use recommended script to expose secrets

2025-02-13 00:35:23 -05:00 · 2025-02-13 00:35:23 -05:00 · c15c3ede4c
commit c15c3ede4c
parent c1e94f73f7
5 changed files with 87 additions and 43 deletions
--- a/compose.yml
+++ b/compose.yml
@ -22,6 +22,12 @@ services:
      SETTING_REDIS_HOST: "redis"
      SETTING_EXTERNAL_HOST: ${DOMAIN}
      ZULIP_AUTH_BACKENDS: "EmailAuthBackend"
+      SECRETS_postgres_password: "/run/secrets/db_password"
+      SECRETS_memcached_password: "/run/secrets/memcached_password"
+      SECRETS_redis_password: "/run/secrets/redis_password"
+      SECRETS_rabbitmq_password: "/run/secrets/rabbitmq_password"
+      SECRETS_email_password: "/run/secrets/smtp_password"
+      SECRETS_secret_key: "/run/secrets/zulip_secret"
    secrets:
      - zulip_secret
      - smtp_password
@ -98,6 +104,7 @@ services:
    image: "rabbitmq:4.0.6"
    environment:
      RABBITMQ_DEFAULT_USER: "zulip"
+      RABBITMQ_DEFAULT_PASS_FILE: "/run/secrets/rabbitmq_password"
    configs:
      - source: rabbitmq_healthcheck
        target: /healthcheck.sh
@ -109,6 +116,11 @@ services:
      - rabbitmq_password
    volumes:
      - "rabbitmq:/var/lib/rabbitmq:rw"
+    healthcheck:
+      test: [ "CMD-SHELL", "/healthcheck.sh" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
    networks:
      - internal

--- a/entrypoint.memcached.sh.tmpl
+++ b/entrypoint.memcached.sh.tmpl
@ -3,7 +3,7 @@
 set -e

 if [ -f /run/secrets/memcached_password ]; then
-  export MEMCACHED_PASSWORD=$(cat /run/secrets/memcached_password)
+  export "MEMCACHED_PASSWORD=$(cat /run/secrets/memcached_password)"
 else
  echo "memcached_password not found, skipping."
 fi
--- a/entrypoint.rabbitmq.sh.tmpl
+++ b/entrypoint.rabbitmq.sh.tmpl
@ -1,10 +1,30 @@
 #!/usr/bin/env bash

-if [ -f /run/secrets/rabbitmq_password ]; then
-  export RABBITMQ_DEFAULT_PASS=$(cat /run/secrets/rabbitmq_password)
-else
-  echo "rabbitmq_password not found, skipping."
-fi
+set -e
+
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+
+	local val="$def"
+
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(<"${!fileVar}")"
+	fi
+
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+file_env "RABBITMQ_DEFAULT_PASS"

 set -euo pipefail

@ -54,4 +74,4 @@ if [ -z "${RABBITMQ_USE_LONGNAME:-}" ] && [ "$(hostname)" != "$(hostname -s)" ];
 	: "${RABBITMQ_USE_LONGNAME:=true}"
 fi

-exec "$@"
+exec "$@"
--- a/entrypoint.redis.sh.tmpl
+++ b/entrypoint.redis.sh.tmpl
@ -1,12 +1,30 @@
-#!/bin/sh
+#!/bin/bash

 set -e

-if [ -f /run/secrets/redis_password ]; then
-  export REDIS_PASSWORD=$(cat /run/secrets/redis_password)
-else
-  echo "redis_password not found, skipping."
-fi
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+   local def="${2:-}"
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+
+   local val="$def"
+
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi
+
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+file_env "REDIS_PASSWORD"


 # first arg is `-f` or `--some-option`
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -7,41 +7,35 @@ fi
 set -e
 shopt -s extglob

-if [ -f /run/secrets/db_password ]; then
-  export SECRETS_postgres_password=$(cat /run/secrets/db_password)
-else
-  echo "db_password not found, skipping."
-fi

-if [ -f /run/secrets/memcached_password ]; then
-  export SECRETS_memcached_password=$(cat /run/secrets/memcached_password)
-else
-  echo "memcached_password not found, skipping."
-fi
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+   local def="${2:-}"

-if [ -f /run/secrets/redis_password ]; then
-  export SECRETS_redis_password=$(cat /run/secrets/redis_password)
-else
-  echo "redis_password not found, skipping."
-fi
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi

-if [ -f /run/secrets/rabbitmq_password ]; then
-  export SECRETS_rabbitmq_password=$(cat /run/secrets/rabbitmq_password)
-else
-  echo "rabbitmq_password not found, skipping."
-fi
+   local val="$def"

-if [ -f /run/secrets/smtp_password ]; then
-  export SECRETS_email_password=$(cat /run/secrets/smtp_password)
-else
-  echo "smtp_password not found, skipping."
-fi
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi

-if [ -f /run/secrets/zulip_secret ]; then
-  export SECRETS_secret_key=$(cat /run/secrets/zulip_secret)
-else
-  echo "zulip_secret not found, skipping."
-fi
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+file_env "SECRETS_postgres_password"
+file_env "SECRETS_memcached_password"
+file_env "SECRETS_redis_password"
+file_env "SECRETS_rabbitmq_password"
+file_env "SECRETS_email_password"
+file_env "SECRETS_secret_key"

 # DB aka Database
 DB_HOST="${DB_HOST:-127.0.0.1}"