Enhancement: Install easyrsa manually and change base image to `alp…

…ine:3.17` This avoids coupling the app with the distro, and also ensures the distro is not stale.
theohbrothers · Sep 14, 2023 · facef0a · facef0a
1 parent 9a6d93a
commit facef0a
Show file tree

Hide file tree

Showing 32 changed files with 1,049 additions and 566 deletions.
diff --git a/.github/workflows/ci-master-pr.yml b/.github/workflows/ci-master-pr.yml
diff --git a/README.md b/README.md
@@ -10,20 +10,17 @@ Dockerized [`easy-rsa`](https://github.com/OpenVPN/easy-rsa).
 
 | Tag | Dockerfile Build Context |
 |:-------:|:---------:|
-| `:v3.1.5-alpine-edge`, `:latest` | [View](variants/v3.1.5-alpine-edge) |
-| `:v3.1.2-alpine-3.18` | [View](variants/v3.1.2-alpine-3.18) |
+| `:v3.1.5-alpine-3.17`, `:latest` | [View](variants/v3.1.5-alpine-3.17) |
+| `:v3.1.2-alpine-3.17` | [View](variants/v3.1.2-alpine-3.17) |
 | `:v3.1.1-alpine-3.17` | [View](variants/v3.1.1-alpine-3.17) |
-| `:v3.0.8-alpine-3.13` | [View](variants/v3.0.8-alpine-3.13) |
-| `:v3.0.7-alpine-3.12` | [View](variants/v3.0.7-alpine-3.12) |
-| `:v3.0.6-alpine-3.11` | [View](variants/v3.0.6-alpine-3.11) |
-| `:v3.0.6-alpine-3.10` | [View](variants/v3.0.6-alpine-3.10) |
-| `:v3.0.5-alpine-3.9` | [View](variants/v3.0.5-alpine-3.9) |
-| `:v3.0.4-alpine-3.8` | [View](variants/v3.0.4-alpine-3.8) |
-| `:v3.0.3-alpine-3.7` | [View](variants/v3.0.3-alpine-3.7) |
-| `:v3.0.1-alpine-3.6` | [View](variants/v3.0.1-alpine-3.6) |
-| `:v3.0.1-alpine-3.5` | [View](variants/v3.0.1-alpine-3.5) |
-| `:v3.0.1-alpine-3.4` | [View](variants/v3.0.1-alpine-3.4) |
-| `:v3.0.1-alpine-3.3` | [View](variants/v3.0.1-alpine-3.3) |
+| `:v3.0.8-alpine-3.17` | [View](variants/v3.0.8-alpine-3.17) |
+| `:v3.0.7-alpine-3.17` | [View](variants/v3.0.7-alpine-3.17) |
+| `:v3.0.6-alpine-3.17` | [View](variants/v3.0.6-alpine-3.17) |
+| `:v3.0.6-alpine-3.17` | [View](variants/v3.0.6-alpine-3.17) |
+| `:v3.0.5-alpine-3.17` | [View](variants/v3.0.5-alpine-3.17) |
+| `:v3.0.4-alpine-3.17` | [View](variants/v3.0.4-alpine-3.17) |
+| `:v3.0.3-alpine-3.17` | [View](variants/v3.0.3-alpine-3.17) |
+| `:v3.0.1-alpine-3.17` | [View](variants/v3.0.1-alpine-3.17) |
 
