILE"; \
+ mkdir -p /usr/share/easy-rsa; \
+ tar -zxvf "$FILE" --strip-components=1 -C /usr/share/easy-rsa; \
+ ln -sf /usr/share/easy-rsa/easyrsa /usr/local/bin/easyrsa; \
+ \
+ easyrsa help; \
+ easyrsa init-pki; \
+ rm -rfv /data/pki; \
+ \
+ rm -fv "$FILE"; \
+ rm -fv "$FILE.sig"; \
+ apk del gnupg gpg-agent dirmngr; \
+ killall dirmngr; \
+ killall gpg-agent; \
+ # Fix error: rm: can't remove '/root/.gnupg/S.gpg-agent.extra': No such file or directory
+ while ls /root/.gnupg/S.* > /dev/null; do \
+ echo "Waiting for gpg sockets to be removed"; \
+ sleep 1; \
+ done; \
+ rm -rf /root/.gnupg;
+
+VOLUME /data
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/variants/3.2.0/docker-compose.yml b/variants/3.2.0/docker-compose.yml
new file mode 100644
index 0000000..0a1bab2
--- /dev/null
+++ b/variants/3.2.0/docker-compose.yml
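Review bot: The brand-new variant starts `FROM alpine:3.17`, which at this commit's date (May 2024) was two Alpine releases behind the current 3.19 and is also where the `openssl` that easyrsa shells out to comes from, so the image only receives the 3.17 branch's backported OpenSSL fixes until that branch ends; a newly added variant should build on the current base, `FROM alpine:3.19`, presumably by bumping the generator template so every variant moves together rather than editing this file alone. The fetch-and-verify sequence is sound as written — the key is pinned by full fingerprint and `gpg --verify` runs against a keyring that holds only that key — but it still depends on `keys.openpgp.org` being reachable at build time; committing the release key file the `# See:` comment points to and replacing the `--recv-keys` line with `gpg --import /path/to/release-key.asc` removes that network dependency without weakening the check. Note also that no `USER` is set, so `easyrsa` and the CA private key it writes under `/data/pki` run and are created as root; that is common for a tool image but deserves a sentence in the README.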
@@ -0,0 +1,40 @@
+version: '2.1'
+services:
+ easyrsa:
+ container_name: easyrsa
+ image: theohbrothers/docker-easyrsa:3.2.0
+
+ # Uncomment and configure these environment to your needs. The following are the default values, according to: https://github.com/OpenVPN/easy-rsa/blob/v3.0.8/doc/EasyRSA-Advanced.md#configuration-reference
+ # Using environment variables is preferred to using a vars file
+ # Double dollar signs '$$' is to escape a dollar sign in the docker-compose yaml parser, see: https://stackoverflow.com/a/40621373
+ # environment:
+ # - EASYRSA_SSL_CONF=/etc/ssl/openssl.cnf
+ # - EASYRSA=$${0%/*}
+ # - EASYRSA_OPENSSL=openssl
+ # - EASYRSA_SSL_CONF=$$EASYRSA/openssl-easyrsa.cnf
+ # - EASYRSA_PKI=$$PWD/pki
+ # - EASYRSA_DN=cn_only
+ # - EASYRSA_REQ_COUNTRY=US
+ # - EASYRSA_REQ_PROVINCE=California
+ # - EASYRSA_REQ_CITY=San Francisco
+ # - EASYRSA_REQ_ORG=Copyleft Certificate Co
+ # - EASYRSA_REQ_EMAIL=me@example.net
+ # - EASYRSA_REQ_OU=My Organizational Unit
+ # - EASYRSA_KEY_SIZE=2048
+ # - EASYRSA_ALGO=rsa
+ # - EASYRSA_CURVE=secp384r1
+ # - EASYRSA_CA_EXPIRE=3650
+ # - EASYRSA_CERT_EXPIRE=180
+ # - EASYRSA_CERT_RENEW=30
+ # - EASYRSA_NS_SUPPORT=no
+ # - EASYRSA_NS_COMMENT=Easy-RSA Generated Certificate
+ # - EASYRSA_TEMP_FILE=$$EASYRSA_PKI/extensions.temp
+ # - EASYRSA_EXT_DIR=$$EASYRSA/x509-types
+ # - EASYRSA_REQ_CN=ChangeMe
+ # - EASYRSA_DIGEST=sha256
+ # - EASYRSA_BATCH=
+
+ # Uncomment this to mount your own openssl.cnf, vars file(s)
+ # volumes:
+ # - ./path/to/openssl.conf:/etc/ssl/openssl.cnf
+ # - ./path/to/vars:/etc/ssl/openssl.cnf
\ No newline at end of file
diff --git a/variants/3.2.0/docker-entrypoint.sh b/variants/3.2.0/docker-entrypoint.sh
new file mode 100644
index 0000000..35cada9
--- /dev/null
+++ b/variants/3.2.0/docker-entrypoint.sh
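Review bot: The commented `volumes:` example mounts two different host files onto the same container path — `- ./path/to/vars:/etc/ssl/openssl.cnf` directly after `- ./path/to/openssl.conf:/etc/ssl/openssl.cnf` — so anyone who uncomments it as written clobbers their OpenSSL config with the vars file; a vars file belongs where easyrsa looks for it, presumably `$EASYRSA/vars` given the Dockerfile sets `EASYRSA=/usr/share/easy-rsa`, i.e. `- ./path/to/vars:/usr/share/easy-rsa/vars`. The `environment:` template lists `EASYRSA_SSL_CONF` twice with different values, and its "default values" link points at the v3.0.8 docs although this variant ships 3.2.0, so entries such as `EASYRSA_CERT_EXPIRE=180` should be re-checked against the 3.2.0 `vars.example` before being presented as defaults. Minor style points: `version: '2.1'` is obsolete for Compose v2 and only produces a warning, and the file lacks a trailing newline.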
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -eu
+
+if [ $# -gt 0 ]; then
+ # Get all subcommands. 'help' is also a subcommand
+ SUBCOMMANDS=$( easyrsa help | awk "/init-pki/,/^$/" | awk '{print $1}' | awk NF ; echo help )
+ if echo "$SUBCOMMANDS" | grep "^$1$" > /dev/null; then
+ exec "easyrsa" "$@"
+ fi
+else
+ exec "easyrsa" "$@"
+fi
+
+exec "$@"
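Review bot: `grep "^$1$"` treats the container's first argument as a basic regular expression, so an argument containing `.`, `*` or `[` can match a subcommand name it does not equal and be routed to `easyrsa` rather than exec'd as a command; match the literal whole line instead with `if echo "$SUBCOMMANDS" | grep -Fxq -- "$1"; then`. The `awk "/init-pki/,/^$/"` program only survives double quotes because `$/` happens not to be a valid shell expansion; single quotes, `awk '/init-pki/,/^$/'`, say what is meant and do not depend on that. Because the subcommand list is scraped from `easyrsa help` output, any change to that output's layout in 3.2.0 silently reduces the list to `help`, after which `easyrsa init-pki` falls through to `exec "$@"` and fails with "init-pki: not found"; it is worth checking once against this release that the scraped list is non-empty.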