prod without passwords in ENV's

2019-09-06 11:33:53 +02:00 · 2019-09-06 11:33:53 +02:00 · c98460b3ee
commit c98460b3ee
parent 9bf6033fbd
4 changed files with 21 additions and 22 deletions
--- a/docker/prod/standalone/selfsigned/certs.Dockerfile
+++ b/docker/prod/standalone/selfsigned/certs.Dockerfile
@ -7,12 +7,13 @@ ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
 ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=localhost"
 ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=localhost"
 ENV ADDITIONAL_DNS="dns:localhost,dns:127.0.0.1,dns:seb-server"
 ENV KEYSTORE_PWD=
 VOLUME /certs
 WORKDIR /certs
-CMD openssl genrsa -out ca-key.pem 2048 \
+CMD secret=$(cat /config/secret) \
    && echo ${secret} \
    && openssl genrsa -out ca-key.pem 2048 \
    && openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
    && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \
    && openssl rsa -in server-key.pem -out server-key.pem \
@ -21,10 +22,10 @@ CMD openssl genrsa -out ca-key.pem 2048 \
    && openssl rsa -in client-key.pem -out client-key.pem \
    && openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
    && openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
-    && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
+    && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:${secret} \
-    && keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zurich, S=Zurich, C=CH" -ext san="${ADDITIONAL_DNS}" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -validity 3650 \
+    && keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zurich, S=Zurich, C=CH" -ext san="${ADDITIONAL_DNS}" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass ${secret} -validity 3650 \
-    && keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
+    && keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass ${secret} -noprompt \
-    && keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
+    && keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass ${secret} -noprompt \
-    && keytool -import -alias mariadb-ca -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
+    && keytool -import -alias mariadb-ca -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass ${secret} -srcstoretype PKCS12 -noprompt \
-    && keytool -import -alias mariadb-client -file client-cert.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
+    && keytool -import -alias mariadb-client -file client-cert.pem -keystore seb-server-truststore.pkcs12 -storepass ${secret} -srcstoretype PKCS12 -noprompt \
-    && keytool -import -alias mariadb-server -file server-cert.pem -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
+    && keytool -import -alias mariadb-server -file server-cert.pem -keystore seb-server-keystore.pkcs12 -storepass ${secret} -srcstoretype PKCS12 -noprompt \
--- a/docker/prod/standalone/selfsigned/config/.gitignore
+++ b/docker/prod/standalone/selfsigned/config/.gitignore
@ -1 +1,3 @@
 /secrets
 /secret
 /.secret
--- a/docker/prod/standalone/selfsigned/docker-compose.yml
+++ b/docker/prod/standalone/selfsigned/docker-compose.yml
@ -7,8 +7,7 @@ services:
    container_name: gencerts
    volumes:
        - ./certs:/certs
-    env_file:
+        - ./config:/config
        - ./config/secrets
  mariadb: 
    image: "mariadb/server:10.3"
@ -17,8 +16,8 @@ services:
        - ./config:/etc/mysql/conf.d
        - ./certs:/etc/mysql/certs
        - seb-server-mariadb-data:/var/lib/mysql
-    env_file:
+    environment:
-        - ./config/secrets
+        - MYSQL_ROOT_PASSWORD_FILE=/etc/mysql/conf.d/secret
    ports:
        - 3306:3306
    networks:
@ -38,8 +37,6 @@ services:
      volumes:
        - ./config:/sebserver/config
        - ./certs:/certs
      env_file:
        - ./config/secrets
      environment:
        - ADDITIONAL_DNS=dns:127.0.0.1,dns:seb-server
      ports:
--- a/docker/prod/standalone/selfsigned/sebserver.Dockerfile
+++ b/docker/prod/standalone/selfsigned/sebserver.Dockerfile
@ -21,14 +21,13 @@ FROM openjdk:11-jre-stretch
 ARG SEBSERVER_VERSION
 ENV SEBSERVER_VERSION=${SEBSERVER_VERSION}
 ENV KEYSTORE_PWD=
 ENV MYSQL_ROOT_PASSWORD=
 ENV SEBSERVER_PWD=
 WORKDIR /sebserver
 COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver
-ENTRYPOINT exec java \
+CMD secret=$(cat /sebserver/config/secret) \
        && echo ${secret} \
        && exec java \
            -Xms64M \
            -Xmx1G \
 # Set this for SSL debunging
@ -42,8 +41,8 @@ ENTRYPOINT exec java \
            -jar seb-server-"${SEBSERVER_VERSION}".jar \
            --spring.profiles.active=prod \
            --spring.config.location=file:/sebserver/config/,classpath:/config/ \
-            --sebserver.certs.password="${KEYSTORE_PWD}" \ 
+            --sebserver.certs.password="${secret}" \ 
-            --sebserver.mariadb.password="${MYSQL_ROOT_PASSWORD}" \
+            --sebserver.mariadb.password="${secret}" \
-            --sebserver.password="${SEBSERVER_PWD}" 
+            --sebserver.password="${secret}" 
 EXPOSE 443 8080 9090