extending docker-secrets for all components

9f16ac3f · Mussab Abdalla · f9767994 · 9f16ac3f · 9f16ac3f · 9f16ac3f
Commit 9f16ac3f authored 4 years ago by Mussab Abdalla
--- a/README.md
+++ b/README.md
@@ -236,7 +236,7 @@ Select `@timestamp` as time field

 The `SFTP` image allow remote access into 2 logging folders, you can define (edit/add) users, passwords and (UID/GID) in the respictive configuration file ( e.g  *config/vhr_sftp_users.conf* ). 

-The default username is `eox`, once the stack is deployed you can sftp into the logging folders through port 2222 on -if you rn the dev stack- localhost :
+The default username is `eox`, once the stack is deployed you can sftp into the logging folders through port 2222 on -if you are running the dev stack- localhost :

 ```bash
 sftp -P 2222 eox@127.0.0.1

--- a/cache/entrypoint.sh
+++ b/cache/entrypoint.sh
@@ -8,5 +8,31 @@ if [[ ! -z $SERVICES ]] ; then
        wait-for-it -t $TIMEOUT $service
    done
 fi
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {

+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo "Both $var and $fileVar are set (but are exclusive)" >&2
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	cat >> /etc/bash.bashrc <<EOF
+export ${var}=${val}
+EOF
+	echo "the value of variable ${var} is set" >&2
+	unset "$fileVar"
+}
+
+file_env "OS_PASSWORD"
+file_env "OS_PASSWORD_DOWNLOAD"
 eval "$@"
--- a/core/entrypoint.sh
+++ b/core/entrypoint.sh
@@ -20,7 +20,7 @@ file_env() {
 	local fileVar="${var}_FILE"
 	local def="${2:-}"
 	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		echo "Both $var and $fileVar are set (but are exclusive)"
+		echo "Both $var and $fileVar are set (but are exclusive)" >&2
 	fi
 	local val="$def"
 	if [ "${!var:-}" ]; then
@@ -31,7 +31,7 @@ file_env() {
 	cat >> /etc/bash.bashrc <<EOF
 export ${var}=${val}
 EOF
-	echo "the value of variable ${var} is set"
+	echo "the value of variable ${var} is set" >&2
 	unset "$fileVar"
 }


--- a/docker-compose.dem.yml
+++ b/docker-compose.dem.yml
@@ -36,6 +36,8 @@ services:
      - env/dem_db.env
      - env/dem_django.env
      - env/dem_obs.env
+    secrets:
+      - DJANGO_PASSWORD
    environment:
      INSTANCE_ID: "prism-view-server_renderer"
      INSTALL_DIR: "/var/www/pvs/dev/"
@@ -43,6 +45,7 @@ services:
      INIT_SCRIPTS: "/configure.sh /init-db.sh /initialized.sh"
      STARTUP_SCRIPTS: "/wait-initialized.sh"
      WAIT_SERVICES: "database:5432"
+      DJANGO_PASSWORD_FILE: "/run/secrets/DJANGO_PASSWORD"
    configs:
      - source: init-db
        target: /init-db.sh
@@ -61,11 +64,16 @@ services:
      - env/dem.env
      - env/dem_db.env
      - env/dem_obs.env
+    secrets:
+      - OS_PASSWORD
+      - OS_PASSWORD_DOWNLOAD
    environment:
      INSTANCE_ID: "prism-view-server_cache"
      RENDERER_HOST: renderer
      WAIT_SERVICES: "database:5432 renderer:80"
      WAIT_TIMEOUT: 300  # wait up to 5 minutes
+      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
+      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
    deploy:
      replicas: 1
    networks:
@@ -81,10 +89,15 @@ services:
      - env/dem.env
      - env/dem_obs.env
      - env/dem_redis.env
+    secrets:
+      - OS_PASSWORD
+      - OS_PASSWORD_DOWNLOAD
    environment:
      INSTANCE_ID: "prism-view-server_seeder"
      RENDERER_HOST: renderer
      WAIT_SERVICES: "redis:6379 database:5432"
+      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
+      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
    deploy:
      replicas: 0
    networks:
@@ -97,12 +110,17 @@ services:
      - env/dem.env
