From 81f86e3510b1ce21ba1e85fca7c41855e629149d Mon Sep 17 00:00:00 2001
From: Philippe Grassia <philippe.grassia@ligo.org>
Date: Wed, 16 Oct 2019 10:12:37 -0700
Subject: [PATCH] First Commit of using docker secrets

Using docker secrets if present to populate the sensitive environment
variables whose values we do not want in clear text in the repo
amend: fixed typo
---
 docker/entrypoint | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/docker/entrypoint b/docker/entrypoint
index 9d8be7681..efbe06bac 100644
--- a/docker/entrypoint
+++ b/docker/entrypoint
@@ -1,4 +1,33 @@
 #!/bin/bash
 
+
+## PGA: 2019-10-15: use certs from secrets for Shibboleth SP
+SHIB_SP_CERT=/run/secrets/gracedb_ligo_org_saml_cert
+SHIB_SP_KEY=/run/secrets/gracedb_ligo_org_saml_privkey
+if [ -f $SHIB_SP_CERT && -f $SHIB_SP_KEY ]
+then
+	echo "Using Shibboleth Cert from docker secrets over the image one"
+	cp -f $SHIB_SP_CERT /etc/shibboleth/sp-cert.pem
+	cp -f $SHIB_SP_KEY /etc/shibboleth/sp-key.pem
+	chown _shibd:_shibd /etc/shibboleth/sp-{cert,key}.pem
+	chmod 0600 /etc/shibboleth/sp-key.pem
+fi
+
+## PGA 2019-10-16: use secrets for sensitive environment variables
+LIST="aws_ses_access_key_id
+  aws_ses_secret_access_key
+  django_db_password
+  django_secret_key
+  django_twilio_account_sid
+  django_twilio_auth_token
+  lvalert_password"
+
+for SECRET in $LIST
+do
+	VARNAME=$( tr [:lower:] [:upper:] <<<$SECRET)
+	[  -f run/secrets/$SECRET ] && export $VARNAME=\$(< /run/secrets/$SECRET)
+done
+
 export LVALERT_OVERSEER_RESOURCE=${LVALERT_USER}_overseer_$(python  -c 'import uuid; print(uuid.uuid4().hex)')
 exec "$@"
+
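Review bot: The `export` inside the `for SECRET` loop never yields the secret's contents: the escaped `\$(< /run/secrets/$SECRET)` is exported as the literal string `$(< /run/secrets/NAME)`, and the guard tests the relative path `run/secrets/$SECRET`, so the branch is skipped anyway unless the working directory happens to be `/`. The Shibboleth test `if [ -f $SHIB_SP_CERT && -f $SHIB_SP_KEY ]` is broken as well, because `[ ... ]` does not accept `&&` — bash parses it as `[ -f $SHIB_SP_CERT` (missing `]`) followed by a separate `-f ... ]` command, so the cert/key copy never runs. I would change them to `if [[ -f "$SHIB_SP_CERT" && -f "$SHIB_SP_KEY" ]]` and `[[ -f "/run/secrets/$SECRET" ]] && export "$VARNAME=$(< "/run/secrets/$SECRET")"`, and quote the `tr` classes (`tr '[:lower:]' '[:upper:]' <<<"$SECRET"`) so the brackets cannot be expanded as globs against files in the cwd. Because every step here fails silently and the script has no `set -e`, a missing or mis-mounted secret only shows up at the first SAML login or DB connection; an explicit `|| exit 1` on the `cp`/`chown`/`chmod` lines would surface it at container start instead.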
-- 
GitLab