From 8cc5b67262af2b0383f95756edb8b1d67840a8e4 Mon Sep 17 00:00:00 2001
From: vaerh <64400271+vaerh@users.noreply.github.com>
Date: Fri, 14 Oct 2022 14:46:50 +0300
Subject: [PATCH] Update semaphore-wrapper
Using docker secrets to pass sensitive information via "_FILE" variables.
---
 deployment/docker/common/semaphore-wrapper | 32 ++++++++++++++++++----
 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/deployment/docker/common/semaphore-wrapper b/deployment/docker/common/semaphore-wrapper
index 113d880a..016b43a9 100755
--- a/deployment/docker/common/semaphore-wrapper
+++ b/deployment/docker/common/semaphore-wrapper
@@ -4,6 +4,26 @@ set -e
 echoerr() { printf "%s\n" "$*" >&2; }
+file_env() {
+ local var=""
+ local fileVar=""
+ eval var="\$${1}"
+ eval fileVar="\$${1}_FILE"
+ local def="${2:-}"
+ if [ -n "${var:-}" ] && [ -n "${fileVar:-}" ]; then
+ echo >&2 "error: both ${1} and ${1}_FILE are set (but are exclusive)"
+ exit 1
+ fi
+ local val="$def"
+ if [ -n "${var:-}" ]; then
+ val="${var}"
+ elif [ -n "${fileVar:-}" ]; then
+ val="$(cat "${fileVar}")"
+ fi
+ export "${1}"="$val"
+ unset "${1}_FILE"
+}
 SEMAPHORE_CONFIG_PATH="${SEMAPHORE_CONFIG_PATH:-/etc/semaphore}"
 SEMAPHORE_TMP_PATH="${SEMAPHORE_TMP_PATH:-/tmp/semaphore}"
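Review bot: `export "${1}"="$val"` in file_env turns every resolved value into an environment variable, which changes visibility for the second hunk's call sites: `SEMAPHORE_DB_USER`, `SEMAPHORE_DB_PASS`, `SEMAPHORE_ADMIN`, `SEMAPHORE_ADMIN_PASSWORD` and `SEMAPHORE_LDAP_PASSWORD` were plain shell assignments before this change, and only `SEMAPHORE_ACCESS_KEY_ENCRYPTION` (third hunk) was exported, so these secrets are now inherited by whatever the wrapper execs and by its children. If the rest of the wrapper (not in view) only needs them to render the config, assign with `eval "${1}=\$val"` instead and keep an explicit `export SEMAPHORE_ACCESS_KEY_ENCRYPTION` after that one call. A missing or unreadable secret file currently surfaces only as cat's own message from `val="$(cat "${fileVar}")"` before `set -e` stops the script; check it first with `[ -r "${fileVar}" ] || { echoerr "error: cannot read ${1}_FILE (${fileVar})"; exit 1; }`, and use the file's own `echoerr` helper for the exclusivity error as well instead of `echo >&2`. The name in `$1` reaches `eval` unvalidated; the call sites are literals today, but a `case "$1" in *[!A-Za-z0-9_]*) echoerr "error: bad variable name ${1}"; exit 1;; esac` guard would keep the helper safe if a derived name is ever passed.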
@@ -13,22 +33,22 @@ SEMAPHORE_DB_HOST="${SEMAPHORE_DB_HOST:-0.0.0.0}"
 SEMAPHORE_DB_PATH="${SEMAPHORE_DB_PATH:-/var/lib/semaphore}"
 SEMAPHORE_DB_PORT="${SEMAPHORE_DB_PORT:-}"
 SEMAPHORE_DB="${SEMAPHORE_DB:-semaphore}"
-SEMAPHORE_DB_USER="${SEMAPHORE_DB_USER:-semaphore}"
-SEMAPHORE_DB_PASS="${SEMAPHORE_DB_PASS:-semaphore}"
+file_env 'SEMAPHORE_DB_USER' 'semaphore'
+file_env 'SEMAPHORE_DB_PASS' 'semaphore'
 # Email alert env config
 SEMAPHORE_WEB_ROOT="${SEMAPHORE_WEB_ROOT:-}"
 # Semaphore Admin env config
-SEMAPHORE_ADMIN="${SEMAPHORE_ADMIN:-admin}"
+file_env 'SEMAPHORE_ADMIN' 'admin'
 SEMAPHORE_ADMIN_EMAIL="${SEMAPHORE_ADMIN_EMAIL:-admin@localhost}"
 SEMAPHORE_ADMIN_NAME="${SEMAPHORE_ADMIN_NAME:-Semaphore Admin}"
-SEMAPHORE_ADMIN_PASSWORD="${SEMAPHORE_ADMIN_PASSWORD:-semaphorepassword}"
+file_env 'SEMAPHORE_ADMIN_PASSWORD' 'semaphorepassword'
 #Semaphore LDAP env config
 SEMAPHORE_LDAP_ACTIVATED="${SEMAPHORE_LDAP_ACTIVATED:-no}"
 SEMAPHORE_LDAP_HOST="${SEMAPHORE_LDAP_HOST:-}"
 SEMAPHORE_LDAP_PORT="${SEMAPHORE_LDAP_PORT:-}"
 SEMAPHORE_LDAP_NEEDTLS="${SEMAPHORE_LDAP_NEEDTLS:-no}"
 SEMAPHORE_LDAP_DN_BIND="${SEMAPHORE_LDAP_DN_BIND:-}"
-SEMAPHORE_LDAP_PASSWORD="${SEMAPHORE_LDAP_PASSWORD:-}"
+file_env 'SEMAPHORE_LDAP_PASSWORD'
 SEMAPHORE_LDAP_DN_SEARCH="${SEMAPHORE_LDAP_DN_SEARCH:-}"
 SEMAPHORE_LDAP_SEARCH_FILTER="${SEMAPHORE_LDAP_SEARCH_FILTER:-(uid=%s)}"
 SEMAPHORE_LDAP_MAPPING_DN="${SEMAPHORE_LDAP_MAPPING_DN:-dn}"
@@ -36,7 +56,7 @@ SEMAPHORE_LDAP_MAPPING_USERNAME="${SEMAPHORE_LDAP_MAPPING_USERNAME:-uid}"
 SEMAPHORE_LDAP_MAPPING_FULLNAME="${SEMAPHORE_LDAP_MAPPING_FULLNAME:-cn}"
 SEMAPHORE_LDAP_MAPPING_EMAIL="${SEMAPHORE_LDAP_MAPPING_EMAIL:-mail}"
-export SEMAPHORE_ACCESS_KEY_ENCRYPTION="${SEMAPHORE_ACCESS_KEY_ENCRYPTION:-cFcXI5qHzCDqtS4xCnblOACuNu5AmKHkvxK7abwR8Eg=}"
+file_env 'SEMAPHORE_ACCESS_KEY_ENCRYPTION' 'cFcXI5qHzCDqtS4xCnblOACuNu5AmKHkvxK7abwR8Eg='
 [ -d "${SEMAPHORE_TMP_PATH}" ] || mkdir -p "${SEMAPHORE_TMP_PATH}" || {
 echo "Can't create Semaphore tmp path ${SEMAPHORE_TMP_PATH}."
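Review bot: The `_FILE` convention is invisible at the call sites in this hunk — an operator reading `file_env 'SEMAPHORE_DB_PASS' 'semaphore'` gets no hint that `SEMAPHORE_DB_PASS_FILE` is accepted, that setting both is an error, or that the second argument is the fallback when neither is set; the commit message is the only place this is written down. Add a comment above the first `file_env` call here, e.g. `# Sensitive values may be supplied as <VAR>_FILE (path to a mounted secret) instead of <VAR>; setting both is an error, the second argument is the default.` The same applies to the `SEMAPHORE_ACCESS_KEY_ENCRYPTION` call in the third hunk.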