 ## Usage
 

diff --git a/generate/definitions/VARIANTS.ps1 b/generate/definitions/VARIANTS.ps1
@@ -1,130 +1,28 @@
 # Docker image variants' definitions
+$local:VERSIONS = @(
+    '3.1.5'
+    '3.1.2'
+    '3.1.1'
+    '3.0.8'
+    '3.0.7'
+    '3.0.6'
+    '3.0.6'
+    '3.0.5'
+    '3.0.4'
+    '3.0.3'
+    '3.0.1'
+)
 $local:VARIANTS_MATRIX = @(
-    @{
-        package = 'easy-rsa'
-        package_version = '3.1.5-r0'
-        distro = 'alpine'
-        distro_version = 'edge'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.1.2-r0'
-        distro = 'alpine'
-        distro_version = '3.18'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.1.1-r0'
-        distro = 'alpine'
-        distro_version = '3.17'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.8-r0'
-        distro = 'alpine'
-        distro_version = '3.13'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.7-r0'
-        distro = 'alpine'
-        distro_version = '3.12'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.6-r0'
-        distro = 'alpine'
-        distro_version = '3.11'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.6-r0'
-        distro = 'alpine'
-        distro_version = '3.10'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.5-r0'
-        distro = 'alpine'
-        distro_version = '3.9'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.4-r0'
-        distro = 'alpine'
-        distro_version = '3.8'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.3-r0'
-        distro = 'alpine'
-        distro_version = '3.7'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.1-r0'
-        distro = 'alpine'
-        distro_version = '3.6'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.1-r0'
-        distro = 'alpine'
-        distro_version = '3.5'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.1-r0'
-        distro = 'alpine'
-        distro_version = '3.4'
-        subvariants = @(
-            @{ components = @() }
-        )
-    }
-    @{
-        package = 'easy-rsa'
-        package_version = '3.0.1-r0'
-        distro = 'alpine'
-        distro_version = '3.3'
-        subvariants = @(
-            @{ components = @() }
-        )
+    foreach ($v in $local:VERSIONS) {
+        @{
+            package = 'easy-rsa'
+            package_version = $v
+            distro = 'alpine'
+            distro_version = '3.17'
+            subvariants = @(
+                @{ components = @() }
+            )
+        }
     }
 )
 
@@ -136,7 +34,6 @@ $VARIANTS = @(
                 _metadata = @{
                     package = $variant['package']
                     package_version = $variant['package_version']
-                    package_version_semver = "v$( $variant['package_version'] )" -replace '-r\d+', ''   # E.g. Strip out the '-r' in '2.3.0.0-r1'
                     distro = $variant['distro']
                     distro_version = $variant['distro_version']
                     platforms = & {

diff --git a/generate/templates/Dockerfile.ps1 b/generate/templates/Dockerfile.ps1
@@ -1,16 +1,33 @@
 @"
 FROM $( $VARIANT['_metadata']['distro'] ):$( $VARIANT['_metadata']['distro_version'] )
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+RUN echo "I am running on `$BUILDPLATFORM, building for `$TARGETPLATFORM"
 
-RUN apk add --no-cache $( $VARIANT['_metadata']['package'] )=$( $VARIANT['_metadata']['package_version'] ) iptables
+RUN apk add --no-cache ca-certificates
 
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-RUN chmod +x /docker-entrypoint.sh
+# Install easyrsa dependencies
+RUN apk add --no-cache iptables openssl
 
-# alpine easyrsa top-level directory. Use command find / -name 'easyrsa'
-RUN echo "Looking for easyrsa binary" \
-    && ls '/usr/share/easy-rsa/easyrsa'
-ENV EASYRSA=/usr/share/easy-rsa
+# Install easyrsa
+# See: https://github.com/OpenVPN/easy-rsa/tree/master/release-keys
+RUN set -eux; \
+    apk add --no-cache gnupg gpg-agent dirmngr; \
+    URL=https://github.com/OpenVPN/easy-rsa/releases/download/v$( $VARIANT['_metadata']['package_version'] )/EasyRSA-$( $VARIANT['_metadata']['package_version'] ).tgz; \
+    FILE=`$( basename `$URL ); \
+    wget -q "`$URL"; \
+    wget -q "`$URL.sig"; \
+    gpg --keyserver keys.openpgp.org --recv-keys 6F4056821152F03B6B24F2FCF8489F839D7367F3; \
+    gpg --verify "`$FILE.sig" "`$FILE"; \
+    mkdir -p /usr/share/easy-rsa; \
+    tar -zxvf "`$FILE" --strip-components=1 -C /usr/share/easy-rsa; \
+    /usr/share/easy-rsa/easyrsa help; \
+    rm -fv "`$FILE"; \
+    rm -fv "`$FILE.sig"; \
+    rm -rf /root/.gnupg; \
+    apk del gnupg gpg-agent dirmngr;
 
