From 573b6440d3aab2f373f57eccc7c9fd2611c64d3d Mon Sep 17 00:00:00 2001
From: pyunramura <35285259+pyunramura@users.noreply.github.com>
Date: Thu, 3 Mar 2022 07:43:14 -0600
Subject: [PATCH 1/2] Add support for consuming docker / kubernetes secrets passed as _FILE environment variables (#136)

* mod: condense Dockerfile
* add: _FILE feature add: list of sensitive env_vars
* mod: sorted env_var list
* add: complete current env_var list
* fix: formatting
* mod: revert Dockerfile to prev. version
* mod: updated comment to be more descriptive mod: rename variables to be more descriptive
* rem: list of env_var; no longer needed. mod: env_file_replace function ^ search for all _FILE variables and replace ^ if the file exists and is not empty mod: env_file_replace comment
Co-authored-by: pyunramura
---
 entrypoint | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/entrypoint b/entrypoint
index 640424c..a7d779f 100644
--- a/entrypoint
+++ b/entrypoint
@@ -4,6 +4,17 @@ set -e
 ssl_dir="/opt/ssl"
 php_dir="/opt/ldap_user_manager"
+env_file_replace() {
+ for env_file in $(env|grep _FILE=); do
+ read -a env <<< "$(echo "$env_file" | sed 's/\(.*\)_FILE=\(.*\)/\1 \2/')"
+ if [ -s "${env[1]}" ]; then
+ echo Setting "${env[0]}" from "${env[1]}"
+ export "${env[0]}"="$(cat "${env[1]}")"
+ else echo "${env[1]} does not exist or is empty. Leaving ${env[0]} unset"
+ fi
+ done
+}
+
 if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME="ldapusermanager.org"; fi if [ ! "$SERVER_PATH" ]; then export SERVER_PATH="/";
@@ -72,7 +83,7 @@ else
 echo "Generating openssl configuration"
- cat <$confout
+ cat <$confout
 subjectAltName = DNS:${SERVER_HOSTNAME},IP:127.0.0.1
 extendedKeyUsage = serverAuth
 EoCertConf 
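Review bot: `for env_file in $(env|grep _FILE=)` in env_file_replace word-splits the `NAME=VALUE` output of `env`, so a referenced path containing whitespace, or any exported value that spans several lines or itself contains `_FILE=`, is mis-parsed before it reaches the `read -a`/`sed` step (which also lacks `read -r`). The function already depends on bash (`read -a`, `<<<`), so it can walk exported variable names with `compgen -e` and fetch the path through `${!var_name}`, dropping the `env | grep | sed` round trip; the sketch below keeps the same messages and the `-s` check. A one-line header comment would also help the next reader, e.g. `# For every exported NAME_FILE=path, export NAME with the file's contents (trailing newlines are stripped by $(...))`. The whole function is inside this hunk.
```shell
env_file_replace() {
  local var_name target file_path
  # Walk exported variable *names* rather than "NAME=VALUE" pairs so that
  # values containing spaces, newlines or "_FILE=" cannot corrupt the parse.
  for var_name in $(compgen -e); do
    [ "${var_name%_FILE}" != "$var_name" ] || continue
    target="${var_name%_FILE}"
    [ -n "$target" ] || continue
    file_path="${!var_name}"
    if [ -s "$file_path" ]; then
      echo Setting "$target" from "$file_path"
      export "$target"="$(cat "$file_path")"
    else echo "$file_path does not exist or is empty. Leaving $target unset"
    fi
  done
}
```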
@@ -145,12 +156,16 @@ fi
 cat /etc/apache2/sites-enabled/lum.conf
+########################
+#If _FILE is set, read and export env_var from the referenced file's contents
+env_file_replace
+
 ########################
 #Run Apache
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
- set -- apache2-foreground "$@"
+ set -- apache2-foreground "$@"
 fi
 exec "$@"

From c8197ef76454dd391c622f713b7d6ca4d87cf9e1 Mon Sep 17 00:00:00 2001
From: Brian Lycett
Date: Thu, 3 Mar 2022 14:32:59 +0000
Subject: [PATCH 2/2] Update the README with information on using _FILE

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index 6bbe249..4f885ac 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,11 @@ Configuration is via environmental variables. Please bear the following in mind
 * This tool needs to bind to LDAP as a user that has the permissions to modify everything under the base DN.
 * This interface is designed to work with a fresh LDAP server and should only be used against existing populated LDAP directories with caution and at your own risk.
+#### Containers: using files/secrets to set configuration variables
+
+When running the user manager as a container you can append `_FILE` to any of the configuration variables and set the value to a filepath. Then when the container starts up it will set the appropriate configuration variable with the contents of the file.
+For example, if you're using Docker Swarm and you've set the LDAP bind password as a Docker secret (`echo "myLDAPadminPassword" | docker secret create ldap_admin_bind_pwd -`) then you can set `LDAP_ADMIN_BIND_PWD_FILE=/run/secrets/ldap_admin_bind_pwd`. This will result in `LDAP_ADMIN_BIND_PWD` being set with the contents of `/run/secrets/ldap_admin_bind_pwd`.
+
 ### Mandatory:
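Review bot: env_file_replace is invoked only at the very end of the entrypoint, after `cat /etc/apache2/sites-enabled/lum.conf`, so variables the script itself consumes earlier — e.g. `SERVER_HOSTNAME`, defaulted in the first hunk and interpolated into the openssl configuration hunk — are never populated from a `*_FILE` path, while the README text in the second patch promises this for "any of the configuration variables". Moving the call up so it runs right after the function definition, i.e. before `if [ ! "$SERVER_HOSTNAME" ]; then ...`, would make the behaviour match the documentation, and the `#If _FILE is set...` comment could then state that the call must precede the default assignments. The `set -- apache2-foreground "$@"` change in this hunk is whitespace only.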