fixes to secret handling
This commit is contained in:
parent
c15c3ede4c
commit
6e4eeeabc5
@ -24,6 +24,7 @@
|
|||||||
* Populate SMTP settings by editing env variables that start with `SETTING_EMAIL`.
|
* Populate SMTP settings by editing env variables that start with `SETTING_EMAIL`.
|
||||||
* Add a valid email to `SETTING_ZULIP_ADMINISTRATOR`, this email will get error and support emails.
|
* Add a valid email to `SETTING_ZULIP_ADMINISTRATOR`, this email will get error and support emails.
|
||||||
* `abra app deploy <app-name>`
|
* `abra app deploy <app-name>`
|
||||||
|
> Zulip may takea while to actually become available after abra deems it to have started, please be patient
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2
abra.sh
2
abra.sh
@ -3,5 +3,5 @@ export PG_BACKUP_VERSION=v1
|
|||||||
export MEM_ENTRYPOINT_VERSION=v1
|
export MEM_ENTRYPOINT_VERSION=v1
|
||||||
export REDIS_ENTRYPOINT_VERSION=v1
|
export REDIS_ENTRYPOINT_VERSION=v1
|
||||||
export RABBIT_HEALTHCHECK_VERSION=v1
|
export RABBIT_HEALTHCHECK_VERSION=v1
|
||||||
export RABBIT_ENTRYPOINT_VERSION=v1
|
export RABBIT_CONFIG_VERSION=v1
|
||||||
export REDIS_HEALTHCHECK_VERSION=v1
|
export REDIS_HEALTHCHECK_VERSION=v1
|
26
compose.yml
26
compose.yml
@ -22,12 +22,12 @@ services:
|
|||||||
SETTING_REDIS_HOST: "redis"
|
SETTING_REDIS_HOST: "redis"
|
||||||
SETTING_EXTERNAL_HOST: ${DOMAIN}
|
SETTING_EXTERNAL_HOST: ${DOMAIN}
|
||||||
ZULIP_AUTH_BACKENDS: "EmailAuthBackend"
|
ZULIP_AUTH_BACKENDS: "EmailAuthBackend"
|
||||||
SECRETS_postgres_password: "/run/secrets/db_password"
|
SECRETS_postgres_password_FILE: "/run/secrets/db_password"
|
||||||
SECRETS_memcached_password: "/run/secrets/memcached_password"
|
SECRETS_memcached_password_FILE: "/run/secrets/memcached_password"
|
||||||
SECRETS_redis_password: "/run/secrets/redis_password"
|
SECRETS_redis_password_FILE: "/run/secrets/redis_password"
|
||||||
SECRETS_rabbitmq_password: "/run/secrets/rabbitmq_password"
|
SECRETS_rabbitmq_password_FILE: "/run/secrets/rabbitmq_password"
|
||||||
SECRETS_email_password: "/run/secrets/smtp_password"
|
SECRETS_email_password_FILE: "/run/secrets/smtp_password"
|
||||||
SECRETS_secret_key: "/run/secrets/zulip_secret"
|
SECRETS_secret_key_FILE: "/run/secrets/zulip_secret"
|
||||||
secrets:
|
secrets:
|
||||||
- zulip_secret
|
- zulip_secret
|
||||||
- smtp_password
|
- smtp_password
|
||||||
@ -104,13 +104,12 @@ services:
|
|||||||
image: "rabbitmq:4.0.6"
|
image: "rabbitmq:4.0.6"
|
||||||
environment:
|
environment:
|
||||||
RABBITMQ_DEFAULT_USER: "zulip"
|
RABBITMQ_DEFAULT_USER: "zulip"
|
||||||
RABBITMQ_DEFAULT_PASS_FILE: "/run/secrets/rabbitmq_password"
|
|
||||||
configs:
|
configs:
|
||||||
- source: rabbitmq_healthcheck
|
- source: rabbitmq_healthcheck
|
||||||
target: /healthcheck.sh
|
target: /healthcheck.sh
|
||||||
mode: 0555
|
mode: 0555
|
||||||
- source: rabbitmq_entrypoint
|
- source: rabbitmq_config
|
||||||
target: /custom-entrypoint.sh
|
target: /etc/rabbitmq/rabbitmq.conf
|
||||||
mode: 0555
|
mode: 0555
|
||||||
secrets:
|
secrets:
|
||||||
- rabbitmq_password
|
- rabbitmq_password
|
||||||
@ -134,6 +133,8 @@ services:
|
|||||||
target: /healthcheck.sh
|
target: /healthcheck.sh
|
||||||
mode: 0555
|
mode: 0555
|
||||||
entrypoint: /custom-entrypoint.sh
|
entrypoint: /custom-entrypoint.sh
|
||||||
|
environment:
|
||||||
|
REDIS_PASSWORD_FILE: "/run/secrets/redis_password"
|
||||||
secrets:
|
secrets:
|
||||||
- redis_password
|
- redis_password
|
||||||
command:
|
command:
|
||||||
@ -186,9 +187,10 @@ configs:
|
|||||||
rabbitmq_healthcheck:
|
rabbitmq_healthcheck:
|
||||||
name: ${STACK_NAME}_rabbitmq_healthcheck_${RABBIT_HEALTHCHECK_VERSION}
|
name: ${STACK_NAME}_rabbitmq_healthcheck_${RABBIT_HEALTHCHECK_VERSION}
|
||||||
file: healthcheck.rabbitmq.sh
|
file: healthcheck.rabbitmq.sh
|
||||||
rabbitmq_entrypoint:
|
rabbitmq_config:
|
||||||
name: ${STACK_NAME}_rabbitmq_entrypoint_${RABBIT_ENTRYPOINT_VERSION}
|
name: ${STACK_NAME}_rabbitmq_config_${RABBIT_CONFIG_VERSION}
|
||||||
file: entrypoint.rabbitmq.sh.tmpl
|
file: rabbitmq.conf.tmpl
|
||||||
|
template_driver: golang
|
||||||
redis_healthcheck:
|
redis_healthcheck:
|
||||||
name: ${STACK_NAME}_redis_healthcheck_${REDIS_HEALTHCHECK_VERSION}
|
name: ${STACK_NAME}_redis_healthcheck_${REDIS_HEALTHCHECK_VERSION}
|
||||||
file: healthcheck.redis.sh
|
file: healthcheck.redis.sh
|
||||||
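Review bot: The `rabbitmq_config` entry in the rabbitmq service (hunk `@ -104,13 +104,12 @@`) keeps `mode: 0555` from the entrypoint script it replaces, but its target is now `/etc/rabbitmq/rabbitmq.conf`, a rendered file that contains the plaintext broker password, so it should be neither executable nor world-readable inside the container. Change it to `mode: 0440` and add `uid`/`gid` entries for the account the rabbitmq image runs as (constructed placeholder: `uid: "<rabbitmq-uid>"`, `gid: "<rabbitmq-gid>"` — verify the ids against the image), since the custom entrypoint that used to switch users is removed by this commit. In the first hunk the `SECRETS_*` keys gain a `_FILE` suffix; this only fixes the secret values if the Zulip entrypoint resolves `_FILE` variables to the file contents, which is worth confirming, because otherwise the secret is set to the literal path string, the same defect the old names had.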
|
@ -1,77 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
file_env() {
|
|
||||||
local var="$1"
|
|
||||||
local fileVar="${var}_FILE"
|
|
||||||
local def="${2:-}"
|
|
||||||
|
|
||||||
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
|
|
||||||
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
local val="$def"
|
|
||||||
|
|
||||||
if [ "${!var:-}" ]; then
|
|
||||||
val="${!var}"
|
|
||||||
elif [ "${!fileVar:-}" ]; then
|
|
||||||
val="$(<"${!fileVar}")"
|
|
||||||
fi
|
|
||||||
|
|
||||||
export "$var"="$val"
|
|
||||||
unset "$fileVar"
|
|
||||||
}
|
|
||||||
|
|
||||||
file_env "RABBITMQ_DEFAULT_PASS"
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
# allow the container to be started with `--user`
|
|
||||||
if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then
|
|
||||||
if [ "$1" = 'rabbitmq-server' ]; then
|
|
||||||
find /var/lib/rabbitmq \! -user rabbitmq -exec chown rabbitmq '{}' +
|
|
||||||
fi
|
|
||||||
|
|
||||||
exec gosu rabbitmq "$BASH_SOURCE" "$@"
|
|
||||||
fi
|
|
||||||
|
|
||||||
deprecatedEnvVars=(
|
|
||||||
RABBITMQ_DEFAULT_PASS_FILE
|
|
||||||
RABBITMQ_DEFAULT_USER_FILE
|
|
||||||
RABBITMQ_MANAGEMENT_SSL_CACERTFILE
|
|
||||||
RABBITMQ_MANAGEMENT_SSL_CERTFILE
|
|
||||||
RABBITMQ_MANAGEMENT_SSL_DEPTH
|
|
||||||
RABBITMQ_MANAGEMENT_SSL_FAIL_IF_NO_PEER_CERT
|
|
||||||
RABBITMQ_MANAGEMENT_SSL_KEYFILE
|
|
||||||
RABBITMQ_MANAGEMENT_SSL_VERIFY
|
|
||||||
RABBITMQ_SSL_CACERTFILE
|
|
||||||
RABBITMQ_SSL_CERTFILE
|
|
||||||
RABBITMQ_SSL_DEPTH
|
|
||||||
RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT
|
|
||||||
RABBITMQ_SSL_KEYFILE
|
|
||||||
RABBITMQ_SSL_VERIFY
|
|
||||||
RABBITMQ_VM_MEMORY_HIGH_WATERMARK
|
|
||||||
)
|
|
||||||
hasOldEnv=
|
|
||||||
for old in "${deprecatedEnvVars[@]}"; do
|
|
||||||
if [ -n "${!old:-}" ]; then
|
|
||||||
echo >&2 "error: $old is set but deprecated"
|
|
||||||
hasOldEnv=1
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
if [ -n "$hasOldEnv" ]; then
|
|
||||||
echo >&2 'error: deprecated environment variables detected'
|
|
||||||
echo >&2
|
|
||||||
echo >&2 'Please use a configuration file instead; visit https://www.rabbitmq.com/configure.html to learn more'
|
|
||||||
echo >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# if long and short hostnames are not the same, use long hostnames
|
|
||||||
if [ -z "${RABBITMQ_USE_LONGNAME:-}" ] && [ "$(hostname)" != "$(hostname -s)" ]; then
|
|
||||||
: "${RABBITMQ_USE_LONGNAME:=true}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
exec "$@"
|
|
2
rabbitmq.conf.tmpl
Normal file
2
rabbitmq.conf.tmpl
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
default_user = zulip
|
||||||
|
default_pass = '{{ secret "rabbitmq_password"}}'
|