A secure ambassador for Docker containers by Sojourn Labs. This repository contains a Dockerfile for building a Docker image that implements the ambassador pattern and wrapper scripts. This particular ambassador implementation includes automatic configuration using the Docker API and etcd. Communication is encrypted using OpenSSL. Thus, in order to use this, each host machine must have client and/or server certificates as appropriate.

To activate the server, call the ambassador image with the server argument:

docker run -t -i --rm -v /var/run/docker.sock:/var/run/docker.sock
                      -v path/to/ca/certificate:/vapr/certstore/ca.crt:ro \
                      -v path/to/server/certificate:/vapr/certstore/server.crt:ro \
                      -v path/to/server/key:/vapr/keys/server.key:ro \
                      -p p1 -p p2 -p p3 ... -p pn \
                      sojournlabs/ambassador server container_name external_ip

where container_name is the name of the container to expose and external_ip is the ip address of the host computer. p1 ... pn are arbitrary port numbers. n must be at least equal to the number of ports exposed by container.

To activate the client, call the ambassador image with the client argument:

docker run -t -i --rm -v /var/run/docker.sock:/var/run/docker.sock
                      -v path/to/ca/certificate:/vapr/certstore/ca.crt:ro \
                      -v path/to/client/certificate:/vapr/certstore/client.crt:ro \
                      -v path/to/client/key:/vapr/keys/client.key:ro \
                      sojournlabs/ambassador client container_name

where container_name is the name of the container to connect to.

To start the server, run

TLS_KEY=path/to/key ./server container_name external_ip

where container_name is the name of the container with services to be made public.

To start the client, run

TLS_KEY=path/to/key ./client container_name

where container_name is the name of the container with services to be made public.