prod without passwords in ENV's

docker/prod/standalone/selfsigned/certs.Dockerfile

@@ -7,12 +7,13 @@ ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
 ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=localhost"
 ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=localhost"
 ENV ADDITIONAL_DNS="dns:localhost,dns:127.0.0.1,dns:seb-server"
-ENV KEYSTORE_PWD=
 
 VOLUME /certs
 WORKDIR /certs
 
-CMD openssl genrsa -out ca-key.pem 2048 \
+CMD secret=$(cat /config/secret) \
+    && echo ${secret} \
+    && openssl genrsa -out ca-key.pem 2048 \
     && openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
     && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \
     && openssl rsa -in server-key.pem -out server-key.pem \
@@ -21,10 +22,10 @@ CMD openssl genrsa -out ca-key.pem 2048 \
     && openssl rsa -in client-key.pem -out client-key.pem \
     && openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
     && openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
-    && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
-    && keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zurich, S=Zurich, C=CH" -ext san="${ADDITIONAL_DNS}" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -validity 3650 \
-    && keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
-    && keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
-    && keytool -import -alias mariadb-ca -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
-    && keytool -import -alias mariadb-client -file client-cert.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
-    && keytool -import -alias mariadb-server -file server-cert.pem -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
+    && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:${secret} \
+    && keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zurich, S=Zurich, C=CH" -ext san="${ADDITIONAL_DNS}" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass ${secret} -validity 3650 \
+    && keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass ${secret} -noprompt \
+    && keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass ${secret} -noprompt \
+    && keytool -import -alias mariadb-ca -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass ${secret} -srcstoretype PKCS12 -noprompt \
+    && keytool -import -alias mariadb-client -file client-cert.pem -keystore seb-server-truststore.pkcs12 -storepass ${secret} -srcstoretype PKCS12 -noprompt \
+    && keytool -import -alias mariadb-server -file server-cert.pem -keystore seb-server-keystore.pkcs12 -storepass ${secret} -srcstoretype PKCS12 -noprompt \

docker/prod/standalone/selfsigned/config/.gitignore

@@ -1 +1,3 @@
 /secrets
+/secret
+/.secret

docker/prod/standalone/selfsigned/docker-compose.yml

@@ -7,8 +7,7 @@ services:
     container_name: gencerts
     volumes:
         - ./certs:/certs
-    env_file:
-        - ./config/secrets
+        - ./config:/config
   
   mariadb: 
     image: "mariadb/server:10.3"
@@ -17,8 +16,8 @@ services:
         - ./config:/etc/mysql/conf.d
         - ./certs:/etc/mysql/certs
         - seb-server-mariadb-data:/var/lib/mysql
-    env_file:
-        - ./config/secrets
+    environment:
+        - MYSQL_ROOT_PASSWORD_FILE=/etc/mysql/conf.d/secret
     ports:
         - 3306:3306
     networks:
@@ -38,8 +37,6 @@ services:
       volumes:
         - ./config:/sebserver/config
         - ./certs:/certs
-      env_file:
-        - ./config/secrets
       environment:
         - ADDITIONAL_DNS=dns:127.0.0.1,dns:seb-server
       ports:

docker/prod/standalone/selfsigned/sebserver.Dockerfile

@@ -21,14 +21,13 @@ FROM openjdk:11-jre-stretch
 
 ARG SEBSERVER_VERSION
 ENV SEBSERVER_VERSION=${SEBSERVER_VERSION}
-ENV KEYSTORE_PWD=
-ENV MYSQL_ROOT_PASSWORD=
-ENV SEBSERVER_PWD=
 
 WORKDIR /sebserver
 COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver
 
-ENTRYPOINT exec java \
+CMD secret=$(cat /sebserver/config/secret) \
+        && echo ${secret} \
+        && exec java \
             -Xms64M \
             -Xmx1G \
 # Set this for SSL debunging
@@ -42,8 +41,8 @@ ENTRYPOINT exec java \
             -jar seb-server-"${SEBSERVER_VERSION}".jar \
             --spring.profiles.active=prod \
             --spring.config.location=file:/sebserver/config/,classpath:/config/ \
-            --sebserver.certs.password="${KEYSTORE_PWD}" \ 
-            --sebserver.mariadb.password="${MYSQL_ROOT_PASSWORD}" \
-            --sebserver.password="${SEBSERVER_PWD}" 
+            --sebserver.certs.password="${secret}" \ 
+            --sebserver.mariadb.password="${secret}" \
+            --sebserver.password="${secret}" 
 
 EXPOSE 443 8080 9090