Added support for Docker secrets in Standard and alpine image. #15282

Merged
merged 1 commit into from
Aug 16, 2024

Conversation

r-xyz
Contributor

@r-xyz r-xyz commented Aug 13, 2024

Description

#9313 #9331 added a new alpine-FPM image which also adds Docker secrets support. Docker secrets support was never backported to existing Standard and alpine Docker images.
This creates inconsistency.

Note: Additionally, the inconsistency in startup naming and location (/startup.sh, /entrypoint.sh, /usr/local/bin/docker-snipeit-entrypoint) between versions shall be addressed in another PR/commit. The startup script was renamed in #6606, but only for the Standard image.

Fixes #10197

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

  • Reproduce the issue:
    • Create a test folder and create secrets file under secret folder
    • Clone this branch inside test folder
    • Create a base compose file:
```yaml
services:
  snipeit:
    container_name: snipeit
    image: snipe/snipe-it:v7.0.10
#    image: snipe/snipe-it:v7.0.10-alpine
    depends_on:
      snipeit-mysql:
        condition: service_healthy
        restart: true
    #volumes:
    # Mounting the new file for standard image
    #  - "./snipe-it/docker/startup.sh:/startup.sh"
    # Mounting the new file for alpine image
    #  - "./snipe-it/docker/entrypoint_alpine.sh:/entrypoint.sh"

    environment:
      - APP_KEY_FILE=/run/secrets/SNIPEIT_APP_KEY
      - DB_HOST=snipeit-mysql
      - DB_DATABASE_FILE=/run/secrets/SNIPEIT_DB_NAME
      - DB_USERNAME_FILE=/run/secrets/SNIPEIT_DB_USER
      - DB_PASSWORD_FILE=/run/secrets/SNIPEIT_DB_PASSWORD
    secrets:
      - SNIPEIT_APP_KEY
      - SNIPEIT_DB_NAME
      - SNIPEIT_DB_USER
      - SNIPEIT_DB_PASSWORD
    dns:
      - "127.0.0.11"
      - "8.8.8.8"
  snipeit-mysql:
    container_name: snipeit-mysql
    image: mariadb:11
    environment:
      - MYSQL_DATABASE_FILE=/run/secrets/SNIPEIT_DB_NAME
      - MYSQL_USER_FILE=/run/secrets/SNIPEIT_DB_USER
      - MYSQL_PASSWORD_FILE=/run/secrets/SNIPEIT_DB_PASSWORD
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/SNIPEIT_DB_ROOT_PASSWORD
      - MARIADB_ROOT_PASSWORD_FILE=/run/secrets/SNIPEIT_DB_ROOT_PASSWORD
      - MARIADB_AUTO_UPGRADE=1
    healthcheck:
      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
      start_period: 10s
      interval: 10s
      timeout: 5s
      retries: 3
    secrets:
      - SNIPEIT_DB_NAME
      - SNIPEIT_DB_USER
      - SNIPEIT_DB_PASSWORD
      - SNIPEIT_DB_ROOT_PASSWORD
    restart: always
secrets:
  SNIPEIT_APP_KEY:
    file: './secrets/SNIPEIT_APP_KEY.txt'
  SNIPEIT_DB_NAME:
    file: './secrets/SNIPEIT_DB_NAME.txt'
  SNIPEIT_DB_USER:
    file: './secrets/SNIPEIT_DB_USER.txt'
  SNIPEIT_DB_PASSWORD:
    file: './secrets/SNIPEIT_DB_PASSWORD.txt'
  SNIPEIT_DB_ROOT_PASSWORD:
    file: './secrets/SNIPEIT_DB_ROOT_PASSWORD.txt'
```
  • docker compose up --> APP_KEY not defined

  • Repeat changing the alpine image

  • Test the new version

    • Uncomment the relevant volumes lines for each image version in compose.yaml
    • Re-run the tests, and it will work.

Test Configuration:

  • PHP version: Docker image
  • MySQL version 11
  • Webserver version Docker Image
  • OS version Docker images

Checklist:


what-the-diff bot commented Aug 13, 2024

PR Summary

  • Docker Secrets
    This PR adds features to incorporate Docker secrets which provide a secure way to store sensitive data. This has been implemented in the scripts named 'docker/entrypoint_alpine.sh' and 'docker/startup.sh'.

  • Variable Reading Function
    A function 'file_env' has been defined which permits reading of variables directly from predefined files, facilitating easier management of multiple variables.

  • Expanded Variable Compatibility
    An improvement has been made to support reading of values from either environment variables or files for a wider array of variables which includes: APP_KEY, DB_HOST, DB_PORT, DB_DATABASE, DB_USERNAME, DB_PASSWORD, etc. which span across application keys, database details, Redis configuration, and mailing setup.

  • App Key Check
    To ensure the safe and correct functioning of the system, a check was included that verifies if the APP_KEY variable is set correctly. If it is not, an error message will be displayed to prompt the user for remedial action.
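
The `_FILE` lookup and APP_KEY check summarized above, sketched as an added example. It is not the code merged in this PR: only the names `file_env`, `APP_KEY` and the `*_FILE` variables come from the page, while the function bodies, error messages and the `demo` helper are assumptions.

```shell
#!/bin/sh
# Added example of the "_FILE" secrets convention; not Snipe-IT's own script (bodies are assumptions).

# file_env VAR [DEFAULT]: export VAR from $VAR or from the file in $VAR_FILE.
file_env() {
    _name="$1"
    _value="${2:-}"
    # The name goes through eval below, so accept plain identifiers only.
    case "$_name" in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "file_env: invalid variable name" >&2; return 2 ;;
    esac
    eval "_direct=\${${_name}:-}"
    eval "_path=\${${_name}_FILE:-}"
    # Two sources for one secret is ambiguous: refuse rather than pick one.
    if [ -n "$_direct" ] && [ -n "$_path" ]; then
        echo "file_env: both $_name and ${_name}_FILE are set" >&2; return 1
    fi
    if [ -n "$_direct" ]; then
        _value="$_direct"
    elif [ -n "$_path" ]; then
        if [ ! -r "$_path" ]; then
            echo "file_env: cannot read $_path" >&2; return 1
        fi
        # $(...) drops the trailing newline editors append to secret files.
        _value="$(cat "$_path")"
    fi
    export "$_name=$_value"
    unset "${_name}_FILE" _direct _path
}

# Fail early with a clear message instead of starting with an empty key.
require_app_key() {
    if [ -z "${APP_KEY:-}" ]; then
        echo "APP_KEY is not set: provide APP_KEY or APP_KEY_FILE" >&2
        return 1
    fi
}

# Constructed demo: a temp file stands in for /run/secrets/SNIPEIT_APP_KEY.
demo() (
    dir="$(mktemp -d)"
    printf 'base64:constructed-demo-key\n' > "$dir/SNIPEIT_APP_KEY"
    unset APP_KEY
    APP_KEY_FILE="$dir/SNIPEIT_APP_KEY"
    file_env APP_KEY && require_app_key && echo "APP_KEY resolved (${#APP_KEY} chars)"
    rm -rf "$dir"
)
demo
```

When only the `*_FILE` path is configured on the container, `docker inspect` shows that path under `Config.Env` rather than the secret value.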

Owner

snipe commented Aug 14, 2024

Thanks for this!

Owner

snipe commented Aug 14, 2024

Can you retarget to develop though, per the dev documentation?

@r-xyz r-xyz changed the base branch from master to develop August 14, 2024 15:17
@r-xyz r-xyz requested a review from snipe as a code owner August 14, 2024 15:17
Contributor Author

r-xyz commented Aug 14, 2024

Thanks for pointing it out, I missed it. Just rebased, also took the chance to update it.

@snipe snipe merged commit 0a7aaa5 into snipe:develop Aug 16, 2024
8 of 9 checks passed
Successfully merging this pull request may close these issues.

Standard image doesn't support secrets