From 6583eba3ff588fdad83ad636a1b1ad759b51ce34 Mon Sep 17 00:00:00 2001
From: Andreas Motl
Date: Sun, 16 Feb 2025 12:07:59 +0100
Subject: [PATCH] Docker/Podman: Add basic runnable Docker Compose example for CrateDB+SSL
---
operation/docker/ssl/README.md | 25 +++++++++++++++++++++++++
operation/docker/ssl/compose.yml | 28 ++++++++++++++++++++++++++++
operation/docker/ssl/crate.yml | 24 ++++++++++++++++++++++++
operation/docker/ssl/keystore | Bin 0 -> 4261 bytes
operation/docker/ssl/truststore | Bin 0 -> 1049 bytes
5 files changed, 77 insertions(+)
create mode 100644 operation/docker/ssl/README.md
create mode 100644 operation/docker/ssl/compose.yml
create mode 100644 operation/docker/ssl/crate.yml
create mode 100644 operation/docker/ssl/keystore
create mode 100644 operation/docker/ssl/truststore
diff --git a/operation/docker/ssl/README.md b/operation/docker/ssl/README.md
new file mode 100644
index 00000000..517a9acd
--- /dev/null
+++ b/operation/docker/ssl/README.md
@@ -0,0 +1,25 @@
+# CrateDB with SSL on Docker
+
+## About
+
+A service composition file (Docker or Podman) for running CrateDB
+with SSL enabled.
+
+## Usage
+```shell
+docker compose up
+```
+
+## Rationale
+
+Void of relevant ready-to-run examples.
+
+- https://cratedb.com/docs/guide/install/container/
+- https://cratedb.com/docs/guide/install/container/docker.html
+- https://cratedb.com/docs/crate/reference/en/latest/admin/ssl.html
+
+## Blueprint
+
+`crate-pdo` includes an example setup using Docker Compose.
+
+- https://github.com/crate/crate-pdo/tree/2.2.2/test/provisioning
diff --git a/operation/docker/ssl/compose.yml b/operation/docker/ssl/compose.yml
new file mode 100644
index 00000000..b7673b71
--- /dev/null
+++ b/operation/docker/ssl/compose.yml
@@ -0,0 +1,28 @@
+# Purpose:
+# Start CrateDB with custom parameters and wait for the service being available,
+# even when invoked through `docker compose up --detach`.
+
+services:
+
+ cratedb:
+ image: crate/crate:nightly
+ command: ["crate", "-Cstats.enabled=true"]
+ ports:
+ - 4200:4200
+ volumes:
+ - ./crate.yml:/crate/config/crate.yml
+ - ./keystore:/crate/config/keystore
+ - ./truststore:/crate/config/truststore
+ healthcheck:
+ test: ["CMD", "curl", "--fail", "--insecure", "https://localhost:4200"]
+ start_period: 3s
+ interval: 0.5s
+ retries: 30
+ timeout: 30s
+
+ # https://marcopeg.com/2019/docker-compose-healthcheck/
+ start_dependencies:
+ image: dadarek/wait-for-dependencies
+ depends_on:
+ cratedb:
+ condition: service_healthy
diff --git a/operation/docker/ssl/crate.yml b/operation/docker/ssl/crate.yml
new file mode 100644
index 00000000..a6a23db7
--- /dev/null
+++ b/operation/docker/ssl/crate.yml
@@ -0,0 +1,24 @@
+auth.host_based.enabled: true
+auth:
+ host_based:
+ config:
+ 1:
+ user: crate
+ method: trust
+
+ 99:
+ method: password
+
+ssl.http.enabled: true
+ssl.psql.enabled: true
+ssl.keystore_filepath: /crate/config/keystore
+ssl.keystore_password: crate.io
+ssl.keystore_key_password: crate.io
+ssl.truststore_filepath: /crate/config/truststore
+ssl.truststore_password: crate.io
+
+path:
+ logs: /var/log/crate
+ data: /data/crate
+
+network.bind_host: 0.0.0.0
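Review bot: The `ports: - 4200:4200` mapping in the `cratedb` service publishes the HTTP endpoint on every host interface, while the accompanying crate.yml accepts the `crate` superuser without a password, so anyone who can reach the host on that port gets administrative access. For a runnable example, bind the port to loopback instead: `- 127.0.0.1:4200:4200`. Separately, `crate/crate:nightly` is a moving tag and `dadarek/wait-for-dependencies` carries no tag at all, so the example pulls whatever those names resolve to at run time; pinning both to a release tag or digest keeps it reproducible and reviewable. The healthcheck's `--insecure` is reasonable for an in-container probe against a self-signed certificate, but a short comment saying so, e.g. `# --insecure: self-signed demo certificate, probe only`, would discourage copying it into client code.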
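Review bot: HBA entry `1` grants `method: trust` to user `crate` with no `address` restriction, and `network.bind_host: 0.0.0.0` listens on all interfaces, so the superuser is accepted without credentials from any client that can reach the node; TLS here encrypts the channel but does not authenticate the caller. Restricting the entry with `address: _local_` keeps passwordless access to connections from inside the container (the compose healthcheck against `localhost` should still pass) and leaves remote clients to the `password` rule in entry `99`. The keystore passwords (`crate.io`) are committed in plain text next to the keystore and truststore themselves, so that key material has to be treated as public. I would add a comment above the `ssl.*` settings such as `# Demo-only key material; regenerate keystore, truststore and passwords before any non-local use.` and repeat the caveat in the README.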
diff --git a/operation/docker/ssl/keystore b/operation/docker/ssl/keystore new file mode 100644 index 0000000000000000000000000000000000000000..5843e1d4023c86373db78b4a46c288cc92639029 GIT binary patch literal 4261 zcmeH~c{J4PAIIlw#xRU6%*dXU5Y1o|A)%`*Q%HtnAI;bslO+^$L(P>TTO?VM%9efK zvX77o*&=IP`;wiX`rX^Pw{y?A|NPGH{&W9${&?Qc=Q-y&pY#5l=k?y1*_i=>Kn&j( zj7-4WT9aH|$siD5y~XSE3dD$$#h{cxAaFN|0)B_0Fq9>N82|K2+61%rZ(Ay94xtuttjz4N^dGaRacCpi&aeixX&3kVd?*9sOm zn3POp}ql+L?tev(i%(!;uF3sk(o2uQhr!hW-W5IY0`;h7$!J*PYS>bD2Ds2yKFF8zp^@Ej$wX8@st5Iz*b|E~++ zUkkV)j3_Vw?EbOmdsf}+IRIjqjz)&f3(5{(Y7jh9^TJO=hfiUC*HB7gV?f_Hci0N^ z%m5Q#dBAWY3RHI)?3COQL$uW00ChztEit*~KWgsVbxRY67hUg!+=1U}mQ0=-|48BP z?P|#>G*&X5@B~R~9=>~YHRMg*4QUN=s(~kb-4a&I3n3GYF z>{QfXn?ib@AGxKvA(^-pnaM)QAg#N*rC_OeHL&w>ft1 zChccV9DY_t5J>WOp7-oT>#`I~B~L5O-giG;RWTyNlxbTy)wO+L(x*ooAT}*{51YGR zzHJawY)V#;_f=TJ7TB(zz=sfL`A~ZNpU3M7=%?OaviW=MPXJ8nA<$kPT_TQ|x^d}U zMb@(5Wh3&448QXQT18;@4d;RgZ7FkV&8iI{ zxkR`2Rh^G)YgQ3&Uga1*Lh(f&`qkB3u^ZuiNtdqTr?$d zS~8q`n&Y)vU%2k}3pk$NTBCo|^_sWvFIJPUg9efE;^i(&@I*h^mh|Oaon) zrToUVIuZwE@})MZRhBFvHQB3C9uBsB?L3CD&UU+{O>@4HT+G=00f3XPWA3pJywTjm zSZnJhmqYAbJyws^ReUsj6A@3DLR=3D1#TxZUE|lv3uA6iaS0xgm;%x!3uKV=x&xl6 zX`2=OnlK`q(!}qgw17sL*YPO$XIrP!tFOq)lZypwNWuP^gPKIPl!lPV$eI~ zV0X0njA&H5SKFD|zULXb;B184P5y(ymp-#wsKQ)u#;@|H(D81INhus=i2`OEF_=wd z2gX9NA|H23c`aQiqv1jB=183+P|p)NHT0A@RAH-ht-y<7TiG5n8L|vMalkm`pv((e z+6t7VOgY|DkS$f=P}JXFXQ|!J-#iavHM*Ulpkz(ebn$=IC;!U;mDVq9 z$n|LhyFy>d)Ef%8#6vl&ZQ!z3ejr*4Hu(xi^eG_J-m|pwbpaAI3 zazg|Gx^qs%Xt zrh_yLEn?G4%hFBlevh7guGTTe@Yd?uE4^4X04{Hw^PqPWn}|W-$I66@AAa${zmQ+`}LHJ@QH4(f07^$m;&#JNf6a;!otGaQp}I z*%MF!{(ntp+&|LUcj0$B+<;FU?NK%p}EGU(RN}xu#hH91_WUy;{nGM!dRB7LBhXgul%M+23;u3z|JnO-HUo>tt8dV5 z4vWSXc@mM8a0=|#q5=%9n14o6-jUh6T6I=AFSFHq90zaK5LuBMj#H^0Xy8fSTIQtn zc8!-fNf^{179R23I9hL{h1J(6E3v{e!6F5m!NwCZ{h4F^ncvvw2Wx#JmFFvL3^JK? 
zAhPo&*Ieb5mqEu1X<}Q7ou5bJI9Tn3d3KsB+>IUxsvS}FeBKQSO+hZ7w9-GDvSDIn z**R`d8=99tl>vH4U6huw;f^Zj5(VikML**o)j#MPB9+$cHmki>fSv6WQ68T8iFB74 zRVrj+fHg1A6H}0=x;A&3N^Xb5@y*OytelVz)7G;zR&Vi8yb{r1k=2NUQFDv{8e@{8 z0J3TK^tl~%y=?pAox-|-i-e%Vl$Sib(~cK*#G-}2M%1Npy- mOMf?y|7MYYv&jD`i)?5vr1ia(&$~TQM%)%SaMIL!Iqg4DvERl3 literal 0 HcmV?d00001 diff --git a/operation/docker/ssl/truststore b/operation/docker/ssl/truststore new file mode 100644 index 0000000000000000000000000000000000000000..b75fce13d1ffe8ad42ae2744a7861cad721826d0 GIT binary patch literal 1049 zcmezO_TO6u1_mY|W(3omB^jy7iADMOB|wqHKcd^27+53pObsj<7?`gcG%;T`XkyyE zfSHMriHVb;<)q$%idW1(4S3l&wc0$|zVk9NaYUCZ)6A* zFfufN3Jkmxn;4algN>1ufw_s1pTVGsk&CH`k&)qmQQ_%xwc6X4Zu#cECFj85|L^~- z6LN~4E%wVsF`?^cl&rkco%82e&%R{;{qFqq+cC%f-aj?<^76C;P3)_G^p`Dq_vKt- z=nqbjDxjyrw_T>6mQS)BMZ92iLOOwAaT5|H?Ud(k?Sek3szA#P$v)-#`Al zbvAt~dcd+fzog^gt!aLL&WO246@O^`e15r1X=#w$Z=gFSPb};4+JCFHQsetC<^&HJ zndX#*;;JWN#QaXR1#WTzz>`R zWcgUcSVZ33?_YT;x5oE;W1gM)Pjl_L92qMOcW=6*U z$YBmls=zR3WMFzTO?<)!8NEkg$7D1PuBw&yk}&!3KS)dc*InPxO^*^xR|J~Q*{2xv zd@93{Xy%+n7pG^&d;em%Hf`Z&_WUh#Pu~7tuv~>_d+Ak{4xajxnv32)yVoRq>)Pp! z+d?fPpO-UeJF9i-eDAq%q)OY%G$iZsff-kJ)I4A-i`a2ot?W&9!=7VS5%W#0r%vH> zQO@FX)$XXf67&7D>l!oXNBcTtp0EAIdey5&K5~uwjSrFjch;64{CGV)^Ma1?L#yxW zC8poE=i%8Hk(*P_625~`ZOP<`jS?T6X4W_IO<&qSVZE89qLZNQE~{C!Q)l?U*;ZB1 t(^ZwC#@7F-b7suEwG0z)R8%}j%{-yvH>*2W=Z@bd)uqx?3|4;i0RZZdjP3vc literal 0 HcmV?d00001