From c15c3ede4cdd814f3a7c4419667aa266777554b4 Mon Sep 17 00:00:00 2001
From: brooke
Date: Thu, 13 Feb 2025 00:35:23 -0500
Subject: [PATCH] use recommended script to expose secrets

---
 compose.yml | 12 ++++++++
 entrypoint.memcached.sh.tmpl | 2 +-
 entrypoint.rabbitmq.sh.tmpl | 32 +++++++++++++++++----
 entrypoint.redis.sh.tmpl | 30 ++++++++++++++++----
 entrypoint.sh.tmpl | 54 ++++++++++++++++--------------------
 5 files changed, 87 insertions(+), 43 deletions(-)

diff --git a/compose.yml b/compose.yml
index 7815181..fd179ca 100644
--- a/compose.yml
+++ b/compose.yml
@@ -22,6 +22,12 @@ services:
 SETTING_REDIS_HOST: "redis"
 SETTING_EXTERNAL_HOST: ${DOMAIN}
 ZULIP_AUTH_BACKENDS: "EmailAuthBackend"
+ SECRETS_postgres_password: "/run/secrets/db_password"
+ SECRETS_memcached_password: "/run/secrets/memcached_password"
+ SECRETS_redis_password: "/run/secrets/redis_password"
+ SECRETS_rabbitmq_password: "/run/secrets/rabbitmq_password"
+ SECRETS_email_password: "/run/secrets/smtp_password"
+ SECRETS_secret_key: "/run/secrets/zulip_secret"
 secrets:
 - zulip_secret
 - smtp_password
@@ -98,6 +104,7 @@ services:
 image: "rabbitmq:4.0.6"
 environment:
 RABBITMQ_DEFAULT_USER: "zulip"
+ RABBITMQ_DEFAULT_PASS_FILE: "/run/secrets/rabbitmq_password"
 configs:
 - source: rabbitmq_healthcheck
 target: /healthcheck.sh
@@ -109,6 +116,11 @@ services:
 - rabbitmq_password
 volumes:
 - "rabbitmq:/var/lib/rabbitmq:rw"
+ healthcheck:
+ test: [ "CMD-SHELL", "/healthcheck.sh" ]
+ interval: 10s
+ timeout: 5s
+ retries: 5
 networks:
 - internal
 
diff --git a/entrypoint.memcached.sh.tmpl b/entrypoint.memcached.sh.tmpl
index f09f0b1..6636c99 100644
--- a/entrypoint.memcached.sh.tmpl
+++ b/entrypoint.memcached.sh.tmpl
@@ -3,7 +3,7 @@
 set -e
 
 if [ -f /run/secrets/memcached_password ]; then
- export MEMCACHED_PASSWORD=$(cat /run/secrets/memcached_password)
+ export "MEMCACHED_PASSWORD=$(cat /run/secrets/memcached_password)"
 else
 echo "memcached_password not found, skipping."
 fi
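Review bot: The six `SECRETS_*` keys added to the zulip environment hold secret file paths but lack the `_FILE` suffix that `file_env` in entrypoint.sh.tmpl looks up, so `file_env "SECRETS_postgres_password"` finds the variable already set and exports the literal string `/run/secrets/db_password` as the password instead of the file's contents. The rabbitmq service in the next hunk gets this right with `RABBITMQ_DEFAULT_PASS_FILE`; these keys should follow the same pattern, e.g. `SECRETS_postgres_password_FILE: "/run/secrets/db_password"`, and likewise for the other five. The same mismatch is visible from the other side in the entrypoint.sh.tmpl hunk, whose `file_env` calls only read `*_FILE` inputs. No visible hunk sets `REDIS_PASSWORD_FILE` on the redis service either, which `file_env "REDIS_PASSWORD"` in entrypoint.redis.sh.tmpl expects; if that is set outside the shown hunks, this last point can be ignored.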
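Review bot: The new healthcheck executes `/healthcheck.sh` directly, but that file is supplied by the `configs` entry in the preceding hunk, which only shows `source` and `target`; compose mounts configs world-readable (0444) by default, so unless a `mode` is set on lines outside the hunks the check will fail with permission denied and the service never becomes healthy. Invoking it through the shell removes the dependency on the exec bit: `test: ["CMD-SHELL", "sh /healthcheck.sh"]`, which also drops the non-idiomatic padding inside the brackets. A `start_period` is probably worth adding too, since a broker that is still booting will burn through the first of the five retries at a 10 s interval.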
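Review bot: entrypoint.memcached.sh.tmpl is the only entrypoint this commit leaves on the fixed-path `if [ -f /run/secrets/... ]` pattern with the silent "not found, skipping" fallback, while the rabbitmq, redis and zulip entrypoints move to `file_env`. For consistency with the commit's intent this could become `file_env "MEMCACHED_PASSWORD"` with `MEMCACHED_PASSWORD_FILE: "/run/secrets/memcached_password"` in compose.yml. The quoting change itself is sound: it keeps the secret's contents from being field-split or glob-expanded in shells that split assignment arguments to `export`. Whether memcached then starts without authentication when the secret is absent is not visible here and is worth confirming, since the fallback only logs and continues.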
diff --git a/entrypoint.rabbitmq.sh.tmpl b/entrypoint.rabbitmq.sh.tmpl
index 277ed13..38fdcfd 100644
--- a/entrypoint.rabbitmq.sh.tmpl
+++ b/entrypoint.rabbitmq.sh.tmpl
@@ -1,10 +1,30 @@
 #!/usr/bin/env bash
 
-if [ -f /run/secrets/rabbitmq_password ]; then
- export RABBITMQ_DEFAULT_PASS=$(cat /run/secrets/rabbitmq_password)
-else
- echo "rabbitmq_password not found, skipping."
-fi
+set -e
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(<"${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "RABBITMQ_DEFAULT_PASS"
 
 
 set -euo pipefail
@@ -54,4 +74,4 @@ if [ -z "${RABBITMQ_USE_LONGNAME:-}" ] && [ "$(hostname)" != "$(hostname -s)" ];
 : "${RABBITMQ_USE_LONGNAME:=true}"
 fi
 
-exec "$@"
\ No newline at end of file
+exec "$@"
diff --git a/entrypoint.redis.sh.tmpl b/entrypoint.redis.sh.tmpl
index 9e2cf82..e3a6cb8 100644
--- a/entrypoint.redis.sh.tmpl
+++ b/entrypoint.redis.sh.tmpl
@@ -1,12 +1,30 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 
-if [ -f /run/secrets/redis_password ]; then
- export REDIS_PASSWORD=$(cat /run/secrets/redis_password)
-else
- echo "redis_password not found, skipping."
-fi
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "REDIS_PASSWORD"
 
 
 # first arg is `-f` or `--some-option`
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 101179a..653b83d 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
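Review bot: `file_env` exports an empty `RABBITMQ_DEFAULT_PASS` when neither `RABBITMQ_DEFAULT_PASS` nor `RABBITMQ_DEFAULT_PASS_FILE` is set, because `val` falls back to the empty `def` and the `export` is unconditional; the removed code left the variable unset and logged "not found, skipping". For a credential an empty exported value is a worse failure mode than an unset one, and whether the broker then rejects or accepts an empty default password is not something this hunk shows, so the call should refuse to continue: `[ -n "$val" ] || { echo >&2 "error: $var or $fileVar must be set"; exit 1; }` before the `export`, or an explicit default must be passed. The same applies to the identical copies in entrypoint.redis.sh.tmpl and entrypoint.sh.tmpl. The added `set -e` duplicates the existing `set -euo pipefail` four lines later; moving that one line above the function instead keeps a single strictness setting for the whole file.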
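Review bot: The shebang change to `#!/bin/bash` is required rather than cosmetic: `${!var}` indirect expansion and `$(< file)` are bash features that `/bin/sh` (dash or busybox ash) does not provide, so the redis image must actually ship bash — Debian-based `redis` tags do, the `-alpine` variants generally do not. A comment on the shebang line would record that constraint, e.g. `# bash required: file_env relies on ${!var} indirection and $(< file)`. This copy of `file_env` already differs from the rabbitmq one in the whitespace of `$(< "${!fileVar}")`; if the three copies are kept, keeping them byte-identical makes future drift easy to spot with a diff.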
@@ -7,41 +7,35 @@ fi
 set -e
 shopt -s extglob
 
-if [ -f /run/secrets/db_password ]; then
- export SECRETS_postgres_password=$(cat /run/secrets/db_password)
-else
- echo "db_password not found, skipping."
-fi
 
-if [ -f /run/secrets/memcached_password ]; then
- export SECRETS_memcached_password=$(cat /run/secrets/memcached_password)
-else
- echo "memcached_password not found, skipping."
-fi
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
 
-if [ -f /run/secrets/redis_password ]; then
- export SECRETS_redis_password=$(cat /run/secrets/redis_password)
-else
- echo "redis_password not found, skipping."
-fi
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
 
-if [ -f /run/secrets/rabbitmq_password ]; then
- export SECRETS_rabbitmq_password=$(cat /run/secrets/rabbitmq_password)
-else
- echo "rabbitmq_password not found, skipping."
-fi
+ local val="$def"
 
-if [ -f /run/secrets/smtp_password ]; then
- export SECRETS_email_password=$(cat /run/secrets/smtp_password)
-else
- echo "smtp_password not found, skipping."
-fi
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
 
-if [ -f /run/secrets/zulip_secret ]; then
- export SECRETS_secret_key=$(cat /run/secrets/zulip_secret)
-else
- echo "zulip_secret not found, skipping."
-fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "SECRETS_postgres_password"
+file_env "SECRETS_memcached_password"
+file_env "SECRETS_redis_password"
+file_env "SECRETS_rabbitmq_password"
+file_env "SECRETS_email_password"
+file_env "SECRETS_secret_key"
 
 # DB aka Database
 DB_HOST="${DB_HOST:-127.0.0.1}"
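Review bot: `file_env` is now pasted verbatim into three templates (here, entrypoint.rabbitmq.sh.tmpl and entrypoint.redis.sh.tmpl), already with a whitespace divergence in the `$(< ...)` line; a single shared helper script sourced by each entrypoint would keep the copies from drifting. Whichever form stays, the function deserves a header comment because its contract is not obvious from the body: something like `# file_env VAR [DEFAULT]: export VAR from $VAR, else from the file named by $VAR_FILE, else DEFAULT; VAR and VAR_FILE are mutually exclusive and VAR_FILE is unset afterwards.` It is also worth documenting that the file read runs under the `set -e` at the top of this hunk, so a `*_FILE` pointing at a missing or unreadable path now aborts the entrypoint instead of being skipped as the removed code did.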