add docker secrets to s6-overlay

Dockerfile

@@ -8,10 +8,10 @@ WORKDIR /app
 ARG DSMR_VERSION
 ENV DSMR_VERSION=${DSMR_VERSION:-5.0.0}
 
-RUN echo "**** Download DSMR ****" \
-  && apk add --no-cache curl \
-  && curl -SskLf "https://github.com/dsmrreader/dsmr-reader/archive/refs/tags/v${DSMR_VERSION}.tar.gz" | tar xvzf - --strip-components=1 -C /app \
-  && curl -SskLf "https://raw.githubusercontent.com/dsmrreader/dsmr-reader/v5/dsmr_datalogger/scripts/dsmr_datalogger_api_client.py" -o /app/dsmr_datalogger_api_client.py
+RUN echo "**** Download DSMR ****" &&
+  apk add --no-cache curl &&
+  curl -SskLf "https://github.com/dsmrreader/dsmr-reader/archive/refs/tags/v${DSMR_VERSION}.tar.gz" | tar xvzf - --strip-components=1 -C /app &&
+  curl -SskLf "https://raw.githubusercontent.com/dsmrreader/dsmr-reader/v5/dsmr_datalogger/scripts/dsmr_datalogger_api_client.py" -o /app/dsmr_datalogger_api_client.py
 
 #---------------------------------------------------------------------------------------------------------------------------
 # BUILD STEP
@@ -60,72 +60,72 @@ ENV DJANGO_SECRET_KEY=dsmrreader \
 # copy local files
 COPY --from=staging /app /app
 
