Merge pull request #51 from Collaborne/pr/mount-selinux

Use ':z' modifier for mounts

Author: pieterlange

README.md

@@ -13,13 +13,13 @@ The main motivator for this project was having the ability to route service requ
 ## Usage
 First, you need to initialize your PKI infrastructure. Easyrsa is bundled in this container, so this is fairly easy. Replace `OVPN_SERVER_URL` with your endpoint to-be.
 ```
-$ docker run --user=$(id -u) -e OVPN_SERVER_URL=tcp://vpn.my.fqdn:1194 -v $PWD:/etc/openvpn -ti ptlange/openvpn ovpn_initpki
+$ docker run --user=$(id -u) -e OVPN_SERVER_URL=tcp://vpn.my.fqdn:1194 -v $PWD:/etc/openvpn:z -ti ptlange/openvpn ovpn_initpki
 ```
 Follow the instructions on screen. Remember (or better: securely store) your secure password for the CA. You are now left with a `pki` folder in your current working directory.
 
 Generate the initial Certificate Revocation List. This file needs to be updated every `$EASYRSA_CRL_DAYS`. All clients will be blocked when this file expires.
 ```
-$ docker run --user=$(id -u) -e EASYRSA_CRL_DAYS=180 -v $PWD:/etc/openvpn -ti ptlange/openvpn easyrsa gen-crl
+$ docker run --user=$(id -u) -e EASYRSA_CRL_DAYS=180 -v $PWD:/etc/openvpn:z -ti ptlange/openvpn easyrsa gen-crl
 ```
 
 
@@ -63,8 +63,8 @@ With the pki still in `$PWD/pki` we can create a new VPN user and grab the `.ovp
 
 ```
 # Generate VPN client credentials for CLIENTNAME without password protection; leave 'nopass' out to enter password
-$ docker run --user=$(id -u) -v $PWD:/etc/openvpn -ti ptlange/openvpn easyrsa build-client-full CLIENTNAME nopass
-$ docker run --user=$(id -u) -e OVPN_SERVER_URL=tcp://vpn.my.fqdn:1194 -v $PWD:/etc/openvpn --rm ptlange/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+$ docker run --user=$(id -u) -v $PWD:/etc/openvpn:z -ti ptlange/openvpn easyrsa build-client-full CLIENTNAME nopass
+$ docker run --user=$(id -u) -e OVPN_SERVER_URL=tcp://vpn.my.fqdn:1194 -v $PWD:/etc/openvpn:z --rm ptlange/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
 ```
 
 `CLIENTNAME.ovpn` can now be used to connect to the cluster and interact with k8s services and pods directly. Whoohoo!

kube/deploy.sh

@@ -22,7 +22,7 @@ OVPN_PORT="${OVPN_PORT:-1194}"
 if [ ! -d pki ]; then
     echo "This script requires a directory named 'pki' in the current working directory, populated with a CA generated by easyrsa"
     echo "You can easily generate this. Execute the following command and follow the instructions on screen:"
-    echo "docker run -e OVPN_SERVER_URL=$serverurl -v $PWD:/etc/openvpn -ti ptlange/openvpn ovpn_initpki"
+    echo "docker run -e OVPN_SERVER_URL=$serverurl -v $PWD:/etc/openvpn:z -ti ptlange/openvpn ovpn_initpki"
     exit 1
 fi