fixes to secret handling
This commit is contained in:
parent
c15c3ede4c
commit
6e4eeeabc5
@ -24,6 +24,7 @@
|
||||
* Populate SMTP settings by editing env variables that start with `SETTING_EMAIL`.
|
||||
* Add a valid email to `SETTING_ZULIP_ADMINISTRATOR`, this email will get error and support emails.
|
||||
* `abra app deploy <app-name>`
|
||||
> Zulip may takea while to actually become available after abra deems it to have started, please be patient
|
||||
|
||||
|
||||
|
||||
|
||||
2
abra.sh
2
abra.sh
@ -3,5 +3,5 @@ export PG_BACKUP_VERSION=v1
|
||||
export MEM_ENTRYPOINT_VERSION=v1
|
||||
export REDIS_ENTRYPOINT_VERSION=v1
|
||||
export RABBIT_HEALTHCHECK_VERSION=v1
|
||||
export RABBIT_ENTRYPOINT_VERSION=v1
|
||||
export RABBIT_CONFIG_VERSION=v1
|
||||
export REDIS_HEALTHCHECK_VERSION=v1
|
||||
26
compose.yml
26
compose.yml
@ -22,12 +22,12 @@ services:
|
||||
SETTING_REDIS_HOST: "redis"
|
||||
SETTING_EXTERNAL_HOST: ${DOMAIN}
|
||||
ZULIP_AUTH_BACKENDS: "EmailAuthBackend"
|
||||
SECRETS_postgres_password: "/run/secrets/db_password"
|
||||
SECRETS_memcached_password: "/run/secrets/memcached_password"
|
||||
SECRETS_redis_password: "/run/secrets/redis_password"
|
||||
SECRETS_rabbitmq_password: "/run/secrets/rabbitmq_password"
|
||||
SECRETS_email_password: "/run/secrets/smtp_password"
|
||||
SECRETS_secret_key: "/run/secrets/zulip_secret"
|
||||
SECRETS_postgres_password_FILE: "/run/secrets/db_password"
|
||||
SECRETS_memcached_password_FILE: "/run/secrets/memcached_password"
|
||||
SECRETS_redis_password_FILE: "/run/secrets/redis_password"
|
||||
SECRETS_rabbitmq_password_FILE: "/run/secrets/rabbitmq_password"
|
||||
SECRETS_email_password_FILE: "/run/secrets/smtp_password"
|
||||
SECRETS_secret_key_FILE: "/run/secrets/zulip_secret"
|
||||
secrets:
|
||||
- zulip_secret
|
||||
- smtp_password
|
||||
@ -104,13 +104,12 @@ services:
|
||||
image: "rabbitmq:4.0.6"
|
||||
environment:
|
||||
RABBITMQ_DEFAULT_USER: "zulip"
|
||||
RABBITMQ_DEFAULT_PASS_FILE: "/run/secrets/rabbitmq_password"
|
||||
configs:
|
||||
- source: rabbitmq_healthcheck
|
||||
target: /healthcheck.sh
|
||||
mode: 0555
|
||||
- source: rabbitmq_entrypoint
|
||||
target: /custom-entrypoint.sh
|
||||
- source: rabbitmq_config
|
||||
target: /etc/rabbitmq/rabbitmq.conf
|
||||
mode: 0555
|
||||
secrets:
|
||||
- rabbitmq_password
|
||||
@ -134,6 +133,8 @@ services:
|
||||
target: /healthcheck.sh
|
||||
mode: 0555
|
||||
entrypoint: /custom-entrypoint.sh
|
||||
environment:
|
||||
REDIS_PASSWORD_FILE: "/run/secrets/redis_password"
|
||||
secrets:
|
||||
- redis_password
|
||||
command:
|
||||
@ -186,9 +187,10 @@ configs:
|
||||
rabbitmq_healthcheck:
|
||||
name: ${STACK_NAME}_rabbitmq_healthcheck_${RABBIT_HEALTHCHECK_VERSION}
|
||||
file: healthcheck.rabbitmq.sh
|
||||
rabbitmq_entrypoint:
|
||||
name: ${STACK_NAME}_rabbitmq_entrypoint_${RABBIT_ENTRYPOINT_VERSION}
