From 51c939dd2cc5e5539009043c9723a58a7cd9794f Mon Sep 17 00:00:00 2001
From: notplants
Date: Fri, 31 Oct 2025 13:14:12 -0400
Subject: [PATCH] working on secrets
---
 .env.sample | 6 +++---
 abra.sh | 1 +
 compose.yml | 30 +++++++++++++++++++++++++++---
 entrypoint.sh | 38 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 69 insertions(+), 6 deletions(-)
 create mode 100644 entrypoint.sh
diff --git a/.env.sample b/.env.sample
index 972f822..d9f65b4 100644
--- a/.env.sample
+++ b/.env.sample
@@ -10,9 +10,9 @@ LETS_ENCRYPT_ENV=production
 ##############################################################################
 # SECRETS
 ##############################################################################
-SECRET_DJANGO_SECRET_KEY=v1
-SECRET_OIDC_RP_CLIENT_SECRET=v1
-SECRET_DJANGO_SUPERUSER_PASSWORD=v1
+SECRET_DJANGO_SECRET_KEY_VERSION=v1
+SECRET_OIDC_RP_CLIENT_SECRET_VERSION=v1
+SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION=v1
 ##############################################################################
 # BASIC SETTINGS
diff --git a/abra.sh b/abra.sh
index f2314ad..2fbc127 100755
--- a/abra.sh
+++ b/abra.sh
@@ -2,6 +2,7 @@
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
 export NGINX_CONF_VERSION=v2
 export PG_BACKUP_VERSION=v3
+export ENTRYPOINT_VERSION=v1
 # environment() {
 # # TODO: Add file_env here
diff --git a/compose.yml b/compose.yml
index 2fe157d..5da2887 100644
--- a/compose.yml
+++ b/compose.yml
@@ -5,9 +5,9 @@ x-common-env: &common-env
 DJANGO_CONFIGURATION: Production
 DJANGO_ALLOWED_HOSTS: "*"
- DJANGO_SECRET_KEY:
+ XX_DJANGO_SECRET_KEY:
 DJANGO_SETTINGS_MODULE: impress.settings
- DJANGO_SUPERUSER_PASSWORD:
+ XX_DJANGO_SUPERUSER_PASSWORD:
 # Logging
 # Set to DEBUG level for dev only
 LOGGING_LEVEL_HANDLERS_CONSOLE:
@@ -38,7 +38,7 @@ x-common-env: &common-env
 OIDC_OP_TOKEN_ENDPOINT:
 OIDC_OP_USER_ENDPOINT:
 OIDC_RP_CLIENT_ID:
- OIDC_RP_CLIENT_SECRET:
+ XX_OIDC_RP_CLIENT_SECRET:
 OIDC_RP_SIGN_ALGO:
 OIDC_RP_SCOPES:
 LOGIN_REDIRECT_URL:
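Review bot: Prefixing `DJANGO_SECRET_KEY:` and `DJANGO_SUPERUSER_PASSWORD:` with `XX_` in this hunk, and `OIDC_RP_CLIENT_SECRET:` in the @@ -38 hunk, leaves three keys in `x-common-env` that presumably nothing reads, while no line in the patch sets the `*_FILE` variables the new `entrypoint.sh` consults. If the intent is to move these values to the secrets declared at the end of compose.yml, replace each placeholder with the file form the entrypoint understands, e.g. `DJANGO_SECRET_KEY_FILE: /run/secrets/django_secret_key`, instead of keeping `XX_` keys that look like configuration but are inert. If the placeholders are only a temporary disable, a `# TODO(secrets): replace with *_FILE once secrets are mounted` comment above them would make that explicit. The `x-common-env` mapping itself starts before this hunk.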
@@ -113,6 +113,11 @@ services:
 timeout: 30s
 retries: 20
 start_period: 10s
+ entrypoint: /abra-lasuite-entrypoint.sh
+ configs:
+ - source: abra_lasuite_entrypoint
+ target: /abra-lasuite-entrypoint.sh
+ mode: 0555
 celery:
 image: lasuite/impress-backend:v3.4.2
@@ -121,6 +126,11 @@ services:
 command: ["celery", "-A", "impress.celery_app", "worker", "-l", "INFO"]
 environment:
 <<: [*common-env, *postgres-env, *yprovider-env]
+ entrypoint: /abra-lasuite-entrypoint.sh
+ configs:
+ - source: abra_lasuite_entrypoint
+ target: /abra-lasuite-entrypoint.sh
+ mode: 0555
 y-provider:
 image: lasuite/impress-y-provider:v3.4.2
@@ -229,3 +239,17 @@ configs:
 pg_backup:
 name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
 file: pg_backup.sh
+ abra_lasuite_entrypoint:
+ name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+ file: entrypoint.sh
+
+secrets:
+ django_secret_key:
+ external: true
+ name: ${STACK_NAME}_django_secret_key_${SECRET_DJANGO_SECRET_KEY_VERSION}
+ oidc_rp_client_secret:
+ external: true
+ name: ${STACK_NAME}_oidc_rp_client_secret_${SECRET_OIDC_RP_CLIENT_SECRET_VERSION}
+ django_superuser_password:
+ external: true
+ name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION}
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..c302740
--- /dev/null
+++ b/entrypoint.sh
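Review bot: The backend service gains `entrypoint:` and a `configs:` mount in this hunk (and `celery` the same in the @@ -121 hunk), but neither service lists the `django_secret_key`, `oidc_rp_client_secret` or `django_superuser_password` secrets declared in the @@ -229 hunk, so unless a `secrets:` list already exists in a part of those services not shown in the patch, nothing is mounted under /run/secrets and the entrypoint's `file_env` has nothing to read. Each of the two services needs `secrets: [django_secret_key, oidc_rp_client_secret, django_superuser_password]` next to the new `configs:` entry, paired with `*_FILE` variables in the common env that point at the mounted paths. The @@ -229 hunk also ends with `\ No newline at end of file`, worth fixing while that block is being edited. The enclosing `services:` mapping begins before this hunk.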
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "DJANGO_SECRET_KEY"
+file_env "OIDC_RP_CLIENT_SECRET"
+file_env "DJANGO_SUPERUSER_PASSWORD"
+# file_env "MINIO_ROOT_PASSWORD"
+# file_env "COLLABORATION_SERVER_SECRET"
+# file_env "POSTGRES_PASSWORD"
+# file_env "DB_PASSWORD"
+# file_env "AWS_S3_SECRET_ACCESS_KEY"
+
+# Execute the actual command (from command: in compose.yml)
+exec "$@"
+
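Review bot: When neither `DJANGO_SECRET_KEY` nor `DJANGO_SECRET_KEY_FILE` is set, `file_env` exports the empty default and the script continues to `exec "$@"`, so a misconfigured deployment starts with blank values for the secret key, the OIDC client secret and the superuser password instead of failing at boot; after the three `file_env` calls add a fail-fast check for each required value, e.g. `: "${DJANGO_SECRET_KEY:?neither DJANGO_SECRET_KEY nor DJANGO_SECRET_KEY_FILE is set}"`. Setting `entrypoint:` in compose.yml replaces whatever entrypoint the `lasuite/impress-backend` image ships, so if it has one its setup no longer runs; the final line should `exec` that original entrypoint with `"$@"` rather than the bare command, or the comment above it should record that bypassing it is intended. A short header comment would also help, stating that the script resolves each `VAR`/`VAR_FILE` pair into `VAR` (Docker-secret style, with `VAR_FILE` expected to point at a mounted secret) and then hands off to the image command.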