From 36b8864ca3ce1736bc3e73919fc824581b6a976f Mon Sep 17 00:00:00 2001
From: Anes Belfodil
Date: Wed, 20 Jan 2021 11:27:29 -0500
Subject: [PATCH 1/3] Add docker secret support
---
 README.md | 2 ++
 root/entrypoint.sh | 9 +++++++++
 2 files changed, 11 insertions(+)
diff --git a/README.md b/README.md
index a7b8a77..08fcdad 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,8 @@ Default login is `wallabag:wallabag`.
 - `-e POPULATE_DATABASE=...`(defaults to "True". Does the DB has to be populated or is it an existing one)
 - `-e SYMFONY__ENV__SERVER_NAME=...` (defaults to "Your wallabag instance". Specifies a user-friendly name for the 2FA issuer)
 
+To set any of these environment variables from a file (for instance a Docker Secret), append `__FILE` to the name of the environment variable.
+
 ## SQLite
 
 The easiest way to start wallabag is to use the SQLite backend. You can spin that up with
diff --git a/root/entrypoint.sh b/root/entrypoint.sh
index ccac86e..4815fda 100755
--- a/root/entrypoint.sh
+++ b/root/entrypoint.sh
@@ -1,5 +1,14 @@
 #!/bin/sh
 
+FILE_ENV_VARS="$(env | grep '__FILE=')"
+for env_var in $FILE_ENV_VARS; do
+ var_name="$(echo $env_var | grep -o '.*__FILE=' | sed 's/__FILE=//g')"
+ file_path="$(echo $env_var | grep -o '__FILE=.*' | sed 's/__FILE=//g')"
+ file_content="$(cat $file_path)"
+ new_var="$(echo $var_name=$file_content)"
+ export $(echo $new_var | xargs)
+done
+
 provisioner () {
 echo "Starting provisioner..."
 if ! out=`ansible-playbook -i /etc/ansible/hosts /etc/ansible/entrypoint.yml -c local "$@"`;then
From 1b9008040ed5ae61d0c80589514dff88452cef94 Mon Sep 17 00:00:00 2001
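Review bot: The last added line of the root/entrypoint.sh hunk, `export $(echo $new_var | xargs)`, hands the secret's content to the shell unquoted, so it is word-split, glob-expanded and re-parsed by xargs: a value containing whitespace exports extra bogus names, and a value with an unbalanced quote makes xargs fail and leaves `export` with no arguments, which in POSIX sh prints every exported variable (including secrets already loaded) to stdout and hence to the container log. The same unquoted expansion affects `for env_var in $FILE_ENV_VARS` and `cat $file_path`, so a path or value containing spaces is mis-split before the file is even read. Because the script declares `#!/bin/sh`, a POSIX-only rewrite that iterates over variable names (which cannot contain whitespace) and exports a single quoted word avoids both problems; it presumes `printenv` is present in the image, which should be confirmed. The `provisioner` function that follows the added block continues outside the hunk.
```shell
for var_name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)__FILE=.*/\1/p'); do
  file_path=$(printenv "${var_name}__FILE")
  file_content=$(cat -- "$file_path")
  export "$var_name=$file_content"
done
# … unchanged: provisioner () { … } …
```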
From: Anes Belfodil
Date: Thu, 21 Jan 2021 10:37:43 -0500
Subject: [PATCH 2/3] Test docker secrets
---
 .github/workflows/test.yml | 1 +
 tests/credentials/db_password | 1 +
 tests/credentials/env_secret | 1 +
 tests/credentials/postgres_password | 1 +
 tests/docker-compose.postgresql-secret.yml | 31 ++++++++++++++++++++++
 5 files changed, 35 insertions(+)
 create mode 100644 tests/credentials/db_password
 create mode 100644 tests/credentials/env_secret
 create mode 100644 tests/credentials/postgres_password
 create mode 100644 tests/docker-compose.postgresql-secret.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fdb5d75..a0bfd34 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,6 +21,7 @@ jobs:
 - "sqlite"
 - "mariadb"
 - "postgresql"
+ - "postgresql-secret"
 
 steps:
 - name: "Checkout"
diff --git a/tests/credentials/db_password b/tests/credentials/db_password
new file mode 100644
index 0000000..bfe4329
--- /dev/null
+++ b/tests/credentials/db_password
@@ -0,0 +1 @@
+wallapass
diff --git a/tests/credentials/env_secret b/tests/credentials/env_secret
new file mode 100644
index 0000000..7440e0b
--- /dev/null
+++ b/tests/credentials/env_secret
@@ -0,0 +1 @@
+F00B4R
diff --git a/tests/credentials/postgres_password b/tests/credentials/postgres_password
new file mode 100644
index 0000000..aa3c1b0
--- /dev/null
+++ b/tests/credentials/postgres_password
@@ -0,0 +1 @@
+my-secret-pw
diff --git a/tests/docker-compose.postgresql-secret.yml b/tests/docker-compose.postgresql-secret.yml
new file mode 100644
index 0000000..3d7daf0
--- /dev/null
+++ b/tests/docker-compose.postgresql-secret.yml
@@ -0,0 +1,31 @@
+version: '2'
+services:
+ wallabag:
+ build:
+ context: ../
+ image: wallabag:postgresql
+ container_name: wallabag
+ environment:
+ - POSTGRES_PASSWORD__FILE=/run/secrets/postgres_password
+ - POSTGRES_USER=my-super-user
+ - SYMFONY__ENV__SECRET__FILE=/run/secrets/env_secret
+ - SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
+ - SYMFONY__ENV__DATABASE_HOST=db
+ - SYMFONY__ENV__DATABASE_PORT=5432
+ - SYMFONY__ENV__DATABASE_NAME=wallabag
+ - SYMFONY__ENV__DATABASE_USER=wallabag
+ - SYMFONY__ENV__DATABASE_PASSWORD__FILE=/run/secrets/db_password
+ ports:
+ - "127.0.0.1:80:80"
+ # Docker Secrets require Swarm Mode, so we use volumes instead to spoof the behaviour
+ volumes:
+ - ./credentials/db_password:/run/secrets/db_password
+ - ./credentials/postgres_password:/run/secrets/postgres_password
+ - ./credentials/env_secret:/run/secrets/env_secret
+ db:
+ image: postgres:10.3
+ environment:
+ - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+ - POSTGRES_USER=my-super-user
+ volumes:
+ - ./credentials/postgres_password:/run/secrets/postgres_password
From dfc3a38db12154a3eb21c73da6722b70a41f9681 Mon Sep 17 00:00:00 2001
From: Anes Belfodil
Date: Thu, 21 Jan 2021 10:45:30 -0500
Subject: [PATCH 3/3] Early exit if can't read file
---
 root/entrypoint.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/root/entrypoint.sh b/root/entrypoint.sh
index 4815fda..28c6a69 100755
--- a/root/entrypoint.sh
+++ b/root/entrypoint.sh
@@ -5,6 +5,7 @@ for env_var in $FILE_ENV_VARS; do
 var_name="$(echo $env_var | grep -o '.*__FILE=' | sed 's/__FILE=//g')"
 file_path="$(echo $env_var | grep -o '__FILE=.*' | sed 's/__FILE=//g')"
 file_content="$(cat $file_path)"
+ [[ ! $? -eq 0 ]] && exit 1 # Exit if last command failed
 new_var="$(echo $var_name=$file_content)"
 export $(echo $new_var | xargs)
 done
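Review bot: The bind mounts under `volumes:` for both the wallabag and db services expose the credential files read-write, although the containers only ever read them; appending `:ro`, e.g. `- ./credentials/db_password:/run/secrets/db_password:ro`, makes the fixture match the read-only semantics of the real Docker secrets the comment says it is spoofing and prevents a process in either container from altering the files on the host. The same applies to the other four mounts in this hunk. A one-line comment next to `POSTGRES_PASSWORD__FILE` saying that the double underscore is the wallabag entrypoint's convention, whereas `POSTGRES_PASSWORD_FILE` on the db service is the postgres image's own single-underscore convention, would save readers from assuming one of them is a typo.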
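Review bot: The added line `[[ ! $? -eq 0 ]] && exit 1` in root/entrypoint.sh uses the `[[` keyword, which is not POSIX and is not guaranteed by the `#!/bin/sh` interpreter this script declares (dash rejects it outright, and other minimal shells may or may not accept it depending on how they were built), so the exit check can itself fail or be skipped depending on the base image. In POSIX sh a plain assignment from a command substitution already returns the substitution's status, so the check folds into the previous line: `file_content="$(cat -- "$file_path")" || exit 1`. Exiting without a message also hides which variable was at fault, so consider `{ printf 'cannot read %s for %s\n' "$file_path" "$var_name" >&2; exit 1; }` in place of the bare `exit 1`. The enclosing `for` loop starts above the hunk.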