      - env/dem_obs.env
      - env/dem_redis.env
+    secrets:
+      - OS_PASSWORD
+      - OS_PASSWORD_DOWNLOAD
    environment:
      INSTANCE_ID: "prism-view-server_preprocessor"
      WAIT_SERVICES: "redis:6379"
+      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
+      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
    configs:
      - source: preprocessor-config
-        target: /config.yaml
+        target: /config.yaml      
    deploy:
      replicas: 1
    networks:
@@ -128,7 +146,6 @@ services:
    secrets:
      - OS_PASSWORD
      - OS_PASSWORD_DOWNLOAD
-      - DJANGO_PASSWORD
    environment:
      INSTANCE_ID: "prism-view-server_registrar"
      INSTALL_DIR: "/var/www/pvs/dev/"
@@ -140,7 +157,6 @@ services:
      WAIT_SERVICES: "redis:6379 database:5432"
      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
-      DJANGO_PASSWORD_FILE: "/run/secrets/DJANGO_PASSWORD"
      REPORTING_DIR: '/mnt/reports/'
    configs:
      - source: init-db
@@ -212,3 +228,4 @@ secrets:
    external: true
  DJANGO_PASSWORD:
    external: true
+  
\ No newline at end of file
--- a/docker-compose.emg.yml
+++ b/docker-compose.emg.yml
@@ -36,6 +36,8 @@ services:
      - env/emg_db.env
      - env/emg_django.env
      - env/emg_obs.env
+    secrets:
+      - DJANGO_PASSWORD
    environment:
      INSTANCE_ID: "prism-view-server_renderer"
      INSTALL_DIR: "/var/www/pvs/dev/"
@@ -43,6 +45,7 @@ services:
      INIT_SCRIPTS: "/configure.sh /init-db.sh /initialized.sh"
      STARTUP_SCRIPTS: "/wait-initialized.sh"
      WAIT_SERVICES: "database:5432"
+      DJANGO_PASSWORD_FILE: "/run/secrets/DJANGO_PASSWORD"
    configs:
      - source: init-db
        target: /init-db.sh
@@ -61,11 +64,16 @@ services:
      - env/emg.env
      - env/emg_db.env
      - env/emg_obs.env
+    secrets:
+      - OS_PASSWORD
+      - OS_PASSWORD_DOWNLOAD
    environment:
      INSTANCE_ID: "prism-view-server_cache"
      RENDERER_HOST: renderer
      WAIT_SERVICES: "database:5432 renderer:80"
      WAIT_TIMEOUT: 300  # wait up to 5 minutes
+      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
+      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
    deploy:
      replicas: 1
    networks:
@@ -81,10 +89,15 @@ services:
      - env/emg.env
      - env/emg_obs.env
      - env/emg_redis.env
+    secrets:
+      - OS_PASSWORD
+      - OS_PASSWORD_DOWNLOAD
    environment:
      INSTANCE_ID: "prism-view-server_seeder"
      RENDERER_HOST: renderer
      WAIT_SERVICES: "redis:6379 database:5432"
+      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
+      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
    deploy:
      replicas: 0
    networks:
@@ -107,9 +120,14 @@ services:
      - env/emg.env
      - env/emg_obs.env
      - env/emg_redis.env
+    secrets:
+      - OS_PASSWORD
+      - OS_PASSWORD_DOWNLOAD
    environment:
      INSTANCE_ID: "prism-view-server_preprocessor"
      WAIT_SERVICES: "redis:6379"
+      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
+      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
    configs:
      - source: preprocessor-config
        target: /config.yaml      
@@ -138,7 +156,6 @@ services:
    secrets:
      - OS_PASSWORD
      - OS_PASSWORD_DOWNLOAD
-      - DJANGO_PASSWORD
    environment:
      INSTANCE_ID: "prism-view-server_registrar"
      INSTALL_DIR: "/var/www/pvs/dev/"
@@ -150,7 +167,7 @@ services:
      WAIT_SERVICES: "redis:6379 database:5432"
      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
-      DJANGO_PASSWORD_FILE: "/run/secrets/DJANGO_PASSWORD"
+      
