
How to Pass in Certificates and Corresponding Password Files to Docker


I'm fairly new to Docker and while there is a ton of information out there, I'm not sure I understand enough to decipher the correct solution to what I'm asking here. Basically, I have a java app/jar file that I want to run inside of a docker container. Based on some examples on the internet, I've created a Dockerfile that looks like:

FROM openjdk:8-jdk-alpine

ADD target/custom-app-1.0.0-SNAPSHOT.jar custom-app.jar

# Shell form rather than the JSON exec form: $(cat ...) is only expanded by a
# shell, so the exec form would hand java the literal text "$(cat ...)" as the
# password. "exec" keeps java as PID 1 so it receives the container's stop
# signal. Heap sizes need a unit; a bare -Xmx4096 means 4096 bytes.
ENTRYPOINT exec java -Xmx4096m -Xms1024m \
  -Djavax.net.ssl.trustStore=/etc/pki/java/trustKS.jks \
  -Djavax.net.ssl.trustStorePassword="$(cat /home/username/scripts/jks-password)" \
  -Djavax.net.ssl.trustStoreType=jks \
  -Djavax.net.ssl.keyStore=/etc/pki/java/server_keystore.p12 \
  -Djavax.net.ssl.keyStorePassword="$(cat /home/username/scripts/server-password)" \
  -Djavax.net.ssl.keyStoreType=PKCS12 \
  -Dhttps.protocols=TLSv1.2 \
  -jar /custom-app.jar

In some of the params I pass into the ENTRYPOINT command, I say where my keystore and trust store files are located, as well as the corresponding files that hold their respective passwords/passphrases.

What is the best way in docker to have the user who uses this image to pass in their own certificates with their own passwords?


Solution

  • For a container run locally on a single node, especially a developer environment, you typically mount a volume from the host with these credentials. E.g.

    docker run -v /host/path/creds.pem:/container/path/creds.pem:ro your_image
    

    If you can get to swarm mode, Docker injects secrets as a read-only, in-memory file that is only stored encrypted on the managers, and in memory on the workers that need the secret. This can be as easy as:

    docker secret create creds /host/path/creds.pem
    

    And then run the container as a service:

    docker service create --secret creds your_image
    

    More details on secrets are available at: https://docs.docker.com/engine/swarm/secrets/

    For reproducibility, I typically do this in a compose file. You can find the syntax here: https://docs.docker.com/compose/compose-file/
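The answer covers how the image user gets the files into the container (a bind mount locally, `docker secret` under swarm, or a compose file); the piece the question's Dockerfile is missing is how the image reads them once they are there, since `$(cat ...)` inside a JSON-form ENTRYPOINT is never expanded. The following entrypoint script is an added example, not code from the question, the answer or the Docker project. It assumes the two secrets are named `jks-password` and `server-password`, that they appear under `/run/secrets` (the path swarm and compose use, and one a plain `-v` mount can target as well), that the stores live under `/etc/pki/java` as in the question, and that the image is wired as `COPY entrypoint.sh /entrypoint.sh`, `ENTRYPOINT ["/entrypoint.sh"]`, `CMD ["/custom-app.jar"]`; `SECRETS_DIR` and `CERT_DIR` are environment variables introduced here so the locations can be overridden.

```shell
#!/bin/sh
# Added example (not from the question or the answer): container entrypoint
# that reads the keystore/truststore passwords from files at start-up and
# then execs the JVM. Secret names, paths and the SECRETS_DIR/CERT_DIR
# variables are assumptions chosen to match the question's Dockerfile.
#
# Swarm/compose secrets appear as files under /run/secrets/<name>; for a
# local `docker run` the same directory can be bind-mounted read-only, so
# the image user picks the mechanism and this script does not care which.
set -eu

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"
CERT_DIR="${CERT_DIR:-/etc/pki/java}"

# read_secret NAME: print the first line of $SECRETS_DIR/NAME without its
# trailing newline (a password file written with `echo` ends in "\n", which
# would otherwise become part of the password). Fails if the file is
# missing, unreadable or empty instead of silently starting java with "".
read_secret() {
    file="$SECRETS_DIR/$1"
    if [ ! -r "$file" ]; then
        echo "entrypoint: secret file '$file' is missing or unreadable" >&2
        return 1
    fi
    value=$(head -n 1 "$file")
    if [ -z "$value" ]; then
        echo "entrypoint: secret file '$file' is empty" >&2
        return 1
    fi
    printf '%s' "$value"
}

# build_java_opts: emit the TLS system properties, one per line, with the
# store passwords taken from the secret files. Returns non-zero and emits
# nothing when either secret cannot be read.
build_java_opts() {
    ts_pass=$(read_secret jks-password) || return 1
    ks_pass=$(read_secret server-password) || return 1
    printf '%s\n' \
        "-Djavax.net.ssl.trustStore=$CERT_DIR/trustKS.jks" \
        "-Djavax.net.ssl.trustStorePassword=$ts_pass" \
        "-Djavax.net.ssl.trustStoreType=jks" \
        "-Djavax.net.ssl.keyStore=$CERT_DIR/server_keystore.p12" \
        "-Djavax.net.ssl.keyStorePassword=$ks_pass" \
        "-Djavax.net.ssl.keyStoreType=PKCS12" \
        "-Dhttps.protocols=TLSv1.2"
}

# run_app JAR: turn the option lines into argv entries (splitting on newline
# only, so a password containing spaces or "*" survives intact) and exec
# java so it becomes PID 1 and receives the container's stop signal.
# Caveat: like the question's Dockerfile, this puts the passwords on the
# java command line, readable from /proc inside the container; JDK 8 has no
# @argfile to avoid that, so keep the container to this single process.
run_app() {
    jar="$1"
    opts=$(build_java_opts)
    set -f
    IFS='
'
    set -- $opts
    exec java -Xmx4096m -Xms1024m "$@" -jar "$jar"
}

# Only start the JVM when a jar path was passed (the CMD in the assumed
# Dockerfile); running the file without arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    run_app "$1"
fi
```

With this in the image, the user supplies their own material without rebuilding: locally, `docker run -v /host/certs:/etc/pki/java:ro -v /host/secrets:/run/secrets:ro your_image` where `/host/secrets` holds files named `jks-password` and `server-password`; under swarm, `docker secret create jks-password ./jks-password` (and likewise for `server-password`) followed by `docker service create --secret jks-password --secret server-password your_image`, since `--secret NAME` mounts the secret at `/run/secrets/NAME`. In a compose file the same two names go in a top-level `secrets:` section (each with a `file:` entry) and in the service's `secrets:` list. The keystore holds the private key, so it and the password files should be mounted read-only and never baked into the image with ADD or COPY.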