This project consists of a set of Dockerfiles that override the /etc/ssl directory of other Docker images. The purpose is to inject custom CA certificates into those images without rebuilding them: an init container generates a complete ssl directory, and the target container mounts it.
Here's a docker compose example for extending miniflux:
```yaml
services:
  miniflux-certs-init:
    build:
      context: https://github.com/miklosbagi/ca-init-container.git#main
      # pick the Dockerfile matching your main image (miniflux runs on alpine, so use the alpine Dockerfile)
      dockerfile: Dockerfile.cert-inject-alpine
    volumes:
      # map the directory holding your CA files (e.g. root_ca.crt, intermediate_ca.pem)
      - ../_common/certs:/certs:ro
      # map the output directory: ca-init-container writes the complete ssl directory here,
      # and the target container mounts it as-is
      - ./config/ssl:/output-certs
  miniflux:
    image: miniflux/miniflux
    environment:
      ...
    volumes:
      # map the output directory over the whole ssl folder
      - ./config/ssl:/etc/ssl:ro
    depends_on:
      db:
        condition: service_healthy
      miniflux-certs-init:
        condition: service_completed_successfully
  db:
    ...
```
The easiest check is to look into the target container's /etc/ssl directory for the marker file the init container writes there, named generated-by-cainit-<timestamp>. Wrap the glob in `sh -c` so it is expanded inside the container rather than by your host shell:

```
❯ docker exec -it miniflux-miniflux-1 sh -c 'ls -la /etc/ssl/generated-by-cainit*'
-rw-r--r-- 1 root root 0 Nov 27 16:28 generated-by-cainit-20241127-162837
```

If the marker is present, the init container completed and the target container is using the /etc/ssl directory it generated.
- If the marker is missing or the target container is still not using the injected certificates, check the init container's logs (`docker compose logs miniflux-certs-init`); they describe what it did.
Ideally, use the Dockerfile built on the same base image as the image being "enhanced". For example, miniflux is based on alpine, so the correct Dockerfile is Dockerfile.cert-inject-alpine.
| Distro | Dockerfile |
|---|---|
| Ubuntu | Dockerfile.cert-inject-debian |
| Debian | Dockerfile.cert-inject-debian |
| Alpine | Dockerfile.cert-inject-alpine |
- If your base image ships a modified ca-certificates.crt, ca-init-container will likely break it: the file is replaced with the one generated from the certs folder, so anything the image itself added to the bundle is lost.
- The certs folder should contain the CA certificates in PEM format with the .crt extension, named after the CA they represent (e.g. root_ca.crt, intermediate_ca.pem).
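The two caveats above (a modified ca-certificates.crt gets replaced, and only PEM input is expected) are easiest to reason about with a small merging script. The following is an added example, not ca-init-container's own code: it appends the CAs from a certs folder to an existing bundle instead of overwriting it, skips certificates that are already present (compared by SHA-256 of the decoded DER), rejects files without a PEM block, and writes the generated-by-cainit-<timestamp> marker that the check above looks for. The function names (merge_bundle, demo, fake_pem), the accepted extensions, the output layout and the sample certificates are assumptions constructed for the example; the PEM bodies are placeholder bytes, not real X.509 certificates.

```python
#!/usr/bin/env python3
"""Append custom CAs to a ca-certificates.crt bundle instead of replacing it.

Added example, not ca-init-container's own code. Layout assumed: output_dir is
mounted as the target's /etc/ssl, so the bundle goes to
output_dir/certs/ca-certificates.crt and the marker to
output_dir/generated-by-cainit-<timestamp>.
"""
import base64
import hashlib
import re
import tempfile
import time
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)
CA_EXTENSIONS = {".crt", ".pem"}  # assumption: both spellings appear in the README


def pem_blocks(text):
    """Return (sha256 of DER, normalised PEM) for every certificate block in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        b64 = "".join(match.group(1).split())
        der = base64.b64decode(b64, validate=True)  # raises ValueError on malformed input
        if not der:
            raise ValueError("empty certificate block")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        blocks.append((hashlib.sha256(der).hexdigest(), pem))
    return blocks


def merge_bundle(existing_bundle, certs_dir, output_dir, now=None):
    """Write output_dir/certs/ca-certificates.crt = existing bundle + new CAs.

    Returns the fingerprints that were appended. Blocks already present (same
    DER) are skipped, so the call is idempotent and nothing the image put in
    its own bundle is lost.
    """
    existing = Path(existing_bundle).read_text() if existing_bundle else ""
    seen = {fp for fp, _ in pem_blocks(existing)}
    appended, extra = [], []
    for path in sorted(Path(certs_dir).iterdir()):
        if not path.is_file() or path.suffix.lower() not in CA_EXTENSIONS:
            continue
        blocks = pem_blocks(path.read_text())
        if not blocks:
            raise ValueError(f"{path.name}: no PEM certificate block (DER input is not accepted)")
        for fp, pem in blocks:
            if fp in seen:
                continue  # already in the bundle, e.g. a distro CA copied into certs/
            seen.add(fp)
            appended.append(fp)
            extra.append(f"# {path.name}\n{pem}")  # OpenSSL ignores text between PEM blocks
    certs_out = Path(output_dir) / "certs"
    certs_out.mkdir(parents=True, exist_ok=True)
    if existing and not existing.endswith("\n"):
        existing += "\n"
    (certs_out / "ca-certificates.crt").write_text(existing + "".join(extra))
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    (Path(output_dir) / f"generated-by-cainit-{stamp}").touch()
    return appended


def fake_pem(label):
    """Constructed stand-in for a certificate: PEM framing over plain bytes, not real X.509."""
    b64 = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


def demo():
    """Constructed scenario: a distro bundle with two CAs; certs/ holds one of them plus two new ones."""
    root = Path(tempfile.mkdtemp())
    certs, out = root / "certs", root / "output-certs"
    certs.mkdir()
    distro = root / "distro-ca-certificates.crt"
    distro.write_text(fake_pem("distro-ca-1") + fake_pem("distro-ca-2"))
    (certs / "root_ca.crt").write_text(fake_pem("corp-root"))
    (certs / "intermediate_ca.pem").write_text(fake_pem("corp-intermediate"))
    (certs / "copy-of-distro.crt").write_text(fake_pem("distro-ca-2"))  # duplicate, must be skipped
    (certs / "README.txt").write_text("not a certificate")  # wrong extension, must be ignored
    first = merge_bundle(distro, certs, out, now=1732724917)  # 2024-11-27 16:28:37 UTC
    merged = out / "certs" / "ca-certificates.crt"
    second = merge_bundle(merged, certs, out, now=1732724917)  # re-run: nothing new to add
    markers = sorted(p.name for p in out.iterdir() if p.name.startswith("generated-by-cainit-"))
    return {
        "appended": len(first),
        "blocks_in_bundle": len(pem_blocks(merged.read_text())),
        "marker": markers[0] if markers else None,
        "second_run_appended": len(second),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the demo result: two CAs appended, four blocks in the merged bundle, the duplicate and the .txt file ignored, and a second run appending nothing. Pointing `existing_bundle` at the base image's own /etc/ssl/certs/ca-certificates.crt (copied out with `docker cp`) is the append-instead-of-replace behaviour that keeps an image-modified bundle intact.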