docker: Allow passing secrects using files (#810)

* feat (DOCKER) BW-0: add docker secret env parsing

* fix (DOCKER) #810: adjust image version for docker-compose.yml example

* chore (DOCKER) tus#810: remove AWS_URL env var in favor of s3-endpoint flag
This commit is contained in:
Christoph, René Pardon 2022-09-19 09:34:37 +02:00 committed by GitHub
parent 0ded7b624d
commit 6ca6ef69a2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 87 additions and 3 deletions

1
.gitignore vendored
View File

@ -5,3 +5,4 @@ node_modules/
.DS_Store .DS_Store
./tusd ./tusd
tusd_*_* tusd_*_*
.idea/

View File

@ -28,16 +28,20 @@ RUN set -xe \
FROM alpine:3.16.2 FROM alpine:3.16.2
WORKDIR /srv/tusd-data WORKDIR /srv/tusd-data
RUN apk add --no-cache ca-certificates jq \ COPY ./docker/entrypoint.sh /usr/local/share/docker-entrypoint.sh
COPY ./docker/load-env.sh /usr/local/share/load-env.sh
RUN apk add --no-cache ca-certificates jq bash \
&& addgroup -g 1000 tusd \ && addgroup -g 1000 tusd \
&& adduser -u 1000 -G tusd -s /bin/sh -D tusd \ && adduser -u 1000 -G tusd -s /bin/sh -D tusd \
&& mkdir -p /srv/tusd-hooks \ && mkdir -p /srv/tusd-hooks \
&& chown tusd:tusd /srv/tusd-data && chown tusd:tusd /srv/tusd-data \
&& chmod +x /usr/local/share/docker-entrypoint.sh /usr/local/share/load-env.sh
COPY --from=builder /go/bin/tusd /usr/local/bin/tusd COPY --from=builder /go/bin/tusd /usr/local/bin/tusd
EXPOSE 1080 EXPOSE 1080
USER tusd USER tusd
ENTRYPOINT ["tusd"] ENTRYPOINT ["/usr/local/share/docker-entrypoint.sh"]
CMD [ "--hooks-dir", "/srv/tusd-hooks" ] CMD [ "--hooks-dir", "/srv/tusd-hooks" ]

9
docker/entrypoint.sh Normal file
View File

@ -0,0 +1,9 @@
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
. /usr/local/share/load-env.sh
exec tusd "$@"

29
docker/load-env.sh Normal file
View File

@ -0,0 +1,29 @@
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
tusd_env_vars=(
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_REGION
GCS_SERVICE_ACCOUNT_FILE
AZURE_STORAGE_ACCOUNT
AZURE_STORAGE_KEY
)
for env_var in "${tusd_env_vars[@]}"; do
file_env_var="${env_var}_FILE"
if [[ -n "${!file_env_var:-}" ]]; then
if [[ -r "${!file_env_var:-}" ]]; then
export "${env_var}=$(< "${!file_env_var}")"
unset "${file_env_var}"
else
warn "Skipping export of '${env_var}'. '${!file_env_var:-}' is not readable."
fi
fi
done
unset tusd_env_vars

View File

@ -58,3 +58,16 @@ To make your setup easier, tusd already includes the necessary CORS configuratio
* `Upload-Concat`: A tus specific header used to indicate if the containing HTTP request is the final request for uploading a file or not. See [here](https://tus.io/protocols/resumable-upload.html#upload-concat) for details. * `Upload-Concat`: A tus specific header used to indicate if the containing HTTP request is the final request for uploading a file or not. See [here](https://tus.io/protocols/resumable-upload.html#upload-concat) for details.
If you are looking for a way to communicate additional information from a client to a server, use the `Upload-Metadata` header. If you are looking for a way to communicate additional information from a client to a server, use the `Upload-Metadata` header.
### How to use Docker Secrets for credentials (Swarm mode only)
Example usage with "minio"/S3 (AWS). Create the secrets:
```bash
printf "minio" | docker secret create minio-username -
printf "miniosecret" | docker secret create minio-password -
```
Those commands create two secrets which are used inside the example [docker-compose.yml](../examples/docker-compose.yml) file.
The provided example assumes, that you also have a service named "minio" inside the same Docker Network.
We just append a _FILE suffix to the corresponding environment variables. The contents of the mounted file will be added to the environment variable without _FILE suffix.

View File

@ -0,0 +1,28 @@
version: "3.9"
services:
tusd:
image: tusproject/tusd:v1.9
command: -verbose -s3-bucket mybucket -s3-endpoint http://minio:9000
volumes:
- tusd:/data
environment:
- AWS_REGION=us-east-1
- AWS_ACCESS_KEY_ID_FILE=/run/secrets/minio-username
- AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/minio-password
secrets:
- minio-username
- minio-password
networks:
- tusd
volumes:
tusd:
secrets:
minio-username:
external: true
minio-password:
external: true
networks:
tusd: