Merge pull request #61 from theohbrothers/enhancement/add-easyrsa-3.2…

….0-variants

Enhancement: Add easyrsa 3.2.0 variants

.github/workflows/ci-master-pr.yml

@@ -33,6 +33,126 @@ jobs:
       run: |
         git diff --exit-code
 
+  build-3-2-0:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Display system info (linux)
+      run: |
+        set -e
+        hostname
+        whoami
+        cat /etc/*release
+        lscpu
+        free
+        df -h
+        pwd
+        docker info
+        docker version
+
+    # See: https://github.com/docker/build-push-action/blob/v2.6.1/docs/advanced/cache.md#github-cache
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      id: buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Cache Docker layers
+      uses: actions/cache@v4
+      with:
+        path: /tmp/.buildx-cache
+        key: ${{ runner.os }}-buildx-3.2.0-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-buildx-3.2.0-
+          ${{ runner.os }}-buildx-
+
+    - name: Login to Docker Hub registry
+      # Run on master and tags
+      if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_REGISTRY_USER }}
+        password: ${{ secrets.DOCKERHUB_REGISTRY_PASSWORD }}
+
+    # This step generates the docker tags
+    - name: Prepare
+      id: prep-3-2-0
+      run: |
+        set -e
+
+        # Get ref, i.e. <branch_name> from refs/heads/<branch_name>, or <tag-name> from refs/tags/<tag_name>. E.g. 'master' or 'v0.0.0'
+        REF=$( echo "${GITHUB_REF}" | rev | cut -d '/' -f 1 | rev )
+
+        # Get short commit hash E.g. 'abc0123'
+        SHA=$( echo "${GITHUB_SHA}" | cut -c1-7 )
+
+        # Generate docker image tags
+        # E.g. 'v0.0.0-<variant>' and 'v0.0.0-abc0123-<variant>'
+        # E.g. 'master-<variant>' and 'master-abc0123-<variant>'
+        VARIANT="3.2.0"
+        REF_VARIANT="${REF}-${VARIANT}"
+        REF_SHA_VARIANT="${REF}-${SHA}-${VARIANT}"
+
+        # Pass variables to next step
+        echo "VARIANT_BUILD_DIR=$VARIANT_BUILD_DIR" >> $GITHUB_OUTPUT
+        echo "VARIANT=$VARIANT" >> $GITHUB_OUTPUT
+        echo "REF_VARIANT=$REF_VARIANT" >> $GITHUB_OUTPUT
+        echo "REF_SHA_VARIANT=$REF_SHA_VARIANT" >> $GITHUB_OUTPUT
+
+    - name: 3.2.0 - Build (PRs)
+      # Run only on pull requests
+      if: github.event_name == 'pull_request'
+      uses: docker/build-push-action@v5
+      with:
+        context: variants/3.2.0
+        platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
+        push: false
+        tags: |
+          ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_SHA_VARIANT }}
+        cache-from: type=local,src=/tmp/.buildx-cache
+        cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+    - name: 3.2.0 - Build and push (master)
+      # Run only on master
+      if: github.ref == 'refs/heads/master'
+      uses: docker/build-push-action@v5
+      with:
+        context: variants/3.2.0
+        platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
+        push: true
+        tags: |
+          ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_SHA_VARIANT }}
+        cache-from: type=local,src=/tmp/.buildx-cache
+        cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+    - name: 3.2.0 - Build and push (release)
+      if: startsWith(github.ref, 'refs/tags/')
+      uses: docker/build-push-action@v5
+      with:
+        context: variants/3.2.0
+        platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
+        push: true
+        tags: |
+          ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-3-2-0.outputs.REF_SHA_VARIANT }}
+          ${{ github.repository }}:latest
+        cache-from: type=local,src=/tmp/.buildx-cache
+        cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+    # Temp fix
+    # https://github.com/docker/build-push-action/issues/252
+    # https://github.com/moby/buildkit/issues/1896
+    - name: Move cache
+      run: |
+        rm -rf /tmp/.buildx-cache
+        mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
   build-3-1-7:
     runs-on: ubuntu-latest
     steps:
@@ -141,7 +261,6 @@ jobs:
           ${{ github.repository }}:${{ steps.prep-3-1-7.outputs.VARIANT }}
           ${{ github.repository }}:${{ steps.prep-3-1-7.outputs.REF_VARIANT }}
           ${{ github.repository }}:${{ steps.prep-3-1-7.outputs.REF_SHA_VARIANT }}
-          ${{ github.repository }}:latest
         cache-from: type=local,src=/tmp/.buildx-cache
         cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
 
@@ -2059,6 +2178,7 @@ jobs:
 
   update-draft-release:
     needs:
+      - build-3-2-0
       - build-3-1-7
       - build-3-1-6
       - build-3-1-5
@@ -2089,6 +2209,7 @@ jobs:
 
   publish-draft-release:
     needs:
+      - build-3-2-0
       - build-3-1-7
       - build-3-1-6
       - build-3-1-5
@@ -2121,6 +2242,7 @@ jobs:
 
   update-dockerhub-description:
     needs:
+      - build-3-2-0
       - build-3-1-7
       - build-3-1-6
       - build-3-1-5

README.md

@@ -12,7 +12,8 @@ The base image is `alpine`.
 
 | Tag | Dockerfile Build Context |
 |:-------:|:---------:|
-| `:3.1.7`, `:latest` | [View](variants/3.1.7) |
+| `:3.2.0`, `:latest` | [View](variants/3.2.0) |
+| `:3.1.7` | [View](variants/3.1.7) |
 | `:3.1.6` | [View](variants/3.1.6) |
 | `:3.1.5` | [View](variants/3.1.5) |
 | `:3.1.4` | [View](variants/3.1.4) |
@@ -38,14 +39,14 @@ In this image, the PKI will be stored in `/data/pki` (i.e. `EASYRSA_PKI=/data/pk
 
 ```sh
 # Generate /data/pki
-docker run --rm -it -v data:/data theohbrothers/docker-easyrsa:3.1.7 init-pki
+docker run --rm -it -v data:/data theohbrothers/docker-easyrsa:3.2.0 init-pki
 # Generate CA, server and client certs
-docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.1.7 build-ca nopass
-docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.1.7 build-server-full server-01 nopass
-docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.1.7 build-client-full client-01 nopass
+docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.2.0 build-ca nopass
+docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.2.0 build-server-full server-01 nopass
+docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.2.0 build-client-full client-01 nopass
 
 # Alternatively, a nice one liner to do everything
-docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.1.7 sh -c 'set -e; easyrsa init-pki; easyrsa build-ca nopass; easyrsa build-server-full server-01 nopass; easyrsa build-client-full client-01 nopass; find /data/pki'
+docker run --rm -it -e EASYRSA_BATCH=true -v data:/data theohbrothers/docker-easyrsa:3.2.0 sh -c 'set -e; easyrsa init-pki; easyrsa build-ca nopass; easyrsa build-server-full server-01 nopass; easyrsa build-client-full client-01 nopass; find /data/pki'
 ```
 
 According to [`easy-rsa` documentation](https://github.com/OpenVPN/easy-rsa/blob/v3.0.0/doc/EasyRSA-Advanced.md#configuration-reference), there are four ways to run `easy-rsa`, namely:

generate/definitions/versions.json

@@ -1,6 +1,7 @@
 {
   "easyrsa": {
     "versions": [
+      "3.2.0",
       "3.1.7",
       "3.1.6",
       "3.1.5",

variants/3.2.0/Dockerfile

@@ -0,0 +1,50 @@
+FROM alpine:3.17
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM"
+
+RUN apk add --no-cache ca-certificates
+
+# Install easyrsa dependencies
+RUN apk add --no-cache openssl
+
+WORKDIR /data
+ENV EASYRSA=/usr/share/easy-rsa
+ENV EASYRSA_PKI=/data/pki
+
+# Install easyrsa
+# See: https://github.com/OpenVPN/easy-rsa/tree/master/release-keys
+RUN set -eux; \
+    apk add --no-cache gnupg gpg-agent dirmngr; \
+    URL=https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.0/EasyRSA-3.2.0.tgz; \
+    FILE=$( basename $URL ); \
+    wget -q "$URL"; \
+    wget -q "$URL.sig"; \
+    gpg --keyserver keys.openpgp.org --recv-keys 6F4056821152F03B6B24F2FCF8489F839D7367F3; \
+    gpg --verify "$FILE.sig" "$FILE"; \
+    mkdir -p /usr/share/easy-rsa; \
+    tar -zxvf "$FILE" --strip-components=1 -C /usr/share/easy-rsa; \
+    ln -sf /usr/share/easy-rsa/easyrsa /usr/local/bin/easyrsa; \
+    \
+    easyrsa help; \
+    easyrsa init-pki; \
+    rm -rfv /data/pki; \
+    \
+    rm -fv "$FILE"; \
+    rm -fv "$FILE.sig"; \
+    apk del gnupg gpg-agent dirmngr; \
+    killall dirmngr; \
+    killall gpg-agent; \
+    # Fix error: rm: can't remove '/root/.gnupg/S.gpg-agent.extra': No such file or directory
+    while ls /root/.gnupg/S.* > /dev/null; do \
+        echo "Waiting for gpg sockets to be removed"; \
+        sleep 1; \
+    done; \
+    rm -rf /root/.gnupg;
+
+VOLUME /data
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]

variants/3.2.0/docker-compose.yml

@@ -0,0 +1,40 @@
+version: '2.1'
+services:
+  easyrsa:
+    container_name: easyrsa
+    image: theohbrothers/docker-easyrsa:3.2.0
+
+    # Uncomment and configure these environment to your needs. The following are the default values, according to: https://github.com/OpenVPN/easy-rsa/blob/v3.0.8/doc/EasyRSA-Advanced.md#configuration-reference
+    # Using environment variables is preferred to using a vars file
+    # Double dollar signs '$$' is to escape a dollar sign in the docker-compose yaml parser, see: https://stackoverflow.com/a/40621373
+    # environment:
+      # - EASYRSA_SSL_CONF=/etc/ssl/openssl.cnf
+      # - EASYRSA=$${0%/*}
+      # - EASYRSA_OPENSSL=openssl
+      # - EASYRSA_SSL_CONF=$$EASYRSA/openssl-easyrsa.cnf
+      # - EASYRSA_PKI=$$PWD/pki
+      # - EASYRSA_DN=cn_only
+      # - EASYRSA_REQ_COUNTRY=US
+      # - EASYRSA_REQ_PROVINCE=California
+      # - EASYRSA_REQ_CITY=San Francisco
+      # - EASYRSA_REQ_ORG=Copyleft Certificate Co
+      # - [email protected]
+      # - EASYRSA_REQ_OU=My Organizational Unit
+      # - EASYRSA_KEY_SIZE=2048
+      # - EASYRSA_ALGO=rsa
+      # - EASYRSA_CURVE=secp384r1
+      # - EASYRSA_CA_EXPIRE=3650
+      # - EASYRSA_CERT_EXPIRE=180
+      # - EASYRSA_CERT_RENEW=30
+      # - EASYRSA_NS_SUPPORT=no
+      # - EASYRSA_NS_COMMENT=Easy-RSA Generated Certificate
+      # - EASYRSA_TEMP_FILE=$$EASYRSA_PKI/extensions.temp
+      # - EASYRSA_EXT_DIR=$$EASYRSA/x509-types
+      # - EASYRSA_REQ_CN=ChangeMe
+      # - EASYRSA_DIGEST=sha256
+      # - EASYRSA_BATCH=
+
+    # Uncomment this to mount your own openssl.cnf, vars file(s)
+    # volumes:
+      # - ./path/to/openssl.conf:/etc/ssl/openssl.cnf
+      # - ./path/to/vars:/etc/ssl/openssl.cnf

variants/3.2.0/docker-entrypoint.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+set -eu
+
+if [ $# -gt 0 ]; then
+    # Get all subcommands. 'help' is also a subcommand
+    SUBCOMMANDS=$( easyrsa help | awk "/init-pki/,/^$/" | awk '{print $1}' | awk NF ; echo help )
+    if echo "$SUBCOMMANDS" | grep "^$1$" > /dev/null; then
+        exec "easyrsa" "$@"
+    fi
+else
+    exec "easyrsa" "$@"
+fi
+
+exec "$@"