diff --git a/Dockerfile.django-alpine b/Dockerfile.django-alpine
index f777e41722f..10b34a77f24 100644
--- a/Dockerfile.django-alpine
+++ b/Dockerfile.django-alpine
@@ -75,6 +75,7 @@ COPY \
 docker/entrypoint-unit-tests.sh \
 docker/entrypoint-unit-tests-devDocker.sh \
 docker/wait-for-it.sh \
+ docker/secret-file-loader.sh \
 docker/certs/* \
 /
 COPY wsgi.py manage.py docker/unit-tests.sh ./
diff --git a/Dockerfile.django-debian b/Dockerfile.django-debian
index 3a245684aa6..f58f22b5be2 100644
--- a/Dockerfile.django-debian
+++ b/Dockerfile.django-debian
@@ -80,6 +80,7 @@ COPY \
 docker/entrypoint-unit-tests.sh \
 docker/entrypoint-unit-tests-devDocker.sh \
 docker/wait-for-it.sh \
+ docker/secret-file-loader.sh \
 docker/certs/* \
 /
 COPY wsgi.py manage.py docker/unit-tests.sh ./
diff --git a/Dockerfile.integration-tests-debian b/Dockerfile.integration-tests-debian
index d47a4518f9f..04cb7eeaf85 100644
--- a/Dockerfile.integration-tests-debian
+++ b/Dockerfile.integration-tests-debian
@@ -61,6 +61,7 @@ WORKDIR /app
 COPY --from=openapitools /opt/openapi-generator/modules/openapi-generator-cli/target/openapi-generator-cli.jar /usr/local/bin/openapi-generator-cli.jar
 COPY docker/wait-for-it.sh \
+ docker/secret-file-loader.sh \
 docker/entrypoint-integration-tests.sh \
 /
diff --git a/docker/entrypoint-celery-worker.sh b/docker/entrypoint-celery-worker.sh
index 20b439eb2e4..9df9b9815bc 100755
--- a/docker/entrypoint-celery-worker.sh
+++ b/docker/entrypoint-celery-worker.sh
@@ -3,6 +3,8 @@
 umask 0002
 id
+. /secret-file-loader.sh
+
 # Allow for bind-mount multiple settings.py overrides
 FILES=$(ls /app/docker/extra_settings/* 2>/dev/null)
 NUM_FILES=$(echo "$FILES" | wc -w)
diff --git a/docker/entrypoint-initializer.sh b/docker/entrypoint-initializer.sh
index e344fa29496..8246bb7ff18 100755
--- a/docker/entrypoint-initializer.sh
+++ b/docker/entrypoint-initializer.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
+. /secret-file-loader.sh
+
 initialize_data() {
 # Test types shall be initialized every time by the initializer, to make sure test types are complete
diff --git a/docker/entrypoint-integration-tests.sh b/docker/entrypoint-integration-tests.sh
index e76bcac998e..8f18973fa0f 100755
--- a/docker/entrypoint-integration-tests.sh
+++ b/docker/entrypoint-integration-tests.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
+. /secret-file-loader.sh
+
 echo "Testing DefectDojo Service"
 echo "Waiting max 60s for services to start"
diff --git a/docker/entrypoint-unit-tests-devDocker.sh b/docker/entrypoint-unit-tests-devDocker.sh
index 3a5b8b2004e..a922bbe8795 100755
--- a/docker/entrypoint-unit-tests-devDocker.sh
+++ b/docker/entrypoint-unit-tests-devDocker.sh
@@ -6,6 +6,8 @@ set -x
 set -e
 set -v
+. /secret-file-loader.sh
+
 cd /app
 # Unset the database URL so that we can force the DD_TEST_DATABASE_NAME (see django "DATABASES" configuration in settings.dist.py)
 unset DD_DATABASE_URL
diff --git a/docker/entrypoint-unit-tests.sh b/docker/entrypoint-unit-tests.sh
index 63008afcbb7..29a9bcfc960 100755
--- a/docker/entrypoint-unit-tests.sh
+++ b/docker/entrypoint-unit-tests.sh
@@ -6,6 +6,8 @@
 # set -e
 # set -v
+. /secret-file-loader.sh
+
 cd /app
 # Unset the database URL so that we can force the DD_TEST_DATABASE_NAME (see django "DATABASES" configuration in settings.dist.py)
 unset DD_DATABASE_URL
diff --git a/docker/entrypoint-uwsgi-dev.sh b/docker/entrypoint-uwsgi-dev.sh
index 587452cd0f6..b8dd40cb1c4 100755
--- a/docker/entrypoint-uwsgi-dev.sh
+++ b/docker/entrypoint-uwsgi-dev.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
+. /secret-file-loader.sh
+
 cd /app
diff --git a/docker/entrypoint-uwsgi.sh b/docker/entrypoint-uwsgi.sh
index 7caaa912aa2..0645760bcf5 100755
--- a/docker/entrypoint-uwsgi.sh
+++ b/docker/entrypoint-uwsgi.sh
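Review bot: In entrypoint-unit-tests-devDocker.sh the loader is sourced after `set -x` and `set -v`, so the trace prints every command the loader runs with expansions applied — the `export DD_…=<secret contents>` line and the `echo <value>` produced by the `eval echo "\$$VAR_NAME"` check both land in the container's stdout/CI log. Move `. /secret-file-loader.sh` above the `set -x`/`set -v` lines, or bracket it with `set +x; . /secret-file-loader.sh; set -x`, so file-backed secrets are never traced. Worth the same care if tracing is later enabled in the other entrypoints touched by this commit.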
@@ -1,5 +1,7 @@
 #!/bin/sh
+. /secret-file-loader.sh
+
 # Allow for bind-mount multiple settings.py overrides
 FILES=$(ls /app/docker/extra_settings/* 2>/dev/null)
 NUM_FILES=$(echo "$FILES" | wc -w)
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index acd1ff490ff..3f549abe3e9 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
+. /secret-file-loader.sh
+
 # Waits for the database to come up.
 ./docker/wait-for-it.sh $DD_DATABASE_HOST:$DD_DATABASE_PORT
diff --git a/docker/secret-file-loader.sh b/docker/secret-file-loader.sh
new file mode 100644
index 00000000000..157b6512a40
--- /dev/null
+++ b/docker/secret-file-loader.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Convert all environment variables with names ending in _FILE into the content of
+# the file that they point at and use the name without the trailing _FILE.
+# This can be used to carry in Docker secrets.
+# Inspired by https://github.com/grafana/grafana-docker/pull/166
+# But rewrote for /bin/sh
+for VAR_NAME in $(env | grep '^DD_[^=]\+_FILE=.\+' | sed -r "s/([^=]*)_FILE=.*/\1/g"); do
+ VAR_NAME_FILE="$VAR_NAME"_FILE
+ if [ -n "$(eval echo "\$$VAR_NAME")" ]; then
+ echo >&2 "WARNING: Both $VAR_NAME and $VAR_NAME_FILE are set. Content of $VAR_NAME will be overridden."
+ fi
+ echo "Getting secret $VAR_NAME from $(eval echo "\$$VAR_NAME_FILE")"
+ export "$VAR_NAME"="$(cat "$(eval echo "\$$VAR_NAME_FILE")")"
+ unset "$VAR_NAME_FILE"
+done
\ No newline at end of file
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index ec105309fbb..5c275d2eb85 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -16,7 +16,7 @@
 root = environ.Path(__file__) - 3 # Three folders back
 # reference: https://pypi.org/project/django-environ/
-env = environ.Env(
+env = environ.FileAwareEnv(
 # Set casting and default values
 DD_SITE_URL=(str, 'http://localhost:8080'),
 DD_DEBUG=(bool, False),
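Review bot: The loop in secret-file-loader.sh never fails when the secret file cannot be read: `cat` runs inside a command substitution on the right-hand side of `export`, whose exit status is that of `export` itself (0), so a missing or unreadable file silently exports an empty `DD_*` value, unsets the `_FILE` variable and lets the entrypoint carry on — and none of the entrypoints sourcing it in this commit run under `set -e` apart from the devDocker one, which would not catch this either. Two smaller issues in the same lines: the variable name is taken from `env` through `[^=]\+`, which admits any character except `=` into the `eval` calls, and `eval echo "\$$VAR_NAME_FILE"` expands the path unquoted inside the eval (word-splitting, globbing and `echo` option parsing on the value). I would restrict the name to `[A-Za-z0-9_]`, read the path with an `eval` assignment instead of `eval echo`, and check readability and `exit 1` (which aborts the sourcing entrypoint) before touching the variable, roughly as below; `$(cat …)` stripping the trailing newline is the desired behaviour for a one-value secret file and deserves a comment.
```shell
# … unchanged: header comments …
# Only plain identifier characters may reach eval; `[^=]\+` would let anything through.
for VAR_NAME in $(env | grep '^DD_[A-Za-z0-9_]*_FILE=.' | sed -r "s/([^=]*)_FILE=.*/\1/g"); do
    VAR_NAME_FILE="${VAR_NAME}_FILE"
    # An eval'd assignment does not word-split or glob the value the way `eval echo` does.
    eval "SECRET_PATH=\$$VAR_NAME_FILE"
    eval "CURRENT_VALUE=\$$VAR_NAME"
    if [ -n "$CURRENT_VALUE" ]; then
        echo >&2 "WARNING: Both $VAR_NAME and $VAR_NAME_FILE are set. Content of $VAR_NAME will be overridden."
    fi
    if [ ! -r "$SECRET_PATH" ]; then
        # Fail the entrypoint rather than continue with an empty secret.
        echo >&2 "ERROR: $VAR_NAME_FILE points at '$SECRET_PATH', which does not exist or is not readable."
        exit 1
    fi
    echo "Getting secret $VAR_NAME from $SECRET_PATH"
    # The file is expected to hold a single value; $(...) drops the trailing newline.
    export "$VAR_NAME"="$(cat "$SECRET_PATH")"
    unset "$VAR_NAME_FILE" SECRET_PATH CURRENT_VALUE
done
```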
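Review bot: The switch to `environ.FileAwareEnv` gives Django a second resolver for `DD_*_FILE` next to docker/secret-file-loader.sh, and nothing in the hunk says how the two relate; a comment would save the next reader a trip through the entrypoints, e.g. `# FileAwareEnv also honours DD_<NAME>_FILE; inside the containers docker/secret-file-loader.sh has already read the file into DD_<NAME> and unset the _FILE variable, so this matters for runs outside those entrypoints.` (the loader's `unset "$VAR_NAME_FILE"` is what makes that true). `FileAwareEnv` is not present in older django-environ releases and the requirements pin is not in this diff, so please confirm the installed version provides it.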