Add container restart after trust installation

zyrakq · zyrakq · commit be2b8a442c1d · 2025-08-03T00:19:16.000+03:00
Added STEP_CA_TRUST_RESTART environment variable support.
Updated docker-gen template to handle container restart option.
Updated documentation with new functionality and examples.

Enables applications requiring restart to properly load new
trust certificates when runtime certificate store updates
are insufficient for proper SSL/TLS functionality.
diff --git a/README.md b/README.md
@@ -70,6 +70,7 @@ services:
     image: alpine:3.18
     environment:
       - STEP_CA_TRUST=true
+      - STEP_CA_TRUST_RESTART=true  # Restart after certificate installation
     command: |
       sh -c "
         apk add --no-cache curl &&
@@ -436,7 +437,8 @@ graph TB
 
 For containers that need trust certificates:
 
-- `STEP_CA_TRUST`: Set to `true` to install step-ca trust certificate
+- `STEP_CA_TRUST`: Set to `true` to install step-ca trust certificate bundle
+- `STEP_CA_TRUST_RESTART`: Set to `true` to restart container after certificate installation
 
 ## 🔍 Automatic step-ca Discovery
 
@@ -507,7 +509,32 @@ services:
   my-app:
     image: nginx:alpine
     environment:
-      STEP_CA_TRUST: "true"  # Enables automatic trust certificate installation
+      STEP_CA_TRUST: "true"         # Enables automatic trust certificate installation
+      STEP_CA_TRUST_RESTART: "true" # Restart container after certificate installation
+    networks:
+      - step-ca-network
+```
+
+### Certificate Bundle Details
+
+The trust certificate installation now includes both root and intermediate certificates:
+
+- **Root Certificate**: `/home/step/certs/root_ca.crt` from step-ca container
+- **Intermediate Certificate**: `/home/step/certs/intermediate_ca.crt` from step-ca container
+- **Bundle**: Combined certificate file containing both certificates for complete PKI trust chain
+
+### Container Restart Option
+
+Some applications may require a restart to properly load new trust certificates. Use `STEP_CA_TRUST_RESTART=true` to automatically restart the container after certificate installation:
+
+```yaml
+services:
+  # Application that needs restart after certificate installation
+  secure-app:
+    image: myapp:latest
+    environment:
+      STEP_CA_TRUST: "true"
+      STEP_CA_TRUST_RESTART: "true"  # Container will be restarted after certificate installation
     networks:
       - step-ca-network
 ```
@@ -529,8 +556,9 @@ services:
 3. **OS Detection**: Automatically detects container operating system
 4. **Certificate Retrieval**: Gets step-ca root and intermediate certificates bundle
 5. **Package Installation**: Installs `ca-certificates` package if needed
-6. **Trust Installation**: Copies certificate and updates trust store
-7. **Verification**: Tests HTTPS connectivity to step-ca
+6. **Trust Installation**: Copies certificate bundle and updates trust store
+7. **Container Restart**: Optionally restarts container if `STEP_CA_TRUST_RESTART=true`
+8. **Verification**: Tests HTTPS connectivity to step-ca
 
 ### Example: Microservices with Trust
 
diff --git a/app/scripts/trust-functions.sh b/app/scripts/trust-functions.sh
@@ -352,6 +352,40 @@ verify_trust_installation() {
     fi
 }
 
+# Restart container after certificate installation
+restart_container_after_trust() {
+    local container_id="$1"
+    local container_name="$2"
+    
+    log_trust "Restarting container $container_name after certificate installation..."
+    
+    # Check if container is still running before restart
+    if ! is_container_running "$container_id"; then
+        log_trust "WARNING: Container $container_name is not running, skipping restart"
+        return 1
+    fi
+    
+    # Restart the container
+    if docker restart "$container_id" >/dev/null 2>&1; then
+        log_trust "Successfully restarted container $container_name"
+        
+        # Wait a moment for container to be ready after restart
+        sleep 2
+        
+        # Verify container is running after restart
+        if is_container_running "$container_id"; then
+            log_trust "Container $container_name is running after restart"
+            return 0
+        else
+            log_trust "WARNING: Container $container_name failed to start after restart"
+            return 1
+        fi
+    else
+        log_trust "ERROR: Failed to restart container $container_name"
+        return 1
+    fi
+}
+
 # Process trust installation for containers with STEP_CA_TRUST=true
 process_trust_containers() {
     log_trust "Processing trust certificate installation for containers..."
diff --git a/app/templates/trust-containers.tmpl b/app/templates/trust-containers.tmpl
@@ -21,6 +21,17 @@ log "Processing trust certificate for container: {{$container.Name}} (ID: {{$con
 install_trust_certificate "{{$container.ID}}" "{{$container.Name}}"
 if [ $? -eq 0 ]; then
     log "Trust certificate successfully installed in container: {{$container.Name}}"
+    {{if $container.Env.STEP_CA_TRUST_RESTART}}
+    log "Container {{$container.Name}} has STEP_CA_TRUST_RESTART=true, restarting..."
+    restart_container_after_trust "{{$container.ID}}" "{{$container.Name}}"
+    if [ $? -eq 0 ]; then
+        log "Container {{$container.Name}} successfully restarted after certificate installation"
+    else
+        log "WARNING: Failed to restart container {{$container.Name}} after certificate installation"
+    fi
+    {{else}}
+    log "Container {{$container.Name}} does not require restart (STEP_CA_TRUST_RESTART not set)"
+    {{end}}
 else
     log "Failed to install trust certificate in container: {{$container.Name}}"
 fi