      REPORTING_DIR: '/mnt/reports/'
    configs:
      - source: init-db

--- a/docker-compose.vhr18.yml
+++ b/docker-compose.vhr18.yml
@@ -36,6 +36,8 @@ services:
      - env/vhr18_db.env
      - env/vhr18_django.env
      - env/vhr18_obs.env
+    secrets:
+      - DJANGO_PASSWORD
    environment:
      INSTANCE_ID: "prism-view-server_renderer"
      INSTALL_DIR: "/var/www/pvs/dev/"
@@ -43,6 +45,7 @@ services:
      INIT_SCRIPTS: "/configure.sh /init-db.sh /initialized.sh"
      STARTUP_SCRIPTS: "/wait-initialized.sh"
      WAIT_SERVICES: "database:5432"
+      DJANGO_PASSWORD_FILE: "/run/secrets/DJANGO_PASSWORD"
    configs:
      - source: init-db
        target: /init-db.sh
@@ -61,11 +64,16 @@ services:
      - env/vhr18.env
      - env/vhr18_db.env
      - env/vhr18_obs.env
+    secrets:
+      - OS_PASSWORD
+      - OS_PASSWORD_DOWNLOAD
    environment:
      INSTANCE_ID: "prism-view-server_cache"
      RENDERER_HOST: renderer
      WAIT_SERVICES: "database:5432 renderer:80"
      WAIT_TIMEOUT: 300  # wait up to 5 minutes
+      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
+      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
    deploy:
      replicas: 1
    logging:
@@ -84,10 +92,15 @@ services:
      - env/vhr18.env
      - env/vhr18_obs.env
      - env/vhr18_redis.env
+    secrets:
+      - OS_PASSWORD
+      - OS_PASSWORD_DOWNLOAD
    environment:
      INSTANCE_ID: "prism-view-server_seeder"
      RENDERER_HOST: renderer
      WAIT_SERVICES: "redis:6379 database:5432"
+      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
+      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
    deploy:
      replicas: 0
    networks:
@@ -110,12 +123,17 @@ services:
      - env/vhr18.env
      - env/vhr18_obs.env
      - env/vhr18_redis.env
+    secrets:
+      - OS_PASSWORD
+      - OS_PASSWORD_DOWNLOAD
    environment:
      INSTANCE_ID: "prism-view-server_preprocessor"
      WAIT_SERVICES: "redis:6379"
+      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
+      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
    configs:
      - source: preprocessor-config
-        target: /config.yaml
+        target: /config.yaml      
    deploy:
      replicas: 1
    networks:
@@ -141,7 +159,6 @@ services:
    secrets:
      - OS_PASSWORD
      - OS_PASSWORD_DOWNLOAD
-      - DJANGO_PASSWORD
    environment:
      INSTANCE_ID: "prism-view-server_registrar"
      INSTALL_DIR: "/var/www/pvs/dev/"
@@ -153,7 +170,6 @@ services:
      WAIT_SERVICES: "redis:6379 database:5432"
      OS_PASSWORD_FILE: "/run/secrets/OS_PASSWORD"
      OS_PASSWORD_DOWNLOAD_FILE: "/run/secrets/OS_PASSWORD_DOWNLOAD"
-      DJANGO_PASSWORD_FILE: "/run/secrets/DJANGO_PASSWORD"
      REPORTING_DIR: '/mnt/reports/'
    configs:
      - source: init-db
@@ -184,7 +200,7 @@ services:
      replicas: 1

    ports:
-        - "2222:22"
+      - "2222:22"
  ingestor:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:latest
    deploy:
@@ -219,5 +235,3 @@ secrets:
    external: true
  DJANGO_PASSWORD:
    external: true
-
-
--- a/preprocessor/entrypoint.sh
+++ b/preprocessor/entrypoint.sh
@@ -8,5 +8,32 @@ if [[ ! -z $SERVICES ]] ; then
        wait-for-it -t $TIMEOUT $service
    done
 fi
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo "Both $var and $fileVar are set (but are exclusive)" >&2
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	cat >> /etc/bash.bashrc <<EOF
+export ${var}=${val}
+EOF
+	echo "the value of variable ${var} is set" >&2
+	unset "$fileVar"
+}
+
+file_env "OS_PASSWORD"
+file_env "OS_PASSWORD_DOWNLOAD"

 eval "$@"