From 1168dec11bffe6059cc9352ae9d94598265b3657 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Holger=20Lo=CC=88sken?=
Date: Thu, 28 May 2020 09:38:49 +0200
Subject: [PATCH] WIP: Implement docker secrets

---
 README.md | 9 +++++++++
 alpine/entrypoint.sh | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/README.md b/README.md
index df25e28..a1e3cf5 100644
--- a/README.md
+++ b/README.md
@@ -133,6 +133,15 @@ The sample above stores the files on the post at `./docker/app/public` and `./do :warning: If using bind-mounted host directories make sure they exists and have proper rights. See [here](#create-folders-for-data-persistence) for details. +## Docker secrets + +:information_source: This feature is borrowed from [mariadb docker image](https://hub.docker.com/_/mariadb). + +As an alternative to passing sensitive information via environment variables, `_FILE` may be appended to the below listed environment variables, causing the initialization script to load the values for those variables from files present in the container. In particular, this can be used to load passwords from Docker secrets stored in _/run/secrets/_ files. + +Supported are these variables: +`APP_KEY`, `API_SECRET`, `CLOUDFLARE_API_KEY`, `DB_USERNAME`, `DB_PASSWORD`, `MAIL_USERNAME`, `MAIL_PASSWORD`, `MAILGUN_SECRET`, `S3_KEY`, `S3_SECRET` + ## Debugging your Docker setup
diff --git a/alpine/entrypoint.sh b/alpine/entrypoint.sh
index 297012a..cdddb79 100755
--- a/alpine/entrypoint.sh
+++ b/alpine/entrypoint.sh
@@ -1,6 +1,27 @@
 #!/usr/bin/env sh
 set -e
 
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ mysql_error "Both $var and $fileVar are set (but are exclusive)"
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
 set -- php-fpm "$@"
@@ -39,4 +60,17 @@ fi
 chown invoiceninja:www-data /var/www/app/storage
 chown invoiceninja:www-data /var/www/app/public
 
+# Initialize values that might be stored in a file
+file_env 'APP_KEY'
+file_env 'API_SECRET'
+file_env 'CLOUDFLARE_API_KEY'
+file_env 'DB_USERNAME'
+file_env 'DB_PASSWORD'
+file_env 'MAIL_USERNAME'
+file_env 'MAIL_PASSWORD'
+file_env 'MAILGUN_SECRET'
+file_env 'S3_KEY'
+file_env 'S3_SECRET'
+
+
 exec docker-php-entrypoint "$@"
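Review bot: `${!var:-}`, `${!fileVar:-}` and `$(< "${!fileVar}")` inside `file_env` are bash-only constructs, but the file keeps `#!/usr/bin/env sh`, and on an Alpine image that is BusyBox ash, where `${!var}` is rejected as a bad substitution and `$(< file)` yields nothing — every `file_env` call would abort the entrypoint before any secret is read. `mysql_error` is also not defined anywhere in this script (it belongs to the mariadb image the comment cites), so the mutual-exclusion branch would die with "command not found" under `set -e` instead of the intended message. Either switch the shebang to bash, if the image ships it, or keep the function POSIX as below: the indirection goes through `eval` on `$var` alone, which is acceptable here only because the name comes exclusively from the literal `file_env 'APP_KEY'`-style call sites, never from the environment or from file contents. Reading with `cat` strips trailing newlines the same way `$(<)` does, so a secret file ending in a newline behaves identically.

```sh
file_env() {
  local var="$1"
  local fileVar="${var}_FILE"
  local def="${2:-}"
  local cur fileName val
  # POSIX-safe indirection: $var is only ever a literal name from the call sites
  eval "cur=\${$var:-}"
  eval "fileName=\${$fileVar:-}"
  if [ -n "$cur" ] && [ -n "$fileName" ]; then
    printf 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" >&2
    exit 1
  fi
  val="$def"
  if [ -n "$cur" ]; then
    val="$cur"
  elif [ -n "$fileName" ]; then
    val="$(cat "$fileName")"
  fi
  export "$var=$val"
  unset "$fileVar"
}
```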
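Review bot: The ten `file_env` calls are placed at the very end of the entrypoint, after the `chown` lines and directly before `exec`, so any code in the stretch between the `file_env` definition and this block (new-file lines 27–59, outside the hunk) that already reads `DB_PASSWORD`, `APP_KEY` or the other listed variables would run before the `_FILE` indirection is resolved; unless that stretch is known to contain no such reads, the block belongs immediately after the `file_env` definition. The second of the two added blank lines before `exec docker-php-entrypoint "$@"` is redundant and can be dropped.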