
Docker entrypoint, read environment variables from files.#10918

Closed
epuronta wants to merge 0 commits into keycloak:main from epuronta:main

Conversation

@epuronta (Contributor)

Adds a special entrypoint script for the Docker image.

The script supports using (mounted) files for configuring sensitive variables (like passwords). It is an alternative to passing the sensitive value directly as an environment variable (KC_DB_PASSWORD=MyPassword).

Basic process:

  • The information is mounted as a file to the container (e.g. /tmp/kc-db-password)
  • File path is passed as an environment variable (KC_DB_PASSWORD_FILE=/tmp/kc-db-password)
  • The entrypoint detects KC_DB_PASSWORD_FILE, reads the file content and exports it as KC_DB_PASSWORD

Closes #10816.
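The three steps above, written out as a POSIX sh entrypoint helper. This is an added example, not the script from the PR: the helper names (file_env, file_env_all), the list of variables handled and the kc.sh path in the trailing comment are assumptions for illustration; the variable naming (KC_DB_PASSWORD / KC_DB_PASSWORD_FILE) follows the PR description. The example goes slightly beyond the description by refusing to run when both the plain value and the _FILE pointer are set, and by unsetting the pointer after use.

```shell
#!/bin/sh
# Added example of the KC_*_FILE convention described in the PR. Not the PR's entrypoint
# script; helper names and the variable list below are assumptions for illustration.

# file_env NAME: if NAME_FILE is set, read that file into NAME, export it and drop NAME_FILE.
# Refuses to run when both NAME and NAME_FILE are set, so a stray plain-text value can
# never silently win over the mounted secret.
file_env() {
    var=$1
    # Only well-formed variable names reach the eval below. The names come from this
    # script, never from the environment, but the check costs nothing.
    case "$var" in
        *[!A-Za-z0-9_]* | "" | [0-9]*)
            echo "file_env: bad variable name '$var'" >&2
            return 1 ;;
    esac
    file_var="${var}_FILE"
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"

    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "file_env: both $var and $file_var are set; set exactly one" >&2
        return 1
    fi
    [ -n "$file" ] || return 0          # nothing to do: NAME_FILE is not set

    if [ ! -r "$file" ]; then
        echo "file_env: $file_var=$file is not a readable file" >&2
        return 1
    fi
    # $(cat ...) strips trailing newlines, which is what you want for a password written
    # with echo; a secret that legitimately ends in a newline cannot be passed this way.
    val=$(cat "$file")
    export "$var=$val"
    # Drop the pointer so the path does not end up in the server's environment either.
    unset "$file_var"
}

# file_env_all NAME...: apply file_env to each name, stopping at the first failure.
file_env_all() {
    for name in "$@"; do
        file_env "$name" || return 1
    done
}

# What the entrypoint would do before handing over to the server (assumed launcher path):
#   file_env_all KC_DB_USERNAME KC_DB_PASSWORD
#   exec /opt/keycloak/bin/kc.sh "$@"
```

Mount the secret read-only (a Docker secret under /run/secrets, or a Kubernetes Secret volume) and point KC_DB_PASSWORD_FILE at it; the helper fails loudly rather than starting the server with an empty password when the file is missing or unreadable.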

@epuronta (Contributor, Author)

I had no idea if and how the included test script should be run automatically. Might be appropriate.

@stianst (Contributor) left a comment

We should consider how reading secrets for things like DB aligns with reading secrets for things like LDAP server within a realm.

I can see that we should support something along the line of DB_USERNAME_FILE, but in that case it's something we would add to the Quarkus distribution to support somehow, and not as a wrapper in the container image.

@stianst stianst requested review from andreaTP and pedroigor March 30, 2022 15:34
@ahus1 ahus1 added area/dist/quarkus kind/feature Categorizes a PR related to a new feature labels Apr 4, 2022
@epuronta (Contributor, Author)

Agreed @stianst, it would be better to have this directly where Quarkus loads the configuration instead of a wrapper script. I don't have the expertise to create a PR though, so someone else would need to step in for that.

Also, sorry for the late response - I totally missed the reply notification here.

@artpdr commented Nov 16, 2022

> Adds a special entrypoint script for the Docker image.
>
> The script supports using (mounted) files for configuring sensitive variables (like passwords). It is an alternative to passing the sensitive value directly as an environment variable (KC_DB_PASSWORD=MyPassword).
>
> Basic process:
>
>   • The information is mounted as a file to the container (e.g. /tmp/kc-db-password)
>   • File path is passed as an environment variable (KC_DB_PASSWORD_FILE=/tmp/kc-db-password)
>   • The entrypoint detects KC_DB_PASSWORD_FILE, reads the file content and exports it as KC_DB_PASSWORD
>
> Closes #10816.

Sorry if I'm missing something, but if you do an export foo=content_from_secret_file you will end up with secrets in the environment variables, which has associated security risks.

@epuronta (Contributor, Author)

@artpdr as far as I understand, the primary security risk with having secrets in environment variables is related to how Docker displays the environment variables supplied to the container with docker inspect as this exposes the secrets to anyone with access to the docker socket.

The approach in this issue, however, exports the variables inside the container, so they are not exposed to docker (or at least not shown with docker inspect, I don't know how exactly it works internally).

For a simple example, fire up a container with one supplied secret and export another one from inside:

> docker run -it --rm  -e SECRET1=secret1 --name secret-test alpine
/ # export SECRET2=secret2
/ # printenv
HOSTNAME=941be17a9ac1
SECRET1=secret1
SECRET2=secret2

Inspecting the container only exposes the first secret:

docker inspect secret-test -f "{{ .Config.Env }}"
[SECRET1=secret1]
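docker inspect reads the container's Config.Env, which is the environment Docker itself supplied. The process side is a separate view: once the entrypoint exports the value and exec's the server, the value sits in the server's exec-time environment, and on Linux that is exposed through /proc/<pid>/environ to the same uid and to root (including root on the host when the container runs as root) and is inherited by every child the server spawns. The following added example, not part of the thread, contrasts the two placements; the "server" is a child sh that reports its own environment, and the file and variable names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the PR or the thread: where a secret ends up once the
# entrypoint has exported it and exec'ed the server, versus handing the server only the
# file path. Variable names follow the PR; everything else is constructed for illustration.

# Command that dumps the running process's exec-time environment, one NAME=VALUE per line.
# On Linux this comes from /proc/self/environ; where /proc is absent it falls back to env,
# which lists the same inherited variables.
environ_of_self='if [ -r /proc/self/environ ]; then tr "\0" "\n" < /proc/self/environ; else env; fi'

# Entrypoint pattern from the PR: read KC_DB_PASSWORD_FILE into KC_DB_PASSWORD, export it,
# start the server. Prints the password exactly as the server process finds it in its own
# environment (and as /proc/<pid>/environ would show it to anyone allowed to read it).
server_sees_exported_secret() {
    KC_DB_PASSWORD=$(cat "$1")
    export KC_DB_PASSWORD
    sh -c "$environ_of_self" | sed -n 's/^KC_DB_PASSWORD=//p'
}

# The alternative stianst points towards: the server reads the file itself at
# configuration-load time. Prints "<secret> <count>": the secret the server obtained from
# the file, and how many KC_DB_PASSWORD= entries its exec-time environment contains (0).
server_reads_file_itself() {
    (
        unset KC_DB_PASSWORD
        KC_DB_PASSWORD_FILE=$1
        export KC_DB_PASSWORD_FILE
        # The server still gets the secret ...
        secret=$(sh -c 'cat "$KC_DB_PASSWORD_FILE"')
        # ... but its environment carries only the path. grep -c exits 1 on zero matches,
        # hence the || true.
        n=$(sh -c "$environ_of_self" | grep -c '^KC_DB_PASSWORD=' || true)
        printf '%s %s\n' "$secret" "$n"
    )
}
```

Neither placement shows up in docker inspect; the difference is who can read it afterwards. Reading the file at the point of use also lets the secret be rotated by replacing the file, while an exported value is fixed for the lifetime of the process.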


Labels: area/dist/quarkus, kind/feature

Linked issue (closed by merging this pull request): Read secrets from files

4 participants