From 8bac424b4766a6d9dee077bbdf20efc3203de1fa Mon Sep 17 00:00:00 2001
From: decentral1se
Date: Wed, 30 Mar 2022 13:55:34 +0200
Subject: [PATCH] make oidc_client_secret config optional

---
 .env.sample | 19 ++++++++++---------
 compose.oidc.yml | 22 ++++++++++++++++++++++
 compose.yml | 14 +------------
 entrypoint.sh.tmpl | 3 +++
 4 files changed, 36 insertions(+), 22 deletions(-)
 create mode 100644 compose.oidc.yml

diff --git a/.env.sample b/.env.sample
index f66a18c..7cd3972 100644
--- a/.env.sample
+++ b/.env.sample
@@ -16,7 +16,6 @@ SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SECRET_KEY_VERSION=v1 # length=64
 SECRET_UTILS_SECRET_VERSION=v1 # length=64
 SECRET_AWS_SECRET_KEY_VERSION=v1
-SECRET_OIDC_CLIENT_SECRET_VERSION=v1
 
 AWS_ACCESS_KEY_ID=
 AWS_REGION=
@@ -26,14 +25,6 @@ AWS_S3_UPLOAD_MAX_SIZE=26214400
 AWS_S3_FORCE_PATH_STYLE=true
 AWS_S3_ACL=private
 
-OIDC_CLIENT_ID=
-OIDC_AUTH_URI=
-OIDC_TOKEN_URI=
-OIDC_USERINFO_URI=
-OIDC_USERNAME_CLAIM=preferred_username
-OIDC_DISPLAY_NAME="My Cool OpenId Connect Provider"
-OIDC_SCOPES="openid profile email"
-
 # –––––––––––––––– OPTIONAL ––––––––––––––––
 
 TEAM_LOGO=
@@ -76,3 +67,13 @@ ALLOWED_DOMAINS=
 #SMTP_REPLY_EMAIL=
 #SMTP_TLS_CIPHERS=
 #SMTP_SECURE=true
+
+#OIDC_ENABLED=1
+#OIDC_CLIENT_ID=
+#OIDC_AUTH_URI=
+#OIDC_TOKEN_URI=
+#OIDC_USERINFO_URI=
+#OIDC_USERNAME_CLAIM=preferred_username
+#OIDC_DISPLAY_NAME="My Cool OpenId Connect Provider"
+#OIDC_SCOPES="openid profile email"
+#SECRET_OIDC_CLIENT_SECRET_VERSION=v1
diff --git a/compose.oidc.yml b/compose.oidc.yml
new file mode 100644
index 0000000..3e21527
--- /dev/null
+++ b/compose.oidc.yml
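Review bot: The commented-out OIDC block appended at the end of .env.sample does not say that enabling it also requires layering compose.oidc.yml (which now carries the OIDC environment passthrough and the oidc_client_secret declaration) onto the stack, so uncommenting these variables alone leaves the app with no OIDC settings at all. A one-line pointer above `#OIDC_ENABLED=1` would close that gap, e.g. `# OIDC: uncomment these, create the oidc_client_secret secret, and add compose.oidc.yml to the compose files used for deployment`. The mechanism the project uses to select override files (a COMPOSE_FILE variable or similar) is not visible in this hunk, so word the pointer to match it. The two earlier hunks in this file only remove the old uncommented OIDC lines and need no change.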
@@ -0,0 +1,22 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - oidc_client_secret
+    environment:
+      - OIDC_ENABLED
+      - OIDC_AUTH_URI
+      - OIDC_CLIENT_ID
+      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
+      - OIDC_DISPLAY_NAME
+      - OIDC_SCOPES
+      - OIDC_TOKEN_URI
+      - OIDC_USERINFO_URI
+      - OIDC_USERNAME_CLAIM
+
+secrets:
+  oidc_client_secret:
+    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
+    external: true
diff --git a/compose.yml b/compose.yml
index 7af87eb..7271d61 100644
--- a/compose.yml
+++ b/compose.yml
@@ -10,7 +10,6 @@ services:
     secrets:
       - aws_secret_key
       - db_password
-      - oidc_client_secret
       - secret_key
       - utils_secret
     configs:
@@ -29,15 +28,7 @@ services:
       - AWS_SECRET_KEY_FILE=/run/secrets/aws_secret_key
       - DATABASE_PASSWORD_FILE=/run/secrets/db_password
       - FORCE_HTTPS=true
-      - OIDC_AUTH_URI
-      - OIDC_CLIENT_ID
-      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
-      - OIDC_DISPLAY_NAME
-      - OIDC_SCOPES
-      - OIDC_TOKEN_URI
-      - OIDC_USERINFO_URI
-      - OIDC_USERNAME_CLAIM
-      - PGSSLMODE=disable
+      - PGSSLMODE=disable
       - REDIS_URL=redis://${STACK_NAME}_redis:6379
       - SECRET_KEY_FILE=/run/secrets/secret_key
       - STACK_NAME
@@ -86,9 +77,6 @@ secrets:
   aws_secret_key:
     name: ${STACK_NAME}_aws_secret_key_${SECRET_AWS_SECRET_KEY_VERSION}
     external: true
-  oidc_client_secret:
-    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
-    external: true
   db_password:
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
     external: true
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 51b12d5..0fc19dc 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
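Review bot: compose.oidc.yml carries no header comment saying it is an override to be merged after compose.yml, and it depends on Compose's list-merge behaviour to append to the app service's existing `secrets:` and `environment:` lists rather than replace them; deployed on its own, or ahead of compose.yml, it yields an `app` service that has only the OIDC settings. Suggest a leading comment after `---`: `# OIDC override: merge after compose.yml; requires OIDC_ENABLED=1 and the external ${STACK_NAME}_oidc_client_secret_<version> secret to exist`. The secret is also made available two ways — as the OIDC_CLIENT_SECRET_FILE path here and, via entrypoint.sh.tmpl, as a plain OIDC_CLIENT_SECRET environment variable; if the application reads the `_FILE` form, the env export is redundant and widens where the secret is visible, which is worth confirming against the app's config loader. The compose.yml hunks that follow only move these entries out of the base file and need nothing further.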
@@ -1,7 +1,10 @@ #!/bin/sh export AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/aws_secret_key) +{{ if eq (env "OIDC_ENABLED") "1" }} export OIDC_CLIENT_SECRET=$(cat /run/secrets/oidc_client_secret) +{{ end }} + export UTILS_SECRET=$(cat /run/secrets/utils_secret) export SECRET_KEY=$(cat /run/secrets/secret_key) export DATABASE_PASSWORD=$(cat /run/secrets/db_password)
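Review bot: Inside the new `{{ if }}` block the `cat` of /run/secrets/oidc_client_secret is unguarded, so when OIDC_ENABLED=1 is set but compose.oidc.yml was not layered into the stack the file is absent, `cat` only writes to stderr, and OIDC_CLIENT_SECRET is exported as an empty string while startup continues (no `set -e` is visible in the hunk, and `export` returns 0 regardless of the substitution). A readability check just before the export fails fast instead: `[ -r /run/secrets/oidc_client_secret ] || { echo "OIDC_ENABLED=1 but /run/secrets/oidc_client_secret is missing" >&2; exit 1; }`. The gate also matches only the literal string `1` (as .env.sample documents), so a value like `true` silently skips the export while compose.oidc.yml still passes the remaining OIDC_* variables; if this is a Go text/template, a comment such as `{{/* OIDC_ENABLED must be exactly "1"; see .env.sample and compose.oidc.yml */}}` above the condition would make that explicit. The script may continue past the hunk's last context line.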