From 6ca6ef69a21c60dc0d00bfc55c4a34fc6398cf1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=2C=20Ren=C3=A9=20Pardon?=
Date: Mon, 19 Sep 2022 09:34:37 +0200
Subject: [PATCH] docker: Allow passing secrects using files (#810)
* feat (DOCKER) BW-0: add docker secret env parsing
* fix (DOCKER) #810: adjust image version for docker-compose.yml example
* chore (DOCKER) tus#810: remove AWS_URL env var in favor of s3-endpoint flag
---
 .gitignore | 1 +
 Dockerfile | 10 +++++++---
 docker/entrypoint.sh | 9 +++++++++
 docker/load-env.sh | 29 +++++++++++++++++++++++++++++
 docs/faq.md | 13 +++++++++++++
 examples/docker-compose.yml | 28 ++++++++++++++++++++++++++++
 6 files changed, 87 insertions(+), 3 deletions(-)
 create mode 100644 docker/entrypoint.sh
 create mode 100644 docker/load-env.sh
 create mode 100644 examples/docker-compose.yml
diff --git a/.gitignore b/.gitignore
index 73f6e93..568460a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ node_modules/
 .DS_Store
 ./tusd
 tusd_*_*
+.idea/
diff --git a/Dockerfile b/Dockerfile
index 2fef2fc..9f88579 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,16 +28,20 @@ RUN set -xe \
 FROM alpine:3.16.2
 WORKDIR /srv/tusd-data
-RUN apk add --no-cache ca-certificates jq \
+COPY ./docker/entrypoint.sh /usr/local/share/docker-entrypoint.sh
+COPY ./docker/load-env.sh /usr/local/share/load-env.sh
+
+RUN apk add --no-cache ca-certificates jq bash \
 && addgroup -g 1000 tusd \
 && adduser -u 1000 -G tusd -s /bin/sh -D tusd \
 && mkdir -p /srv/tusd-hooks \
- && chown tusd:tusd /srv/tusd-data
+ && chown tusd:tusd /srv/tusd-data \
+ && chmod +x /usr/local/share/docker-entrypoint.sh /usr/local/share/load-env.sh
 COPY --from=builder /go/bin/tusd /usr/local/bin/tusd
 EXPOSE 1080
 USER tusd
-ENTRYPOINT ["tusd"]
+ENTRYPOINT ["/usr/local/share/docker-entrypoint.sh"]
 CMD [ "--hooks-dir", "/srv/tusd-hooks" ]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100644
index 0000000..88a70ef
--- /dev/null
+++ b/docker/entrypoint.sh
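Review bot: The `RUN apk add` line now pulls bash into the runtime image without saying why; a comment such as `# bash: required by docker-entrypoint.sh and load-env.sh ([[ ]], ${!var} indirection)` would keep a later cleanup from dropping it and silently breaking the entrypoint. The two `COPY` lines sit before the `apk add` layer, so every edit to either script invalidates the package-install cache; placing them after the `RUN` (with `COPY --chmod=755` where BuildKit is available, which also removes the separate `chmod +x`) avoids that. Copying the scripts root-owned and only executable before `USER tusd` is the right way round, since the unprivileged user then cannot modify its own entrypoint.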
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+. /usr/local/share/load-env.sh
+
+exec tusd "$@"
diff --git a/docker/load-env.sh b/docker/load-env.sh
new file mode 100644
index 0000000..ec84476
--- /dev/null
+++ b/docker/load-env.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+tusd_env_vars=(
+ AWS_ACCESS_KEY_ID
+ AWS_SECRET_ACCESS_KEY
+ AWS_REGION
+ GCS_SERVICE_ACCOUNT_FILE
+ AZURE_STORAGE_ACCOUNT
+ AZURE_STORAGE_KEY
+)
+
+for env_var in "${tusd_env_vars[@]}"; do
+ file_env_var="${env_var}_FILE"
+
+ if [[ -n "${!file_env_var:-}" ]]; then
+ if [[ -r "${!file_env_var:-}" ]]; then
+ export "${env_var}=$(< "${!file_env_var}")"
+ unset "${file_env_var}"
+ else
+ warn "Skipping export of '${env_var}'. '${!file_env_var:-}' is not readable."
+ fi
+ fi
+done
+
+unset tusd_env_vars
diff --git a/docs/faq.md b/docs/faq.md
index e02fa36..110ec8d 100644
--- a/docs/faq.md
+++ b/docs/faq.md
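Review bot: `warn` is called in the not-readable branch of the loop in load-env.sh but is defined neither there nor in entrypoint.sh, so under `set -o errexit` an unreadable `*_FILE` path aborts the container with "command not found" (exit 127) instead of skipping the variable as the message promises. Define it near the top of load-env.sh, e.g. `warn() { printf 'warn: %s\n' "$*" >&2; }`. Separately, the list contains `GCS_SERVICE_ACCOUNT_FILE`, so the derived name is `GCS_SERVICE_ACCOUNT_FILE_FILE` and the file's contents replace a variable that tusd, going by its name, treats as a path; if inlining the key JSON is intended it deserves a comment, otherwise the entry looks like a mistake. A header comment should also state that the secret value ends up in tusd's process environment (and presumably in that of any hook it spawns from the `--hooks-dir`), which is the trade-off of this approach compared with reading the file in-process.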
@@ -58,3 +58,16 @@ To make your setup easier, tusd already includes the necessary CORS configuratio
 * `Upload-Concat`: A tus specific header used to indicate if the containing HTTP request is the final request for uploading a file or not. See [here](https://tus.io/protocols/resumable-upload.html#upload-concat) for details.
 If you are looking for a way to communicate additional information from a client to a server, use the `Upload-Metadata` header.
+
+### How to use Docker Secrets for credentials (Swarm mode only)
+
+Example usage with "minio"/S3 (AWS). Create the secrets:
+
+```bash
+printf "minio" | docker secret create minio-username -
+printf "miniosecret" | docker secret create minio-password -
+```
+
+Those commands create two secrets which are used inside the example [docker-compose.yml](../examples/docker-compose.yml) file.
+The provided example assumes, that you also have a service named "minio" inside the same Docker Network.
+We just append a _FILE suffix to the corresponding environment variables. The contents of the mounted file will be added to the environment variable without _FILE suffix.
diff --git a/examples/docker-compose.yml b/examples/docker-compose.yml
new file mode 100644
index 0000000..7acb2e3
--- /dev/null
+++ b/examples/docker-compose.yml
@@ -0,0 +1,28 @@
+version: "3.9"
+services:
+ tusd:
+ image: tusproject/tusd:v1.9
+ command: -verbose -s3-bucket mybucket -s3-endpoint http://minio:9000
+ volumes:
+ - tusd:/data
+ environment:
+ - AWS_REGION=us-east-1
+ - AWS_ACCESS_KEY_ID_FILE=/run/secrets/minio-username
+ - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/minio-password
+ secrets:
+ - minio-username
+ - minio-password
+ networks:
+ - tusd
+
+volumes:
+ tusd:
+
+secrets:
+ minio-username:
+ external: true
+ minio-password:
+ external: true
+
+networks:
+ tusd:
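Review bot: The secrets in the compose example are consumed by a container that runs as the unprivileged `tusd` user (uid 1000 per the Dockerfile), so the short `secrets:` syntax only works as long as the secret files keep Docker's default, world-readable mount mode; otherwise load-env.sh finds them unreadable and skips the variables. Using the long form (`- source: minio-username` with `uid: "1000"`, `gid: "1000"`, `mode: 0400`), or at least a comment naming the requirement, makes this explicit and limits the secret files to the service user. The `tusd:/data` volume appears unused when `-s3-bucket` is set (uploads go to S3 and the image's working directory is /srv/tusd-data), so it may be worth dropping or explaining in a comment.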