Additional deployment options

The following examples assume Docker, but similar approaches are possible with other container orchestration mechanisms.

Deploying with SSL 

If you'd like command-over-http to listen only on HTTPS (via SSL), follow these steps. This is typically not needed if command-over-http is running in an air-gapped-like network.

This deployment assumes there is a /ssl/ directory on the machine that runs the docker run … command, and that the directory contains tls.crt and tls.key files. When the container boots, command-over-HTTP looks up those files locally in the container through the volume mapping.

docker run -it --env TINES_TUNNEL_SECRET="<secret>" \
  --env FORCE_SSL="true" \
  --env TLS_CERT_PATH="/ssl/tls.crt" \
  --env TLS_KEY_PATH="/ssl/tls.key" \
  -v /ssl:/ssl \
  tines/command-over-http

Authenticating with Kerberos for PowerShell usage 

docker run -it --env KERBEROS_DEFAULT_REALM="TINES.DEV" \
    --env KERBEROS_KDC_DOMAIN="TINES.DEV" \
    --env KERBEROS_ADMIN_SERVER="TINES.DEV" \
    --env KERBEROS_PRINCIPAL_USER_NAME="administrator" \
    --env KERBEROS_PRINCIPAL_USER_PASSWORD="Password123" \
    --env TINES_TUNNEL_SECRET="TunnelSecret" \
    tines/command-over-http:latest

See ‘Passing secret values to the deployment’ below for how to pass Kerberos credentials in.

Deploying with custom DNS 

docker run \
  --env TINES_TUNNEL_SECRET="secret" \
  --dns="EnterDNSIP" \
  --add-host="EnterHostFQDN:EnterHostIP" \
  tines/tines-tunnel:latest

Passing secret values to the deployment 

In the event a credential vault or secrets need to be passed to the command-over-HTTP container during deployment, you can leverage Docker Compose secrets.

First, you’ll need to define where secrets should be pulled in from. In a directory on the container host, create a file named secrets.env. In the file enter the following information:

KERBEROS_PRINCIPAL_USER_PASSWORD=ENTER_PASSWORD_HERE

Replace the value ENTER_PASSWORD_HERE with the expected credential, in this example the Kerberos service account password. Save the file. Now create a file called docker-compose.yml with the following structure:

version: "3.8"
services:
  coh:
    image: tines/command-over-http:latest
    deploy:
      replicas: 1
    environment:
      - KERBEROS_DEFAULT_REALM=ENTER_REALM
      - KERBEROS_KDC_DOMAIN=ENTER_KDC_DOMAIN
      - KERBEROS_ADMIN_SERVER=ENTER_DC_SERVER
      - KERBEROS_PRINCIPAL_USER_NAME=ENTER_USER_ACCOUNT_NAME
    secrets:
      - secret-env
secrets:
  secret-env:
    file: ./secrets.env

💡Note

To use Docker secrets, Docker Compose must be installed on the system where command-over-HTTP is being deployed. The Docker Compose version must support Compose file version 3.8 (i.e. Docker Compose v2.3.3).

With the file configured, run the following command from the directory in which the docker-compose.yml and secrets.env files exist:

docker compose up -d 

Once the command-over-HTTP container is created, validate the credentials were passed to the container by running the following command:

docker compose run coh cat /run/secrets/secret-env

The value specified in the secrets file will be returned. This process can also be used for credential vaults, so long as the data being read in follows this format:

KERBEROS_PRINCIPAL_USER_PASSWORD=ENTER_PASSWORD_HERE
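
One way to check secrets.env before running docker compose up -d, as an added example that is not part of the Tines documentation: it verifies the NAME=VALUE format required above without printing the value. The function name, the return codes, and the permission and whitespace checks are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check for secrets.env before `docker compose up -d`.
# Return codes are this example's own convention:
#   0 ok | 1 file missing | 2 accessible to "other" users
#   3 CR or trailing whitespace | 4 line not NAME=VALUE
#   5 password key missing or still the placeholder
REQUIRED_KEY="KERBEROS_PRINCIPAL_USER_PASSWORD"
PLACEHOLDER="ENTER_PASSWORD_HERE"

check_secrets_env() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }

    # Characters 8-10 of `ls -ld` are the permission bits for "other".
    # Assumption: the container's user can read the file without them.
    other=$(ls -ld "$f" | cut -c8-10)
    [ "$other" = "---" ] || { echo "$f: open to other users ($other)" >&2; return 2; }

    cr=$(printf '\r'); tab=$(printf '\t')
    found=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        if [ -z "$line" ]; then continue; fi
        # Only file name and line number are reported, never the value.
        case $line in
            *"$cr"* | *" " | *"$tab")
                # Assumption: the value is read literally, so a CRLF ending
                # or trailing blank would become part of the password.
                echo "$f:$lineno: CR or trailing whitespace" >&2; return 3 ;;
        esac
        if ! printf '%s\n' "$line" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*=.+$'; then
            echo "$f:$lineno: not in NAME=VALUE form" >&2; return 4
        fi
        if [ "${line%%=*}" = "$REQUIRED_KEY" ] && [ "${line#*=}" != "$PLACEHOLDER" ]; then
            found=1
        fi
    done < "$f"

    if [ "$found" -ne 1 ]; then
        echo "$f: $REQUIRED_KEY missing or still $PLACEHOLDER" >&2; return 5
    fi
    return 0
}

# Usage: check_secrets_env ./secrets.env && docker compose up -d
```

If the container runs as a user that cannot read a file without "other" permissions, relax the permission check rather than the format checks.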
