Secrets handling via entrypoint

Secrets files handled only in the entrypoint, converted during initial execuition. Solves #1148 Signed-off-by: Matías Pecchia <179218+mabeett@users.noreply.github.com>
2025-07-22 15:18:05 +02:00 · 2024-08-18 22:21:05 +02:00 · 2024-08-18 22:21:05 +02:00 · b617bfc7a0
commit b617bfc7a0
parent f6d767efb1
35 changed files with 196 additions and 231 deletions
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -63,14 +63,16 @@ file_env() {
    local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
    local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
    if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
-        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-        exit 1
+        echo "Warning: both $var and $fileVar are set ($fileVar takes precedence)"
    fi
-    if [ -n "${varValue}" ]; then
-        export "$var"="${varValue}"
-    elif [ -n "${fileVarValue}" ]; then
+    if [ -n "${fileVarValue}" ]; then
+        echo "note: taking ${fileVar} file for ${var} value"
        export "$var"="$(cat "${fileVarValue}")"
+    elif [ -n "${varValue}" ]; then
+        echo "note: using ${var} variable for ${var} value"
+        export "$var"="${varValue}"
    elif [ -n "${def}" ]; then
+        echo "note: using invoked definition for ${var} value"
        export "$var"="$def"
    fi
    unset "$fileVar"
@ -82,6 +84,21 @@ if expr "$1" : "apache" 1>/dev/null; then
    fi
 fi

+# All possible content secrets to variable
+file_env NEXTCLOUD_ADMIN_PASSWORD
+file_env NEXTCLOUD_ADMIN_USER
+file_env MYSQL_DATABASE
+file_env MYSQL_PASSWORD
+file_env MYSQL_USER
+file_env POSTGRES_DB
+file_env POSTGRES_PASSWORD
+file_env POSTGRES_USER
+file_env REDIS_HOST_PASSWORD
+file_env SMTP_PASSWORD
+file_env OBJECTSTORE_S3_KEY
+file_env OBJECTSTORE_S3_SECRET
+file_env OBJECTSTORE_S3_SSE_C_KEY
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    uid="$(id -u)"
    gid="$(id -g)"