|
||||
file: entrypoint.rabbitmq.sh.tmpl
|
||||
rabbitmq_config:
|
||||
name: ${STACK_NAME}_rabbitmq_config_${RABBIT_CONFIG_VERSION}
|
||||
file: rabbitmq.conf.tmpl
|
||||
template_driver: golang
|
||||
redis_healthcheck:
|
||||
name: ${STACK_NAME}_redis_healthcheck_${REDIS_HEALTHCHECK_VERSION}
|
||||
file: healthcheck.redis.sh
|
||||
|
||||
@ -1,77 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
|
||||
file_env() {
|
||||
local var="$1"
|
||||
local fileVar="${var}_FILE"
|
||||
local def="${2:-}"
|
||||
|
||||
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
|
||||
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
local val="$def"
|
||||
|
||||
if [ "${!var:-}" ]; then
|
||||
val="${!var}"
|
||||
elif [ "${!fileVar:-}" ]; then
|
||||
val="$(<"${!fileVar}")"
|
||||
fi
|
||||
|
||||
export "$var"="$val"
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
file_env "RABBITMQ_DEFAULT_PASS"
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# allow the container to be started with `--user`
|
||||
if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then
|
||||
if [ "$1" = 'rabbitmq-server' ]; then
|
||||
find /var/lib/rabbitmq \! -user rabbitmq -exec chown rabbitmq '{}' +
|
||||
fi
|
||||
|
||||
exec gosu rabbitmq "$BASH_SOURCE" "$@"
|
||||
fi
|
||||
|
||||
deprecatedEnvVars=(
|
||||
RABBITMQ_DEFAULT_PASS_FILE
|
||||
RABBITMQ_DEFAULT_USER_FILE
|
||||
RABBITMQ_MANAGEMENT_SSL_CACERTFILE
|
||||
RABBITMQ_MANAGEMENT_SSL_CERTFILE
|
||||
RABBITMQ_MANAGEMENT_SSL_DEPTH
|
||||
RABBITMQ_MANAGEMENT_SSL_FAIL_IF_NO_PEER_CERT
|
||||
RABBITMQ_MANAGEMENT_SSL_KEYFILE
|
||||
RABBITMQ_MANAGEMENT_SSL_VERIFY
|
||||
RABBITMQ_SSL_CACERTFILE
|
||||
RABBITMQ_SSL_CERTFILE
|
||||
RABBITMQ_SSL_DEPTH
|
||||
RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT
|
||||
RABBITMQ_SSL_KEYFILE
|
||||
RABBITMQ_SSL_VERIFY
|
||||
RABBITMQ_VM_MEMORY_HIGH_WATERMARK
|
||||
)
|
||||
hasOldEnv=
|
||||
for old in "${deprecatedEnvVars[@]}"; do
|
||||
if [ -n "${!old:-}" ]; then
|
||||
echo >&2 "error: $old is set but deprecated"
|
||||
hasOldEnv=1
|
||||
fi
|
||||
done
|
||||
if [ -n "$hasOldEnv" ]; then
|
||||
echo >&2 'error: deprecated environment variables detected'
|
||||
echo >&2
|
||||
echo >&2 'Please use a configuration file instead; visit https://www.rabbitmq.com/configure.html to learn more'
|
||||
echo >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# if long and short hostnames are not the same, use long hostnames
|
||||
if [ -z "${RABBITMQ_USE_LONGNAME:-}" ] && [ "$(hostname)" != "$(hostname -s)" ]; then
|
||||
: "${RABBITMQ_USE_LONGNAME:=true}"
|
||||
fi
|
||||
|
||||
exec "$@"
|
||||
2
rabbitmq.conf.tmpl
Normal file
2
rabbitmq.conf.tmpl
Normal file
@ -0,0 +1,2 @@
|
||||
default_user = zulip
|
||||
default_pass = '{{ secret "rabbitmq_password"}}'
|
||||
Loading…
x
Reference in New Issue
Block a user