-RUN echo "**** install runtime packages ****" \
-  && rm -rf /var/cache/apk/* \
-  && rm -rf /tmp/* \
-  && apk --update add --no-cache \
-  bash \
-  curl \
-  coreutils \
-  ca-certificates \
-  shadow \
-  dpkg \
-  jq \
-  nginx \
-  openssl \
-  netcat-openbsd \
-  postgresql16-client \
-  mariadb-connector-c-dev \
-  mariadb-client \
-  libjpeg-turbo \
-  tzdata
-
-RUN echo "**** install s6 overlay ****" \
-  && case "${TARGETARCH}/${TARGETVARIANT}" in \
-  "amd64/")  S6_ARCH=x86_64 ;; \
-  "arm64/")  S6_ARCH=aarch64 ;; \
-  "arm/v7")  S6_ARCH=arm ;; \
-  "arm/v6")  S6_ARCH=armhf ;; \
-  esac \
-  && wget -P /tmp https://github.com/just-containers/s6-overlay/releases/download/v"${S6_VERSION}"/s6-overlay-noarch.tar.xz \
-  && wget -P /tmp https://github.com/just-containers/s6-overlay/releases/download/v"${S6_VERSION}"/s6-overlay-"${S6_ARCH}".tar.xz \
-  && tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz \
-  && tar -C / -Jxpf /tmp/s6-overlay-"${S6_ARCH}".tar.xz \
-  && wget -P /tmp https://github.com/just-containers/s6-overlay/releases/download/v"${S6_VERSION}"/s6-overlay-symlinks-noarch.tar.xz \
-  && tar -C / -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz \
-  && wget -P /tmp https://github.com/just-containers/s6-overlay/releases/download/v"${S6_VERSION}"/s6-overlay-symlinks-arch.tar.xz \
-  && tar -C / -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz \
-  && rm -rf /tmp/s6-overlay-*.tar.xz
-
-RUN echo "**** install build packages ****" \
-  && apk add --no-cache --virtual .build-deps gcc python3-dev musl-dev postgresql-dev build-base mariadb-dev libffi-dev jpeg-dev cargo rust \
-  && echo "**** install pip packages ****" \
-  && python3 -m pip install "cython<3.0.0" --no-cache-dir \
-  && python3 -m pip install -r /app/dsmrreader/provisioning/requirements/base.txt --no-cache-dir \
-  && python3 -m pip install psycopg2 --no-cache-dir \
-  && python3 -m pip install mysqlclient --no-cache-dir \
-  && python3 -m pip install tzupdate --no-cache-dir \
-  && echo "**** create app user and make base folders ****" \
-  && groupmod -g 1000 users \
-  && useradd -u 803 -U -d /config -s /bin/false app \
-  && usermod -G users,dialout,audio app \
-  && mkdir -vp /app /config /defaults \
-  && echo "**** copy default settings dsmr reader ****" \
-  && cp -f /app/dsmrreader/provisioning/django/settings.py.template /app/dsmrreader/settings.py \
-  && echo "**** cleanup package leftovers ****" \
-  && apk --purge del .build-deps \
-  && apk --purge del \
-  && rm -rf /var/cache/apk/* \
-  && rm -rf /tmp/*
-
-RUN echo "**** configure nginx package ****" \
-  && mkdir -vp /run/nginx/ \
-  && mkdir -vp /etc/nginx/http.d \
-  && ln -sf /dev/stdout /var/log/nginx/access.log \
-  && ln -sf /dev/stderr /var/log/nginx/error.log \
-  && rm -f /etc/nginx/http.d/default.conf \
-  && mkdir -vp /var/www/dsmrreader/static \
-  && cp -f /app/dsmrreader/provisioning/nginx/dsmr-webinterface /etc/nginx/http.d/dsmr-webinterface.conf
+RUN echo "**** install runtime packages ****" &&
+  rm -rf /var/cache/apk/* &&
+  rm -rf /tmp/* &&
+  apk --update add --no-cache \
+    bash \
+    curl \
+    coreutils \
+    ca-certificates \
+    shadow \
+    dpkg \
+    jq \
+    nginx \
+    openssl \
+    netcat-openbsd \
+    postgresql16-client \
+    mariadb-connector-c-dev \
+    mariadb-client \
+    libjpeg-turbo \
+    tzdata
+
+RUN echo "**** install s6 overlay ****" &&
+  case "${TARGETARCH}/${TARGETVARIANT}" in
+  "amd64/") S6_ARCH=x86_64 ;;
+  "arm64/") S6_ARCH=aarch64 ;;
+  "arm/v7") S6_ARCH=arm ;;
+  "arm/v6") S6_ARCH=armhf ;;
+  esac &&
+  wget -P /tmp https://github.com/just-containers/s6-overlay/releases/download/v"${S6_VERSION}"/s6-overlay-noarch.tar.xz &&
+  wget -P /tmp https://github.com/just-containers/s6-overlay/releases/download/v"${S6_VERSION}"/s6-overlay-"${S6_ARCH}".tar.xz &&
+  tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz &&
+  tar -C / -Jxpf /tmp/s6-overlay-"${S6_ARCH}".tar.xz &&
+  wget -P /tmp https://github.com/just-containers/s6-overlay/releases/download/v"${S6_VERSION}"/s6-overlay-symlinks-noarch.tar.xz &&
+  tar -C / -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz &&
+  wget -P /tmp https://github.com/just-containers/s6-overlay/releases/download/v"${S6_VERSION}"/s6-overlay-symlinks-arch.tar.xz &&
+  tar -C / -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz &&
+  rm -rf /tmp/s6-overlay-*.tar.xz
+
+RUN echo "**** install build packages ****" &&
+  apk add --no-cache --virtual .build-deps gcc python3-dev musl-dev postgresql-dev build-base mariadb-dev libffi-dev jpeg-dev cargo rust &&
+  echo "**** install pip packages ****" &&
+  python3 -m pip install "cython<3.0.0" --no-cache-dir &&
+  python3 -m pip install -r /app/dsmrreader/provisioning/requirements/base.txt --no-cache-dir &&
+  python3 -m pip install psycopg2 --no-cache-dir &&
+  python3 -m pip install mysqlclient --no-cache-dir &&
+  python3 -m pip install tzupdate --no-cache-dir &&
+  echo "**** create app user and make base folders ****" &&
+  groupmod -g 1000 users &&
+  useradd -u 803 -U -d /config -s /bin/false app &&
+  usermod -G users,dialout,audio app &&
+  mkdir -vp /app /config /defaults &&
+  echo "**** copy default settings dsmr reader ****" &&
+  cp -f /app/dsmrreader/provisioning/django/settings.py.template /app/dsmrreader/settings.py &&
+  echo "**** cleanup package leftovers ****" &&
+  apk --purge del .build-deps &&
+  apk --purge del &&
+  rm -rf /var/cache/apk/* &&
+  rm -rf /tmp/*
+
+RUN echo "**** configure nginx package ****" &&
+  mkdir -vp /run/nginx/ &&
+  mkdir -vp /etc/nginx/http.d &&
+  ln -sf /dev/stdout /var/log/nginx/access.log &&
+  ln -sf /dev/stderr /var/log/nginx/error.log &&
+  rm -f /etc/nginx/http.d/default.conf &&
+  mkdir -vp /var/www/dsmrreader/static &&
+  cp -f /app/dsmrreader/provisioning/nginx/dsmr-webinterface /etc/nginx/http.d/dsmr-webinterface.conf
 
 #---------------------------------------------------------------------------------------------------------------------------
 # FINAL STEP
@@ -141,4 +141,4 @@ HEALTHCHECK --interval=15s --timeout=3s --retries=10 CMD curl -Lsf http://127.0.
 
