fix: dockerfiles and add generate certs script

2026-04-04 02:39:46 +03:00
parent 6740dbb1b7
commit b99f60c7e5
3 changed files with 101 additions and 3 deletions
@@ -11,7 +11,7 @@ COPY . .
 ENV CGO_ENABLED=0
 RUN --mount=type=cache,target=/go/pkg/mod \
  --mount=type=cache,target=/root/.cache/go-build \
-  go build -ldflags "-s -w" -o agent ./cmd/main.go
+  go build -ldflags "-s -w" -o agent ./main.go
 FROM debian:bookworm-slim
@@ -15,8 +15,8 @@ FROM alpine:3.23.0
 RUN apk add --no-cache curl openssl bash
 COPY --from=builder /app/backend .
-COPY --from=builder /app/scripts /etc/mnemosyne/scripts
+#COPY --from=builder /app/scripts /etc/mnemosyne/scripts
-RUN chmod +x /etc/mnemosyne/scripts/generate-certs.sh
+#RUN chmod +x /etc/mnemosyne/scripts/generate-certs.sh
 EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "curl --fail http://localhost:8080/health" ]
@@ -0,0 +1,98 @@
 #!/bin/bash
 # Скрипт генерации SSL сертификатов для mTLS gRPC
 set -e
 CERT_DIR="${1:-/etc/mnemosyne/ssl}"
 DAYS_VALID=365
 echo "Generating CA and server certificates in ${CERT_DIR}..."
 # Создаём директорию
 mkdir -p "${CERT_DIR}"
 # Если сертификаты уже есть и не пустые - не перегенерируем
 if [ -s "${CERT_DIR}/ca.crt" ] && [ -s "${CERT_DIR}/server.crt" ] && [ -s "${CERT_DIR}/server.key" ]; then
    echo "Certificates already exist, skipping generation."
    exit 0
 fi
 # Если файлы существуют но пустые - удаляем их для перегенерации
 rm -f "${CERT_DIR}/ca.crt" "${CERT_DIR}/ca.key" "${CERT_DIR}/server.crt" "${CERT_DIR}/server.key" "${CERT_DIR}/server.csr"
 # Генерация CA
 echo "Generating CA..."
 openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "${CERT_DIR}/ca.key"
 openssl req -x509 -new -nodes -sha256 -days ${DAYS_VALID} \
    -key "${CERT_DIR}/ca.key" \
    -out "${CERT_DIR}/ca.crt" \
    -subj "/CN=Mnemosyne Root CA"
 # Генерация серверного сертификата
 echo "Generating server certificate..."
 openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "${CERT_DIR}/server.key"
 openssl req -new -sha256 \
    -key "${CERT_DIR}/server.key" \
    -out "${CERT_DIR}/server.csr" \
    -subj "/CN=${SERVER_CN:-localhost}"
 # Создаём конфиг для server SAN
 # Поддержка переменных окружения:
 #   SERVER_SAN_DNS - список DNS имен через запятую (например: localhost,backend,myserver.example.com)
 #   SERVER_SAN_IP - список IP адресов через запятую (например: 127.0.0.1,192.168.1.100)
 cat > "${CERT_DIR}/server.ext" <<EOF
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 EOF
 # Добавляем DNS SAN
 dns_idx=1
 IFS=',' read -ra DNS_NAMES <<< "${SERVER_SAN_DNS:-localhost,backend}"
 for dns_name in "${DNS_NAMES[@]}"; do
    dns_name=$(echo "$dns_name" | xargs)  # trim whitespace
    if [ -n "$dns_name" ]; then
        echo "DNS.${dns_idx} = ${dns_name}" >> "${CERT_DIR}/server.ext"
        ((dns_idx++))
    fi
 done
 # Добавляем wildcard для localhost если есть
 echo "DNS.${dns_idx} = *.localhost" >> "${CERT_DIR}/server.ext"
 ((dns_idx++))
 # Добавляем IP SAN
 ip_idx=1
 IFS=',' read -ra IP_ADDRS <<< "${SERVER_SAN_IP:-127.0.0.1}"
 for ip_addr in "${IP_ADDRS[@]}"; do
    ip_addr=$(echo "$ip_addr" | xargs)  # trim whitespace
    if [ -n "$ip_addr" ]; then
        echo "IP.${ip_idx} = ${ip_addr}" >> "${CERT_DIR}/server.ext"
        ((ip_idx++))
    fi
 done
 openssl x509 -req -sha256 -days ${DAYS_VALID} \
    -in "${CERT_DIR}/server.csr" \
    -CA "${CERT_DIR}/ca.crt" \
    -CAkey "${CERT_DIR}/ca.key" \
    -CAcreateserial \
    -out "${CERT_DIR}/server.crt" \
    -extfile "${CERT_DIR}/server.ext"
 # Очистка лишних файлов
 rm -f "${CERT_DIR}/server.ext"
 # Установка прав
 chmod 600 "${CERT_DIR}"/*.key
 chmod 644 "${CERT_DIR}"/*.crt
 echo "Certificates generated successfully!"
 echo "  CA:     ${CERT_DIR}/ca.crt"
 echo "  Server: ${CERT_DIR}/server.crt + ${CERT_DIR}/server.key"
 echo "  SAN DNS: ${SERVER_SAN_DNS:-localhost,backend}"
 echo "  SAN IP:  ${SERVER_SAN_IP:-127.0.0.1}"