working on secrets

.env.sample

@@ -10,9 +10,9 @@ LETS_ENCRYPT_ENV=production
 ##############################################################################
 # SECRETS
 ##############################################################################
-SECRET_DJANGO_SECRET_KEY=v1
-SECRET_OIDC_RP_CLIENT_SECRET=v1
-SECRET_DJANGO_SUPERUSER_PASSWORD=v1
+SECRET_DJANGO_SECRET_KEY_VERSION=v1
+SECRET_OIDC_RP_CLIENT_SECRET_VERSION=v1
+SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION=v1
 
 ##############################################################################
 # BASIC SETTINGS 

abra.sh

@@ -2,6 +2,7 @@
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
 export NGINX_CONF_VERSION=v2
 export PG_BACKUP_VERSION=v3
+export ENTRYPOINT_VERSION=v1
 
 # environment() {
 #   # TODO: Add file_env here

compose.yml

@@ -5,9 +5,9 @@
 x-common-env: &common-env
   DJANGO_CONFIGURATION: Production
   DJANGO_ALLOWED_HOSTS: "*"
-  DJANGO_SECRET_KEY:
+  XX_DJANGO_SECRET_KEY:
   DJANGO_SETTINGS_MODULE: impress.settings
-  DJANGO_SUPERUSER_PASSWORD:
+  XX_DJANGO_SUPERUSER_PASSWORD:
   # Logging
   # Set to DEBUG level for dev only
   LOGGING_LEVEL_HANDLERS_CONSOLE:
@@ -38,7 +38,7 @@ x-common-env: &common-env
   OIDC_OP_TOKEN_ENDPOINT:
   OIDC_OP_USER_ENDPOINT:
   OIDC_RP_CLIENT_ID:
-  OIDC_RP_CLIENT_SECRET:
+  XX_OIDC_RP_CLIENT_SECRET:
   OIDC_RP_SIGN_ALGO:
   OIDC_RP_SCOPES:
   LOGIN_REDIRECT_URL:
@@ -113,6 +113,11 @@ services:
       timeout: 30s
       retries: 20
       start_period: 10s
+    entrypoint: /abra-lasuite-entrypoint.sh
+    configs:
+      - source: abra_lasuite_entrypoint
+        target: /abra-lasuite-entrypoint.sh
+        mode: 0555
 
   celery:
     image: lasuite/impress-backend:v3.4.2
@@ -121,6 +126,11 @@ services:
     command: ["celery", "-A", "impress.celery_app", "worker", "-l", "INFO"]
     environment:
       <<: [*common-env, *postgres-env, *yprovider-env]
+    entrypoint: /abra-lasuite-entrypoint.sh
+    configs:
+      - source: abra_lasuite_entrypoint
+        target: /abra-lasuite-entrypoint.sh
+        mode: 0555
 
   y-provider:
     image: lasuite/impress-y-provider:v3.4.2
@@ -229,3 +239,17 @@ configs:
   pg_backup:
     name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
     file: pg_backup.sh
+  abra_lasuite_entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh
+
+secrets:
+  django_secret_key:
+    external: true
+    name: ${STACK_NAME}_django_secret_key_${SECRET_DJANGO_SECRET_KEY_VERSION}
+  oidc_rp_client_secret:
+    external: true
+    name: ${STACK_NAME}_oidc_rp_client_secret_${SECRET_OIDC_RP_CLIENT_SECRET_VERSION}
+  django_superuser_password:
+    external: true
+    name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION}

entrypoint.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+   local def="${2:-}"
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+
+   local val="$def"
+
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi
+
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+file_env "DJANGO_SECRET_KEY"
+file_env "OIDC_RP_CLIENT_SECRET"
+file_env "DJANGO_SUPERUSER_PASSWORD"
+# file_env "MINIO_ROOT_PASSWORD"
+# file_env "COLLABORATION_SERVER_SECRET"
+# file_env "POSTGRES_PASSWORD"
+# file_env "DB_PASSWORD"
+# file_env "AWS_S3_SECRET_ACCESS_KEY"
+
+# Execute the actual command (from command: in compose.yml)
+exec "$@"
+