add an entrypoint script that allows setting secrets from a file; version the upstream containers

2023-04-12 14:25:13 +00:00 · 2021-11-24 22:43:49 -08:00 · 2021-11-24 22:43:49 -08:00 · 844794dbac
commit 844794dbac
parent df889ee2fe
3 changed files with 27 additions and 3 deletions
--- a/10
+++ b/10
@ -1,5 +1,5 @@
 # Build image
-FROM rust:alpine AS chef
+FROM rust:alpine3.14 AS chef

 RUN set -x \
    # Add user
@ -40,7 +40,7 @@ RUN cargo build --release -p lldap \
    && ./app/build.sh

 # Final image
-FROM alpine
+FROM alpine:3.14

 RUN set -x \
    # Add user
@ -54,16 +54,20 @@ RUN set -x \
    # Create the /data folder
    && mkdir /data && chown app:app /data

+RUN apk add --no-cache bash
+
 USER app
 WORKDIR /app

 COPY --chown=app:app --from=builder /app/app/index.html /app/app/main.js app/
 COPY --chown=app:app --from=builder /app/app/pkg app/pkg
 COPY --chown=app:app --from=builder /app/target/release/lldap lldap
+COPY docker-entrypoint.sh .

 ENV LDAP_PORT=3890
 ENV HTTP_PORT=17170

 EXPOSE ${LDAP_PORT} ${HTTP_PORT}

-CMD ["/app/lldap", "run", "--config-file", "/data/lldap_config.toml"]
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
+CMD ["run", "--config-file", "/data/lldap_config.toml"]
--- a/README.md
+++ b/README.md
@ -71,6 +71,8 @@ Configure the server by copying the `lldap_config.docker_template.toml` to
 Environment variables should be prefixed with `LLDAP_` to override the
 configuration.

+Secrets can also be set through a file. The filename should be specified by the variables `LLDAP_JWT_SECRET_FILE` or `LLDAP_USER_PASS_FILE`, and the file contents are loaded into the respective configuration parameters. Note that `_FILE` variables take precedence.
+
 Example for docker compose:

 ```yaml
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+for SECRET in LLDAP_JWT_SECRET LLDAP_LDAP_USER_PASS; do
+    FILE_VAR="${SECRET}_FILE"
+    SECRET_FILE="${!FILE_VAR:-}"
+    if [[ -n "$SECRET_FILE" ]]; then
+        if [[ -f "$SECRET_FILE" ]]; then
+            declare "$SECRET=$(cat $SECRET_FILE)"
+            export "$SECRET"
+            echo "[entrypoint] Set $SECRET from $SECRET_FILE"
+        else
+            echo "[entrypoint] Could not read contents of $SECRET_FILE (specified in $FILE_VAR)" >&2
+        fi
+    fi
+done
+
+exec /app/lldap "$@"