From d67eb5d8404ec3236215b6e0a5750cf1aadd7c96 Mon Sep 17 00:00:00 2001
From: bryopsida <8363252+bryopsida@users.noreply.github.com>
Date: Sun, 2 Feb 2025 08:25:46 -0600
Subject: [PATCH 1/3] feat(dev/Dockerfile): Add ability to load secrets from files
---
dev/docker-entrypoint.sh | 82 ++++++++++++++++++++++++++++++----------
1 file changed, 63 insertions(+), 19 deletions(-)
diff --git a/dev/docker-entrypoint.sh b/dev/docker-entrypoint.sh
index 7239912..b8aedec 100755
--- a/dev/docker-entrypoint.sh
+++ b/dev/docker-entrypoint.sh
@@ -24,6 +24,41 @@ if [ "$1" = 'couchdb' ]; then set -- /opt/couchdb/bin/couchdb "$@" fi +# This function will populate the admin user in the docker.ini file using the first argument, the second argument is the password. +function set_admin_credentials { + adminUser="$1" + adminPassword="$2" + # Create admin only if not already present + if ! grep -Pzoqr "\[admins\]\n$adminUser =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[admins]\n%s = %s\n" "$adminUser" "$adminPassword" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the chttpd_auth secret in the docker.ini file using the first argument. +function set_http_secret { + chttpSecret="$1" + if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[chttpd_auth]\nsecret = %s\n" "$chttpSecret" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the erlang cookie in the .erlang.cookie file using the first argument. +function set_erlang_cookie { + erlangCookie="$1" + cookieFile='/opt/couchdb/.erlang.cookie' + if [ -e "$cookieFile" ]; then + if [ "$(cat "$cookieFile" 2>/dev/null)" != "$erlangCookie" ]; then + echo >&2 + echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE" + echo >&2 + fi + else + echo "$erlangCookie" > "$cookieFile" + fi + chown couchdb:couchdb "$cookieFile" + chmod 600 "$cookieFile" +} + if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then # Check that we own everything in /opt/couchdb and fix if necessary. We also # add the `-f` flag in all the following invocations because there may be 
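Review bot: In `set_admin_credentials`, `$adminUser` is interpolated unescaped into the `grep -P` pattern, so a user name containing regex metacharacters (a `.` or `+`, say) can match a different existing `[admins]` entry and skip creating the admin, or fail to match its own entry and append a duplicate section on every start. The removed inline code had the same pattern, but the name can now also come from a mounted file, so quoting it literally is worth doing here: `grep -Pzoqr "\[admins\]\n\Q$adminUser\E ="`. The same helper is added to every other docker-entrypoint.sh in this series (3.4.2, 2.3.1, 2.3.1-ubi, 3.1.2, 3.1.2-ubi, 3.1.2-ubi-clouseau, 3.2.3, 3.3.3, 3.4.1). The helpers also assign `adminUser`, `adminPassword`, `chttpSecret`, `erlangCookie` and `cookieFile` as globals; declaring them with `local` would keep the secret values scoped to the function.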
@@ -56,32 +91,41 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then touch /opt/couchdb/etc/local.d/docker.ini if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then - # Create admin only if not already present - if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_admin_credentials "$COUCHDB_USER" "$COUCHDB_PASSWORD" + elif [ "$COUCHDB_USER_FILE" ] && [ "$COUCHDB_PASSWORD_FILE" ]; then + if [ -f "$COUCHDB_USER_FILE" ] && [ -f "$COUCHDB_PASSWORD_FILE" ]; then + adminUser=$(<"$COUCHDB_USER_FILE") + adminPassword=$(<"$COUCHDB_PASSWORD_FILE") + set_admin_credentials "$adminUser" "$adminPassword" + else + echo "ERROR: COUCHDB_USER_FILE or COUCHDB_PASSWORD_FILE does not exist." >&2 + exit 1 + fi fi if [ "$COUCHDB_SECRET" ]; then # Set secret only if not already present - if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[chttpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_http_secret "$COUCHDB_SECRET" + elif [ "$COUCHDB_SECRET_FILE" ]; then + if [ -f "$COUCHDB_SECRET_FILE" ]; then + chttpSecret=$(<"$COUCHDB_SECRET_FILE") + set_http_secret "$chttpSecret" + else + echo "ERROR: COUCHDB_SECRET_FILE does not exist." 
>&2 + exit 1 + fi fi if [ "$COUCHDB_ERLANG_COOKIE" ]; then - cookieFile='/opt/couchdb/.erlang.cookie' - if [ -e "$cookieFile" ]; then - if [ "$(cat "$cookieFile" 2>/dev/null)" != "$COUCHDB_ERLANG_COOKIE" ]; then - echo >&2 - echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE" - echo >&2 - fi - else - echo "$COUCHDB_ERLANG_COOKIE" > "$cookieFile" - fi - chown couchdb:couchdb "$cookieFile" - chmod 600 "$cookieFile" + set_erlang_cookie "$COUCHDB_ERLANG_COOKIE" + elif [ "$COUCHDB_ERLANG_COOKIE_FILE" ]; then + if [ -f "$COUCHDB_ERLANG_COOKIE_FILE" ]; then + erlangCookie=$(<"$COUCHDB_ERLANG_COOKIE_FILE") + set_erlang_cookie "$erlangCookie" + else + echo "ERROR: COUCHDB_ERLANG_COOKIE_FILE does not exist." >&2 + exit 1 + fi fi chown -f couchdb:couchdb /opt/couchdb/etc/local.d/docker.ini || true From f109da3bc305aaa6c6352e482dc41d3f5fd852a1 Mon Sep 17 00:00:00 2001 From: bryopsida <8363252+bryopsida@users.noreply.github.com> Date: Sun, 2 Feb 2025 09:28:03 -0600 Subject: [PATCH 2/3] feat(3.4.2/docker-entrypoint.sh): Add ability to provide secrets via files --- 3.4.2/docker-entrypoint.sh | 82 +++++++++++++++++++++++++++++--------- README.md | 13 ++++++ 2 files changed, 76 insertions(+), 19 deletions(-) diff --git a/3.4.2/docker-entrypoint.sh b/3.4.2/docker-entrypoint.sh index a8544c7..c771302 100755 --- a/3.4.2/docker-entrypoint.sh +++ b/3.4.2/docker-entrypoint.sh 
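Review bot: In dev/docker-entrypoint.sh the new `*_FILE` branches test only `-f`, so an empty secret file produces an empty string that is passed straight to `set_admin_credentials`, `set_http_secret` or `set_erlang_cookie`, which would then write an `[admins]` entry with an empty name or password, an empty `secret =`, or an empty cookie. A non-empty check after each read would fail closed, for example `[ -n "$adminPassword" ] || { echo "ERROR: COUCHDB_PASSWORD_FILE is empty." >&2; exit 1; }`. Separately, when only one of `COUCHDB_USER_FILE`/`COUCHDB_PASSWORD_FILE` is set, or a `_FILE` variable is paired with the plain variable of the other half, both conditions are false and the block is skipped without a message; an explicit error there would avoid a container that starts without the intended admin. The enclosing `if [ "$1" = '/opt/couchdb/bin/couchdb' ]` block starts and ends outside the hunk, and the same branches are repeated in the second hunk of every other entrypoint in this series.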
@@ -24,6 +24,41 @@ if [ "$1" = 'couchdb' ]; then set -- /opt/couchdb/bin/couchdb "$@" fi +# This function will populate the admin user in the docker.ini file using the first argument, the second argument is the password. +function set_admin_credentials { + adminUser="$1" + adminPassword="$2" + # Create admin only if not already present + if ! grep -Pzoqr "\[admins\]\n$adminUser =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[admins]\n%s = %s\n" "$adminUser" "$adminPassword" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the chttpd_auth secret in the docker.ini file using the first argument. +function set_http_secret { + chttpSecret="$1" + if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[chttpd_auth]\nsecret = %s\n" "$chttpSecret" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the erlang cookie in the .erlang.cookie file using the first argument. +function set_erlang_cookie { + erlangCookie="$1" + cookieFile='/opt/couchdb/.erlang.cookie' + if [ -e "$cookieFile" ]; then + if [ "$(cat "$cookieFile" 2>/dev/null)" != "$erlangCookie" ]; then + echo >&2 + echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE" + echo >&2 + fi + else + echo "$erlangCookie" > "$cookieFile" + fi + chown couchdb:couchdb "$cookieFile" + chmod 600 "$cookieFile" +} + if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then # this is where runtime configuration changes will be written. # we need to explicitly touch it here in case /opt/couchdb/etc has 
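Review bot: In `set_erlang_cookie` the cookie is written with `echo "$erlangCookie" > "$cookieFile"` and only afterwards restricted by `chmod 600`, so the file is first created with whatever the process umask allows. The Erlang cookie is the shared secret between nodes, so creating it already restricted is cheap: `( umask 077; printf '%s\n' "$erlangCookie" > "$cookieFile" )`, which also avoids `echo` swallowing a value that begins with `-n` or `-e`. The warning text still names `COUCHDB_ERLANG_COOKIE` even when the value came from `COUCHDB_ERLANG_COOKIE_FILE`; wording such as `"warning: $cookieFile contents do not match the configured Erlang cookie"` would cover both sources. The same function is added in the dev, 3.2.3, 3.3.3 and 3.4.1 entrypoints.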
@@ -64,32 +99,41 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then fi if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then - # Create admin only if not already present - if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_admin_credentials "$COUCHDB_USER" "$COUCHDB_PASSWORD" + elif [ "$COUCHDB_USER_FILE" ] && [ "$COUCHDB_PASSWORD_FILE" ]; then + if [ -f "$COUCHDB_USER_FILE" ] && [ -f "$COUCHDB_PASSWORD_FILE" ]; then + adminUser=$(<"$COUCHDB_USER_FILE") + adminPassword=$(<"$COUCHDB_PASSWORD_FILE") + set_admin_credentials "$adminUser" "$adminPassword" + else + echo "ERROR: COUCHDB_USER_FILE or COUCHDB_PASSWORD_FILE does not exist." >&2 + exit 1 + fi fi if [ "$COUCHDB_SECRET" ]; then # Set secret only if not already present - if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[chttpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_http_secret "$COUCHDB_SECRET" + elif [ "$COUCHDB_SECRET_FILE" ]; then + if [ -f "$COUCHDB_SECRET_FILE" ]; then + chttpSecret=$(<"$COUCHDB_SECRET_FILE") + set_http_secret "$chttpSecret" + else + echo "ERROR: COUCHDB_SECRET_FILE does not exist." 
>&2 + exit 1 + fi fi if [ "$COUCHDB_ERLANG_COOKIE" ]; then - cookieFile='/opt/couchdb/.erlang.cookie' - if [ -e "$cookieFile" ]; then - if [ "$(cat "$cookieFile" 2>/dev/null)" != "$COUCHDB_ERLANG_COOKIE" ]; then - echo >&2 - echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE" - echo >&2 - fi - else - echo "$COUCHDB_ERLANG_COOKIE" > "$cookieFile" - fi - chown couchdb:couchdb "$cookieFile" - chmod 600 "$cookieFile" + set_erlang_cookie "$COUCHDB_ERLANG_COOKIE" + elif [ "$COUCHDB_ERLANG_COOKIE_FILE" ]; then + if [ -f "$COUCHDB_ERLANG_COOKIE_FILE" ]; then + erlangCookie=$(<"$COUCHDB_ERLANG_COOKIE_FILE") + set_erlang_cookie "$erlangCookie" + else + echo "ERROR: COUCHDB_ERLANG_COOKIE_FILE does not exist." >&2 + exit 1 + fi fi if [ "$(id -u)" = '0' ]; then diff --git a/README.md b/README.md index 7af8459..0667253 100644 --- a/README.md +++ b/README.md 
@@ -158,6 +158,19 @@ You can use the two environment variables `COUCHDB_USER` and `COUCHDB_PASSWORD` $ docker run -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password -d %%IMAGE%% ``` +You may also use `COUCHDB_USER_FILE` and `COUCHDB_PASSWORD_FILE`, each value holding a path to a file containing the value to use. You can see an example of how to do so with docker below. This typically would be used if you have a orchestrator with a secrets manager that projects secrets as files into the container. + +```console +$ printf "admin" > ./admin-username.secret +$ printf "password" > ./admin-password.secret +$ docker run \ + -e COUCHDB_USER_FILE=/var/run/secrets/admin-username \ + -e COUCHDB_PASSWORD_FILE=/var/run/secrets/admin-password \ + -v ./admin-username.secret:/var/run/secrets/admin-username:ro \ + -v ./admin-password.secret:/var/run/secrets/admin-password:ro \ + -d %%IMAGE%% +``` + Note that if you are setting up a clustered CouchDB, you will want to pre-hash this password and use the identical hashed text across all nodes to ensure sessions work correctly when a load balancer is placed in front of the cluster. Hashing can be accomplished by running the container with the `/opt/couchdb/etc/local.d` directory mounted as a volume, allowing CouchDB to hash the password you set, then copying out the hashed version and using this value in the future. ## Using a persistent CouchDB configuration file From 115bba595a4cc604fa466281319202573530817a Mon Sep 17 00:00:00 2001 
From: bryopsida <8363252+bryopsida@users.noreply.github.com> Date: Sun, 2 Feb 2025 11:18:13 -0600 Subject: [PATCH 3/3] feat(docker-entrypoint.sh): Add ability to provide secrets from files --- 2.3.1-ubi/resources/docker-entrypoint.sh | 44 ++++++++-- 2.3.1/docker-entrypoint.sh | 44 ++++++++-- .../resources/docker-entrypoint.sh | 44 ++++++++-- 3.1.2-ubi/resources/docker-entrypoint.sh | 44 ++++++++-- 3.1.2/docker-entrypoint.sh | 44 ++++++++-- 3.2.3/docker-entrypoint.sh | 82 ++++++++++++++----- 3.3.3/docker-entrypoint.sh | 82 ++++++++++++++----- 3.4.1/docker-entrypoint.sh | 82 ++++++++++++++----- 8 files changed, 374 insertions(+), 92 deletions(-) diff --git a/2.3.1-ubi/resources/docker-entrypoint.sh b/2.3.1-ubi/resources/docker-entrypoint.sh index abb1233..a2ac0b0 100755 --- a/2.3.1-ubi/resources/docker-entrypoint.sh +++ b/2.3.1-ubi/resources/docker-entrypoint.sh @@ -24,6 +24,24 @@ if [ "$1" = 'couchdb' ]; then set -- /opt/couchdb/bin/couchdb "$@" fi +# This function will populate the admin user in the docker.ini file using the first argument, the second argument is the password. +function set_admin_credentials { + adminUser="$1" + adminPassword="$2" + # Create admin only if not already present + if ! grep -Pzoqr "\[admins\]\n$adminUser =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[admins]\n%s = %s\n" "$adminUser" "$adminPassword" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the chttpd_auth secret in the docker.ini file using the first argument. +function set_http_secret { + chttpSecret="$1" + if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[chttpd_auth]\nsecret = %s\n" "$chttpSecret" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then # this is where runtime configuration changes will be written. # we need to explicitly touch it here in case /opt/couchdb/etc has 
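Review bot: `set_http_secret` in 2.3.1-ubi/resources/docker-entrypoint.sh checks and writes the `[chttpd_auth]` section, while the lines this patch removes in the file's next hunk used `[couch_httpd_auth]`. That silently changes where `COUCHDB_SECRET` lands for this release; if CouchDB 2.3.1 reads the cookie secret only from `[couch_httpd_auth]`, as the old entrypoint suggests, the configured secret stops taking effect, which would presumably break session sharing across cluster nodes. Unless the rename is intended, keep the old section name in these files: `grep -Pzoqr "\[couch_httpd_auth\]\nsecret ="` and `printf "\n[couch_httpd_auth]\nsecret = %s\n" "$chttpSecret"`, and adjust the comment above the function to match. The same applies to 2.3.1, 3.1.2, 3.1.2-ubi and 3.1.2-ubi-clouseau, whose removed lines also show `[couch_httpd_auth]`. In the three -ubi files the helpers additionally start searching /opt/couchdb/etc/local.ini, which the removed lines did not.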
@@ -64,17 +82,29 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then fi if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then - # Create admin only if not already present - if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then - printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_admin_credentials "$COUCHDB_USER" "$COUCHDB_PASSWORD" + elif [ "$COUCHDB_USER_FILE" ] && [ "$COUCHDB_PASSWORD_FILE" ]; then + if [ -f "$COUCHDB_USER_FILE" ] && [ -f "$COUCHDB_PASSWORD_FILE" ]; then + adminUser=$(<"$COUCHDB_USER_FILE") + adminPassword=$(<"$COUCHDB_PASSWORD_FILE") + set_admin_credentials "$adminUser" "$adminPassword" + else + echo "ERROR: COUCHDB_USER_FILE or COUCHDB_PASSWORD_FILE does not exist." >&2 + exit 1 + fi fi if [ "$COUCHDB_SECRET" ]; then # Set secret only if not already present - if ! grep -Pzoqr "\[couch_httpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini; then - printf "\n[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_http_secret "$COUCHDB_SECRET" + elif [ "$COUCHDB_SECRET_FILE" ]; then + if [ -f "$COUCHDB_SECRET_FILE" ]; then + chttpSecret=$(<"$COUCHDB_SECRET_FILE") + set_http_secret "$chttpSecret" + else + echo "ERROR: COUCHDB_SECRET_FILE does not exist." >&2 + exit 1 + fi fi if [ "$(id -u)" = '0' ]; then diff --git a/2.3.1/docker-entrypoint.sh b/2.3.1/docker-entrypoint.sh index 6e0e2c1..146732b 100755 --- a/2.3.1/docker-entrypoint.sh +++ b/2.3.1/docker-entrypoint.sh 
@@ -24,6 +24,24 @@ if [ "$1" = 'couchdb' ]; then set -- /opt/couchdb/bin/couchdb "$@" fi +# This function will populate the admin user in the docker.ini file using the first argument, the second argument is the password. +function set_admin_credentials { + adminUser="$1" + adminPassword="$2" + # Create admin only if not already present + if ! grep -Pzoqr "\[admins\]\n$adminUser =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[admins]\n%s = %s\n" "$adminUser" "$adminPassword" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the chttpd_auth secret in the docker.ini file using the first argument. +function set_http_secret { + chttpSecret="$1" + if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[chttpd_auth]\nsecret = %s\n" "$chttpSecret" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then # this is where runtime configuration changes will be written. # we need to explicitly touch it here in case /opt/couchdb/etc has 
@@ -64,17 +82,29 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then fi if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then - # Create admin only if not already present - if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_admin_credentials "$COUCHDB_USER" "$COUCHDB_PASSWORD" + elif [ "$COUCHDB_USER_FILE" ] && [ "$COUCHDB_PASSWORD_FILE" ]; then + if [ -f "$COUCHDB_USER_FILE" ] && [ -f "$COUCHDB_PASSWORD_FILE" ]; then + adminUser=$(<"$COUCHDB_USER_FILE") + adminPassword=$(<"$COUCHDB_PASSWORD_FILE") + set_admin_credentials "$adminUser" "$adminPassword" + else + echo "ERROR: COUCHDB_USER_FILE or COUCHDB_PASSWORD_FILE does not exist." >&2 + exit 1 + fi fi if [ "$COUCHDB_SECRET" ]; then # Set secret only if not already present - if ! grep -Pzoqr "\[couch_httpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_http_secret "$COUCHDB_SECRET" + elif [ "$COUCHDB_SECRET_FILE" ]; then + if [ -f "$COUCHDB_SECRET_FILE" ]; then + chttpSecret=$(<"$COUCHDB_SECRET_FILE") + set_http_secret "$chttpSecret" + else + echo "ERROR: COUCHDB_SECRET_FILE does not exist." >&2 + exit 1 + fi fi if [ "$(id -u)" = '0' ]; then diff --git a/3.1.2-ubi-clouseau/resources/docker-entrypoint.sh b/3.1.2-ubi-clouseau/resources/docker-entrypoint.sh index 094a8f9..6609a66 100755 --- a/3.1.2-ubi-clouseau/resources/docker-entrypoint.sh +++ b/3.1.2-ubi-clouseau/resources/docker-entrypoint.sh 
@@ -23,6 +23,24 @@ if [ "$1" = 'couchdb' ]; then set -- /opt/couchdb/bin/couchdb "$@" fi +# This function will populate the admin user in the docker.ini file using the first argument, the second argument is the password. +function set_admin_credentials { + adminUser="$1" + adminPassword="$2" + # Create admin only if not already present + if ! grep -Pzoqr "\[admins\]\n$adminUser =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[admins]\n%s = %s\n" "$adminUser" "$adminPassword" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the chttpd_auth secret in the docker.ini file using the first argument. +function set_http_secret { + chttpSecret="$1" + if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[chttpd_auth]\nsecret = %s\n" "$chttpSecret" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then # this is where runtime configuration changes will be written. # we need to explicitly touch it here in case /opt/couchdb/etc has 
@@ -93,17 +111,29 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then fi if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then - # Create admin only if not already present - if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then - printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_admin_credentials "$COUCHDB_USER" "$COUCHDB_PASSWORD" + elif [ "$COUCHDB_USER_FILE" ] && [ "$COUCHDB_PASSWORD_FILE" ]; then + if [ -f "$COUCHDB_USER_FILE" ] && [ -f "$COUCHDB_PASSWORD_FILE" ]; then + adminUser=$(<"$COUCHDB_USER_FILE") + adminPassword=$(<"$COUCHDB_PASSWORD_FILE") + set_admin_credentials "$adminUser" "$adminPassword" + else + echo "ERROR: COUCHDB_USER_FILE or COUCHDB_PASSWORD_FILE does not exist." >&2 + exit 1 + fi fi if [ "$COUCHDB_SECRET" ]; then # Set secret only if not already present - if ! grep -Pzoqr "\[couch_httpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini; then - printf "\n[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_http_secret "$COUCHDB_SECRET" + elif [ "$COUCHDB_SECRET_FILE" ]; then + if [ -f "$COUCHDB_SECRET_FILE" ]; then + chttpSecret=$(<"$COUCHDB_SECRET_FILE") + set_http_secret "$chttpSecret" + else + echo "ERROR: COUCHDB_SECRET_FILE does not exist." >&2 + exit 1 + fi fi if [ "$(id -u)" = '0' ]; then diff --git a/3.1.2-ubi/resources/docker-entrypoint.sh b/3.1.2-ubi/resources/docker-entrypoint.sh index 9479dc2..3c3e358 100755 --- a/3.1.2-ubi/resources/docker-entrypoint.sh +++ b/3.1.2-ubi/resources/docker-entrypoint.sh 
@@ -23,6 +23,24 @@ if [ "$1" = 'couchdb' ]; then set -- /opt/couchdb/bin/couchdb "$@" fi +# This function will populate the admin user in the docker.ini file using the first argument, the second argument is the password. +function set_admin_credentials { + adminUser="$1" + adminPassword="$2" + # Create admin only if not already present + if ! grep -Pzoqr "\[admins\]\n$adminUser =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[admins]\n%s = %s\n" "$adminUser" "$adminPassword" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the chttpd_auth secret in the docker.ini file using the first argument. +function set_http_secret { + chttpSecret="$1" + if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[chttpd_auth]\nsecret = %s\n" "$chttpSecret" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then # this is where runtime configuration changes will be written. # we need to explicitly touch it here in case /opt/couchdb/etc has 
@@ -63,17 +81,29 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then fi if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then - # Create admin only if not already present - if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then - printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_admin_credentials "$COUCHDB_USER" "$COUCHDB_PASSWORD" + elif [ "$COUCHDB_USER_FILE" ] && [ "$COUCHDB_PASSWORD_FILE" ]; then + if [ -f "$COUCHDB_USER_FILE" ] && [ -f "$COUCHDB_PASSWORD_FILE" ]; then + adminUser=$(<"$COUCHDB_USER_FILE") + adminPassword=$(<"$COUCHDB_PASSWORD_FILE") + set_admin_credentials "$adminUser" "$adminPassword" + else + echo "ERROR: COUCHDB_USER_FILE or COUCHDB_PASSWORD_FILE does not exist." >&2 + exit 1 + fi fi if [ "$COUCHDB_SECRET" ]; then # Set secret only if not already present - if ! grep -Pzoqr "\[couch_httpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini; then - printf "\n[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_http_secret "$COUCHDB_SECRET" + elif [ "$COUCHDB_SECRET_FILE" ]; then + if [ -f "$COUCHDB_SECRET_FILE" ]; then + chttpSecret=$(<"$COUCHDB_SECRET_FILE") + set_http_secret "$chttpSecret" + else + echo "ERROR: COUCHDB_SECRET_FILE does not exist." >&2 + exit 1 + fi fi if [ "$(id -u)" = '0' ]; then diff --git a/3.1.2/docker-entrypoint.sh b/3.1.2/docker-entrypoint.sh index acf3675..89c6e96 100755 --- a/3.1.2/docker-entrypoint.sh +++ b/3.1.2/docker-entrypoint.sh 
@@ -24,6 +24,24 @@ if [ "$1" = 'couchdb' ]; then set -- /opt/couchdb/bin/couchdb "$@" fi +# This function will populate the admin user in the docker.ini file using the first argument, the second argument is the password. +function set_admin_credentials { + adminUser="$1" + adminPassword="$2" + # Create admin only if not already present + if ! grep -Pzoqr "\[admins\]\n$adminUser =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[admins]\n%s = %s\n" "$adminUser" "$adminPassword" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the chttpd_auth secret in the docker.ini file using the first argument. +function set_http_secret { + chttpSecret="$1" + if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[chttpd_auth]\nsecret = %s\n" "$chttpSecret" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then # this is where runtime configuration changes will be written. # we need to explicitly touch it here in case /opt/couchdb/etc has 
@@ -64,17 +82,29 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then fi if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then - # Create admin only if not already present - if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_admin_credentials "$COUCHDB_USER" "$COUCHDB_PASSWORD" + elif [ "$COUCHDB_USER_FILE" ] && [ "$COUCHDB_PASSWORD_FILE" ]; then + if [ -f "$COUCHDB_USER_FILE" ] && [ -f "$COUCHDB_PASSWORD_FILE" ]; then + adminUser=$(<"$COUCHDB_USER_FILE") + adminPassword=$(<"$COUCHDB_PASSWORD_FILE") + set_admin_credentials "$adminUser" "$adminPassword" + else + echo "ERROR: COUCHDB_USER_FILE or COUCHDB_PASSWORD_FILE does not exist." >&2 + exit 1 + fi fi if [ "$COUCHDB_SECRET" ]; then # Set secret only if not already present - if ! grep -Pzoqr "\[couch_httpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[couch_httpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_http_secret "$COUCHDB_SECRET" + elif [ "$COUCHDB_SECRET_FILE" ]; then + if [ -f "$COUCHDB_SECRET_FILE" ]; then + chttpSecret=$(<"$COUCHDB_SECRET_FILE") + set_http_secret "$chttpSecret" + else + echo "ERROR: COUCHDB_SECRET_FILE does not exist." >&2 + exit 1 + fi fi if [ "$(id -u)" = '0' ]; then diff --git a/3.2.3/docker-entrypoint.sh b/3.2.3/docker-entrypoint.sh index a8544c7..c771302 100755 --- a/3.2.3/docker-entrypoint.sh +++ b/3.2.3/docker-entrypoint.sh 
@@ -24,6 +24,41 @@ if [ "$1" = 'couchdb' ]; then set -- /opt/couchdb/bin/couchdb "$@" fi +# This function will populate the admin user in the docker.ini file using the first argument, the second argument is the password. +function set_admin_credentials { + adminUser="$1" + adminPassword="$2" + # Create admin only if not already present + if ! grep -Pzoqr "\[admins\]\n$adminUser =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[admins]\n%s = %s\n" "$adminUser" "$adminPassword" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the chttpd_auth secret in the docker.ini file using the first argument. +function set_http_secret { + chttpSecret="$1" + if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[chttpd_auth]\nsecret = %s\n" "$chttpSecret" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the erlang cookie in the .erlang.cookie file using the first argument. +function set_erlang_cookie { + erlangCookie="$1" + cookieFile='/opt/couchdb/.erlang.cookie' + if [ -e "$cookieFile" ]; then + if [ "$(cat "$cookieFile" 2>/dev/null)" != "$erlangCookie" ]; then + echo >&2 + echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE" + echo >&2 + fi + else + echo "$erlangCookie" > "$cookieFile" + fi + chown couchdb:couchdb "$cookieFile" + chmod 600 "$cookieFile" +} + if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then # this is where runtime configuration changes will be written. # we need to explicitly touch it here in case /opt/couchdb/etc has 
@@ -64,32 +99,41 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then fi if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then - # Create admin only if not already present - if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_admin_credentials "$COUCHDB_USER" "$COUCHDB_PASSWORD" + elif [ "$COUCHDB_USER_FILE" ] && [ "$COUCHDB_PASSWORD_FILE" ]; then + if [ -f "$COUCHDB_USER_FILE" ] && [ -f "$COUCHDB_PASSWORD_FILE" ]; then + adminUser=$(<"$COUCHDB_USER_FILE") + adminPassword=$(<"$COUCHDB_PASSWORD_FILE") + set_admin_credentials "$adminUser" "$adminPassword" + else + echo "ERROR: COUCHDB_USER_FILE or COUCHDB_PASSWORD_FILE does not exist." >&2 + exit 1 + fi fi if [ "$COUCHDB_SECRET" ]; then # Set secret only if not already present - if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[chttpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_http_secret "$COUCHDB_SECRET" + elif [ "$COUCHDB_SECRET_FILE" ]; then + if [ -f "$COUCHDB_SECRET_FILE" ]; then + chttpSecret=$(<"$COUCHDB_SECRET_FILE") + set_http_secret "$chttpSecret" + else + echo "ERROR: COUCHDB_SECRET_FILE does not exist." 
>&2 + exit 1 + fi fi if [ "$COUCHDB_ERLANG_COOKIE" ]; then - cookieFile='/opt/couchdb/.erlang.cookie' - if [ -e "$cookieFile" ]; then - if [ "$(cat "$cookieFile" 2>/dev/null)" != "$COUCHDB_ERLANG_COOKIE" ]; then - echo >&2 - echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE" - echo >&2 - fi - else - echo "$COUCHDB_ERLANG_COOKIE" > "$cookieFile" - fi - chown couchdb:couchdb "$cookieFile" - chmod 600 "$cookieFile" + set_erlang_cookie "$COUCHDB_ERLANG_COOKIE" + elif [ "$COUCHDB_ERLANG_COOKIE_FILE" ]; then + if [ -f "$COUCHDB_ERLANG_COOKIE_FILE" ]; then + erlangCookie=$(<"$COUCHDB_ERLANG_COOKIE_FILE") + set_erlang_cookie "$erlangCookie" + else + echo "ERROR: COUCHDB_ERLANG_COOKIE_FILE does not exist." >&2 + exit 1 + fi fi if [ "$(id -u)" = '0' ]; then diff --git a/3.3.3/docker-entrypoint.sh b/3.3.3/docker-entrypoint.sh index a8544c7..c771302 100755 --- a/3.3.3/docker-entrypoint.sh +++ b/3.3.3/docker-entrypoint.sh 
@@ -24,6 +24,41 @@ if [ "$1" = 'couchdb' ]; then set -- /opt/couchdb/bin/couchdb "$@" fi +# This function will populate the admin user in the docker.ini file using the first argument, the second argument is the password. +function set_admin_credentials { + adminUser="$1" + adminPassword="$2" + # Create admin only if not already present + if ! grep -Pzoqr "\[admins\]\n$adminUser =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[admins]\n%s = %s\n" "$adminUser" "$adminPassword" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the chttpd_auth secret in the docker.ini file using the first argument. +function set_http_secret { + chttpSecret="$1" + if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then + printf "\n[chttpd_auth]\nsecret = %s\n" "$chttpSecret" >> /opt/couchdb/etc/local.d/docker.ini + fi +} + +# This function populates the erlang cookie in the .erlang.cookie file using the first argument. +function set_erlang_cookie { + erlangCookie="$1" + cookieFile='/opt/couchdb/.erlang.cookie' + if [ -e "$cookieFile" ]; then + if [ "$(cat "$cookieFile" 2>/dev/null)" != "$erlangCookie" ]; then + echo >&2 + echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE" + echo >&2 + fi + else + echo "$erlangCookie" > "$cookieFile" + fi + chown couchdb:couchdb "$cookieFile" + chmod 600 "$cookieFile" +} + if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then # this is where runtime configuration changes will be written. # we need to explicitly touch it here in case /opt/couchdb/etc has 
@@ -64,32 +99,41 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then fi if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then - # Create admin only if not already present - if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_admin_credentials "$COUCHDB_USER" "$COUCHDB_PASSWORD" + elif [ "$COUCHDB_USER_FILE" ] && [ "$COUCHDB_PASSWORD_FILE" ]; then + if [ -f "$COUCHDB_USER_FILE" ] && [ -f "$COUCHDB_PASSWORD_FILE" ]; then + adminUser=$(<"$COUCHDB_USER_FILE") + adminPassword=$(<"$COUCHDB_PASSWORD_FILE") + set_admin_credentials "$adminUser" "$adminPassword" + else + echo "ERROR: COUCHDB_USER_FILE or COUCHDB_PASSWORD_FILE does not exist." >&2 + exit 1 + fi fi if [ "$COUCHDB_SECRET" ]; then # Set secret only if not already present - if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then - printf "\n[chttpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini - fi + set_http_secret "$COUCHDB_SECRET" + elif [ "$COUCHDB_SECRET_FILE" ]; then + if [ -f "$COUCHDB_SECRET_FILE" ]; then + chttpSecret=$(<"$COUCHDB_SECRET_FILE") + set_http_secret "$chttpSecret" + else + echo "ERROR: COUCHDB_SECRET_FILE does not exist." 
>&2 + exit 1 + fi fi if [ "$COUCHDB_ERLANG_COOKIE" ]; then - cookieFile='/opt/couchdb/.erlang.cookie' - if [ -e "$cookieFile" ]; then - if [ "$(cat "$cookieFile" 2>/dev/null)" != "$COUCHDB_ERLANG_COOKIE" ]; then - echo >&2 - echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE" - echo >&2 - fi - else - echo "$COUCHDB_ERLANG_COOKIE" > "$cookieFile" - fi - chown couchdb:couchdb "$cookieFile" - chmod 600 "$cookieFile" + set_erlang_cookie "$COUCHDB_ERLANG_COOKIE" + elif [ "$COUCHDB_ERLANG_COOKIE_FILE" ]; then + if [ -f "$COUCHDB_ERLANG_COOKIE_FILE" ]; then + erlangCookie=$(<"$COUCHDB_ERLANG_COOKIE_FILE") + set_erlang_cookie "$erlangCookie" + else + echo "ERROR: COUCHDB_ERLANG_COOKIE_FILE does not exist." >&2 + exit 1 + fi fi if [ "$(id -u)" = '0' ]; then diff --git a/3.4.1/docker-entrypoint.sh b/3.4.1/docker-entrypoint.sh index a8544c7..c771302 100755 --- a/3.4.1/docker-entrypoint.sh +++ b/3.4.1/docker-entrypoint.sh 
@@ -24,6 +24,41 @@ if [ "$1" = 'couchdb' ]; then
 set -- /opt/couchdb/bin/couchdb "$@"
 fi
 
+# This function will populate the admin user in the docker.ini file using the first argument, the second argument is the password.
+function set_admin_credentials {
+ adminUser="$1"
+ adminPassword="$2"
+ # Create admin only if not already present
+ if ! grep -Pzoqr "\[admins\]\n$adminUser =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then
+ printf "\n[admins]\n%s = %s\n" "$adminUser" "$adminPassword" >> /opt/couchdb/etc/local.d/docker.ini
+ fi
+}
+
+# This function populates the chttpd_auth secret in the docker.ini file using the first argument.
+function set_http_secret {
+ chttpSecret="$1"
+ if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then
+ printf "\n[chttpd_auth]\nsecret = %s\n" "$chttpSecret" >> /opt/couchdb/etc/local.d/docker.ini
+ fi
+}
+
+# This function populates the erlang cookie in the .erlang.cookie file using the first argument.
+function set_erlang_cookie {
+ erlangCookie="$1"
+ cookieFile='/opt/couchdb/.erlang.cookie'
+ if [ -e "$cookieFile" ]; then
+ if [ "$(cat "$cookieFile" 2>/dev/null)" != "$erlangCookie" ]; then
+ echo >&2
+ echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE"
+ echo >&2
+ fi
+ else
+ echo "$erlangCookie" > "$cookieFile"
+ fi
+ chown couchdb:couchdb "$cookieFile"
+ chmod 600 "$cookieFile"
+}
+
 if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
 # this is where runtime configuration changes will be written.
 # we need to explicitly touch it here in case /opt/couchdb/etc has
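Review bot: In `set_erlang_cookie` the cookie is written with `echo "$erlangCookie" > "$cookieFile"` and only restricted by the `chmod 600` that follows, so the file briefly exists with whatever mode the process umask allows (the umask is not visible in this hunk). Creating it restricted from the start avoids that window: `( umask 077; echo "$erlangCookie" > "$cookieFile" )`. The mismatch warning still names only `COUCHDB_ERLANG_COOKIE`, which misleads when the value came from `COUCHDB_ERLANG_COOKIE_FILE`; wording such as `"warning: $cookieFile contents do not match the configured Erlang cookie"` covers both sources. The three helpers also assign `adminUser`, `adminPassword`, `chttpSecret`, `erlangCookie` and `cookieFile` as globals, and declaring them `local` would keep the secret values from lingering in the rest of the script. The same functions are added to dev/docker-entrypoint.sh earlier in this patch.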
@@ -64,32 +99,41 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
 fi
 
 if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then
- # Create admin only if not already present
- if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then
- printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini
- fi
+ set_admin_credentials "$COUCHDB_USER" "$COUCHDB_PASSWORD"
+ elif [ "$COUCHDB_USER_FILE" ] && [ "$COUCHDB_PASSWORD_FILE" ]; then
+ if [ -f "$COUCHDB_USER_FILE" ] && [ -f "$COUCHDB_PASSWORD_FILE" ]; then
+ adminUser=$(<"$COUCHDB_USER_FILE")
+ adminPassword=$(<"$COUCHDB_PASSWORD_FILE")
+ set_admin_credentials "$adminUser" "$adminPassword"
+ else
+ echo "ERROR: COUCHDB_USER_FILE or COUCHDB_PASSWORD_FILE does not exist." >&2
+ exit 1
+ fi
 fi
 
 if [ "$COUCHDB_SECRET" ]; then
 # Set secret only if not already present
- if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then
- printf "\n[chttpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini
- fi
+ set_http_secret "$COUCHDB_SECRET"
+ elif [ "$COUCHDB_SECRET_FILE" ]; then
+ if [ -f "$COUCHDB_SECRET_FILE" ]; then
+ chttpSecret=$(<"$COUCHDB_SECRET_FILE")
+ set_http_secret "$chttpSecret"
+ else
+ echo "ERROR: COUCHDB_SECRET_FILE does not exist." >&2
+ exit 1
+ fi
 fi
 
 if [ "$COUCHDB_ERLANG_COOKIE" ]; then
- cookieFile='/opt/couchdb/.erlang.cookie'
- if [ -e "$cookieFile" ]; then
- if [ "$(cat "$cookieFile" 2>/dev/null)" != "$COUCHDB_ERLANG_COOKIE" ]; then
- echo >&2
- echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE"
- echo >&2
- fi
- else
- echo "$COUCHDB_ERLANG_COOKIE" > "$cookieFile"
- fi
- chown couchdb:couchdb "$cookieFile"
- chmod 600 "$cookieFile"
+ set_erlang_cookie "$COUCHDB_ERLANG_COOKIE"
+ elif [ "$COUCHDB_ERLANG_COOKIE_FILE" ]; then
+ if [ -f "$COUCHDB_ERLANG_COOKIE_FILE" ]; then
+ erlangCookie=$(<"$COUCHDB_ERLANG_COOKIE_FILE")
+ set_erlang_cookie "$erlangCookie"
+ else
+ echo "ERROR: COUCHDB_ERLANG_COOKIE_FILE does not exist." >&2
+ exit 1
+ fi
 fi
 
 if [ "$(id -u)" = '0' ]; then
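Review bot: When a variable and its `_FILE` form are both set, each `elif` silently ignores the file, and when only one of `COUCHDB_USER_FILE` / `COUCHDB_PASSWORD_FILE` is set (or a user from the environment is combined with a password file) the admin branch does nothing and prints nothing. An operator who mounted a secret can therefore end up with a container configured from a different value, or with no admin written by this block, and no message to explain it. Entrypoints of Docker official images usually treat the two forms as mutually exclusive and stop; testing `[ "$COUCHDB_SECRET" ] && [ "$COUCHDB_SECRET_FILE" ]` (and the equivalent for the other pairs) before each branch and exiting with an error would make the misconfiguration visible. The matching hunk in dev/docker-entrypoint.sh has the same structure, and the enclosing `if` block starts and ends outside the hunk.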