 WORKDIR /app
 
-ENTRYPOINT ["/docker-entrypoint.sh", "/init"]
+ENTRYPOINT ["/init"]

examples/docker-compose.example.yaml

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   dsmrdb:
-    # When using Postgres, release 13.x, 14.x and 15.x are supported only
+    # When using Postgres, release 13.x, 14.x, 15.x, and 16.x are supported only
     # due to the limited availability of client packages, especially for arm32v7
     image: postgres:16-alpine
     container_name: dsmrdb

examples/docker-compose.secrets-example.yaml

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   dsmrdb:
-    # When using Postgres, release 13.x, 14.x, and 15.x are supported only
+    # When using Postgres, release 13.x, 14.x, 15.x, and 16.x are supported only
     # due to the limited availability of client packages, especially for arm32v7
     image: postgres:16-alpine
     container_name: dsmrdb

rootfs/etc/s6-overlay/s6-rc.d/docker-entrypoint/docker-entrypoint.d/.env-from-docker-secrets

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+# EXPANDING VARIABLES FROM DOCKER SECRETS
+: "${ENV_SECRETS_DIR:=/run/secrets}"
+
+# Function to print debug messages for environment secrets
+env_secret_debug() {
+    if [[ -n "$ENV_SECRETS_DEBUG" ]]; then
+        printf "\033[1m%s\033[0m\n" "$@"
+    fi
+}
+
+# This function populates environment variables from variables containing file paths
+populate_file_variables() {
+    for env_var in $(env | grep '_FILE=' | cut -d '=' -f 1); do
+        var_name="${env_var%_FILE}"         # Remove the '_FILE' suffix
+        file_path=$(eval echo "\$$env_var") # Get the file path from the environment variable
+        if [[ -s "$file_path" ]]; then
+            val=$(cat "$file_path") # Read the file contents into the environment variable
+            export "$var_name"="$val"
+            env_secret_debug "Populated Docker secret variable: $var_name"
+        else
+            env_secret_debug "Docker secret file is empty or does not exist: $file_path"
+        fi
+    done
+}
+
+# This function expands variables from docker secrets
+expand_docker_secrets() {
+    # Using env to avoid issues with variable names containing special characters
+    while IFS='=' read -r env_var var_value; do
+        # Match the pattern directly with Bash regex
+        if [[ "$var_value" =~ DOCKER-SECRET-\>([^}]+)$ ]]; then
+            secret_key="${BASH_REMATCH[1]}"
+            secret="${ENV_SECRETS_DIR}/${secret_key}"
+            if [[ -f "$secret" ]]; then
+                # Read the content of the secret file safely
+                val=$(<"$secret")
+                export "$env_var"="$val" # Set the variable with the secret value
+                env_secret_debug "Expanded Docker secret variable: $env_var"
+            else
+                env_secret_debug "Docker secret file does not exist! $secret"
+            fi
+        fi
+    done < <(env) # Redirect the output of env to the while loop
+}
+
+# Populate environment variables from variables containing file paths
+# Conditionally expand variables from docker secrets
+if [[ -n "$ENV_SECRETS_DIR" ]]; then
+    populate_file_variables
+    expand_docker_secrets
+else
+    env_secret_debug "No Docker secret found in /run/secrets"
+fi
+
+# Execute the command provided as arguments to the script
+exec "$@"

rootfs/etc/s6-overlay/s6-rc.d/docker-entrypoint/run

@@ -332,6 +332,36 @@ function _generate_clientcert_auth_configuration() {
     _info "ENABLE_CLIENTCERT_AUTH is disabled, nothing to see here. Continuing..."
 }
 
+function _docker_secrets {
+    # shellcheck source=/dev/null
+    . /etc/s6-overlay/s6-rc.d/docker-entrypoint.d/.env-from-docker-secrets
+
+    if /usr/bin/find "/etc/s6-overlay/s6-rc.d/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read -r v; then
+        _info "/etc/s6-overlay/s6-rc.d/docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+        _info "Looking for shell scripts in /etc/s6-overlay/s6-rc.d/docker-entrypoint.d/"
+        find "/etc/s6-overlay/s6-rc.d/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+            case "$f" in
+            *.sh)
+                if [ -x "$f" ]; then
+                    _info "Launching Docker secret $f"
+                    "$f"
+                else
+                    # warn on shell scripts without exec bit
+                    _warn "Ignoring Docker secret $f, not executable"
+                fi
+                ;;
+            *) _info "Ignoring Docker secret $f" ;;
+            esac
+        done
+
+        _info "Docker secrets configuration complete; ready for start up..."
+    else
+        _info "No Docker secrets found in /etc/s6-overlay/s6-rc.d/docker-entrypoint.d/, skipping configuration..."
+    fi
+
+}
+
 function _iframe {
     if [[ "${ENABLE_IFRAME}" = true ]]; then
         _info "Enabling IFrame..."
@@ -362,4 +392,5 @@ if [[ "${DSMRREADER_OPERATION_MODE}" != api_client ]]; then
     _generate_auth_configuration
     _dsmr_datalogger_mode
     _optional_settings
+    _docker_secrets
 fi