custom entrypoint for secrets

2022-06-01 10:58:57 +02:00 · 2022-06-01 10:58:57 +02:00 · 85a460cf3f
parent 345f35dfee
commit 85a460cf3f
4 changed files with 65 additions and 5 deletions
--- a/.env.sample
+++ b/.env.sample
@ -6,3 +6,9 @@ DOMAIN=seafile.example.com
 #EXTRA_DOMAINS=', `www.seafile.example.com`'

 LETS_ENCRYPT_ENV=production
+
+TIME_ZONE=Etc/UTC
+SEAFILE_ADMIN_EMAIL=me@example.com
+
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_SEAFILE_ADMIN_PASSWORD_VERSION=v1
--- a/abra.sh
+++ b/abra.sh
@ -0,0 +1 @@
+export ENTRYPOINT_VERSION=v1
--- a/compose.yml
+++ b/compose.yml
@ -11,12 +11,20 @@ services:
      - data:/shared
    environment:
      - DB_HOST=db
-      - DB_ROOT_PASSWD=db_dev
-      - TIME_ZONE=Etc/UTC 
-      - SEAFILE_ADMIN_EMAIL=me@example.com
-      - SEAFILE_ADMIN_PASSWORD=asecret
+      - DB_ROOT_PASSWD_FILE=/run/secrets/db_root_password
+      - TIME_ZONE
+      - SEAFILE_ADMIN_EMAIL
+      - SEAFILE_ADMIN_PASSWORD_FILE=/run/secrets/seafile_admin_password
      - SEAFILE_SERVER_LETSENCRYPT=false
      # - SEAFILE_SERVER_HOSTNAME=docs.seafile.com # Specifies your host name if https is enabled.
+    configs:
+      - source: entrypoint
+        target: /scripts/custom-entrypoint.sh
+        mode: 0555
+    secrets:
+      - db_root_password
+      - seafile_admin_password
+    entrypoint: /scripts/custom-entrypoint.sh
    deploy:
      restart_policy:
        condition: on-failure
@ -37,10 +45,12 @@ services:
  db:
    image: mariadb:10.5
    environment:
-      - MYSQL_ROOT_PASSWORD=db_dev
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
      - MYSQL_LOG_CONSOLE=true
    volumes:
      - db:/var/lib/mysql
+    secrets:
+      - db_root_password

  memcached:
    image: memcached:1.6
@ -54,3 +64,17 @@ networks:
  default:
  proxy:
    external: true
+
+configs:
+  entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh
+
+secrets:
+  db_root_password:
+    external: true
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+  seafile_admin_password:
+    external: true
+    name: ${STACK_NAME}_seafile_admin_password_${SECRET_SEAFILE_ADMIN_PASSWORD_VERSION}
+  
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "DB_ROOT_PASSWD"
+file_env "SEAFILE_ADMIN_PASSWORD"
+bash -c "/sbin/my_init -- /scripts/enterpoint.sh"