+ENV EASYRSA=/usr/share/easy-rsa
 WORKDIR /usr/share/easy-rsa
 
 # alpine openssl.cnf location. Use command find / -name 'openssl*.cnf'
@@ -19,6 +36,9 @@ WORKDIR /usr/share/easy-rsa
 RUN echo "Looking for openssl.cnf" \
     && find /etc /usr -name 'openssl*.cnf'
 
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 "@
diff --git a/variants/v3.0.1-alpine-3.17/Dockerfile b/variants/v3.0.1-alpine-3.17/Dockerfile
@@ -0,0 +1,41 @@
+FROM alpine:3.17
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM"
+
+RUN apk add --no-cache ca-certificates
+
+# Install easyrsa dependencies
+RUN apk add --no-cache iptables openssl
+
+# Install easyrsa
+# See: https://github.com/OpenVPN/easy-rsa/tree/master/release-keys
+RUN set -eux; \
+    apk add --no-cache gnupg gpg-agent dirmngr; \
+    URL=https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.1/EasyRSA-3.0.1.tgz; \
+    FILE=$( basename $URL ); \
+    wget -q "$URL"; \
+    wget -q "$URL.sig"; \
+    gpg --keyserver keys.openpgp.org --recv-keys 6F4056821152F03B6B24F2FCF8489F839D7367F3; \
+    gpg --verify "$FILE.sig" "$FILE"; \
+    mkdir -p /usr/share/easy-rsa; \
+    tar -zxvf "$FILE" --strip-components=1 -C /usr/share/easy-rsa; \
+    /usr/share/easy-rsa/easyrsa help; \
+    rm -fv "$FILE"; \
+    rm -fv "$FILE.sig"; \
+    rm -rf /root/.gnupg; \
+    apk del gnupg gpg-agent dirmngr;
+
+ENV EASYRSA=/usr/share/easy-rsa
+WORKDIR /usr/share/easy-rsa
+
+# alpine openssl.cnf location. Use command find / -name 'openssl*.cnf'
+# <  v3.0.4: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0/easyrsa3/easyrsa#L1032-L1033
+# >= v3.0.4:
+RUN echo "Looking for openssl.cnf" \
+    && find /etc /usr -name 'openssl*.cnf'
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/variants/v3.0.1-alpine-3.17/docker-compose.yml b/variants/v3.0.1-alpine-3.17/docker-compose.yml
@@ -0,0 +1,40 @@
+version: '2.1'
+services:
+  easyrsa:
+    container_name: easyrsa
+    image: theohbrothers/docker-easyrsa:v3.0.1-alpine-3.17
+
+    # Uncomment and configure these environment to your needs. The following are the default values, according to: https://github.com/OpenVPN/easy-rsa/blob/v3.0.8/doc/EasyRSA-Advanced.md#configuration-reference
+    # Using environment variables is preferred to using a vars file
+    # Double dollar signs '$$' is to escape a dollar sign in the docker-compose yaml parser, see: https://stackoverflow.com/a/40621373
+    # environment:
+      # - EASYRSA_SSL_CONF=/etc/ssl/openssl.cnf
+      # - EASYRSA=$${0%/*}
+      # - EASYRSA_OPENSSL=openssl
+      # - EASYRSA_SSL_CONF=$$EASYRSA/openssl-easyrsa.cnf
+      # - EASYRSA_PKI=$$PWD/pki
+      # - EASYRSA_DN=cn_only
+      # - EASYRSA_REQ_COUNTRY=US
+      # - EASYRSA_REQ_PROVINCE=California
+      # - EASYRSA_REQ_CITY=San Francisco
+      # - EASYRSA_REQ_ORG=Copyleft Certificate Co
+      # - EASYRSA_REQ_EMAIL=me@example.net
+      # - EASYRSA_REQ_OU=My Organizational Unit
+      # - EASYRSA_KEY_SIZE=2048
+      # - EASYRSA_ALGO=rsa
+      # - EASYRSA_CURVE=secp384r1
+      # - EASYRSA_CA_EXPIRE=3650
+      # - EASYRSA_CERT_EXPIRE=180
+      # - EASYRSA_CERT_RENEW=30
+      # - EASYRSA_NS_SUPPORT=no
+      # - EASYRSA_NS_COMMENT=Easy-RSA Generated Certificate
+      # - EASYRSA_TEMP_FILE=$$EASYRSA_PKI/extensions.temp
+      # - EASYRSA_EXT_DIR=$$EASYRSA/x509-types
+      # - EASYRSA_REQ_CN=ChangeMe
+      # - EASYRSA_DIGEST=sha256
+      # - EASYRSA_BATCH=
+
+    # Uncomment this to mount your own openssl.cnf, vars file(s)
+    # volumes:
+      # - ./path/to/openssl.conf:/etc/ssl/openssl.cnf
+      # - ./path/to/vars:/etc/ssl/openssl.cnf
diff --git a/variants/v3.0.1-alpine-3.17/docker-entrypoint.sh b/variants/v3.0.1-alpine-3.17/docker-entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -eu
+
+if [ $# -gt 0 ]; then
+    # Get all subcommands. 'help' is also a subcommand
+    SUBCOMMANDS=$( ./easyrsa | awk "/^'help'/,/^DIRECTORY/" | grep -vE "^'help'|^DIRECTORY|^\s*$" | awk '{print $1}'; echo help )
+    if echo "$SUBCOMMANDS" | grep "^$1$"; then
+        # Generate the command line. easy-rsa man: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0/README.quickstart.md
+        echo "Generating command line"
+        set "$EASYRSA/easyrsa" "$@"
+
+        # Exec
+        echo "easyrsa command line: $@"
+        exec "$@"
+    fi
+else
+    exec "$EASYRSA/easyrsa" "$@"
+fi
+
+exec "$@"
diff --git a/variants/v3.0.3-alpine-3.17/Dockerfile b/variants/v3.0.3-alpine-3.17/Dockerfile
@@ -0,0 +1,41 @@
+FROM alpine:3.17
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM"
+
+RUN apk add --no-cache ca-certificates
+
+# Install easyrsa dependencies
+RUN apk add --no-cache iptables openssl
+
+# Install easyrsa
+# See: https://github.com/OpenVPN/easy-rsa/tree/master/release-keys
+RUN set -eux; \
+    apk add --no-cache gnupg gpg-agent dirmngr; \
+    URL=https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz; \
+    FILE=$( basename $URL ); \
+    wget -q "$URL"; \
+    wget -q "$URL.sig"; \
+    gpg --keyserver keys.openpgp.org --recv-keys 6F4056821152F03B6B24F2FCF8489F839D7367F3; \
+    gpg --verify "$FILE.sig" "$FILE"; \
+    mkdir -p /usr/share/easy-rsa; \
+    tar -zxvf "$FILE" --strip-components=1 -C /usr/share/easy-rsa; \
+    /usr/share/easy-rsa/easyrsa help; \
+    rm -fv "$FILE"; \
+    rm -fv "$FILE.sig"; \
+    rm -rf /root/.gnupg; \
+    apk del gnupg gpg-agent dirmngr;
+
+ENV EASYRSA=/usr/share/easy-rsa
+WORKDIR /usr/share/easy-rsa
+
+# alpine openssl.cnf location. Use command find / -name 'openssl*.cnf'
+# <  v3.0.4: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0/easyrsa3/easyrsa#L1032-L1033
+# >= v3.0.4:
+RUN echo "Looking for openssl.cnf" \
+    && find /etc /usr -name 'openssl*.cnf'
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]