Docker entrypoint, read environment variables from files.#11829

Closed
epuronta wants to merge 2 commits into keycloak:main from epuronta:feature/docker-env-from-file
Conversation

@epuronta
Contributor

@epuronta epuronta commented May 4, 2022

Adds a special entrypoint script for the Docker image.

The script supports using (mounted) files for configuring sensitive variables (like passwords). It is an alternative to passing the sensitive value directly as an environment variable (KC_DB_PASSWORD=MyPassword).

Basic process:

1. The information is mounted as a file to the container (e.g. /tmp/kc-db-password)
2. File path is passed as an environment variable (KC_DB_PASSWORD_FILE=/tmp/kc-db-password)
3. The entrypoint detects KC_DB_PASSWORD_FILE, reads the file content and exports it as KC_DB_PASSWORD
Closes #10816.

Supersedes the previous PR #10918, which I created off main in my fork and had to close.

@bovy89

bovy89 commented May 11, 2022

Hi,
I think that should also be extended to KEYCLOAK_ADMIN_FILE and KEYCLOAK_ADMIN_PASSWORD_FILE variables, example:

vars=($(set | grep -o -E "KC_.*_FILE|KEYCLOAK_ADMIN_FILE|KEYCLOAK_ADMIN_PASSWORD_FILE" || true))

In addition to that, I think exec /opt/keycloak/bin/kc.sh start "$@" should be exec /opt/keycloak/bin/kc.sh "$@" instead in order to not modify the default behavior (no args used)

@epuronta
Contributor Author

> Hi, I think that should also be extended to KEYCLOAK_ADMIN_FILE and KEYCLOAK_ADMIN_PASSWORD_FILE variables, example:
>
> vars=($(set | grep -o -E "KC_.*_FILE|KEYCLOAK_ADMIN_FILE|KEYCLOAK_ADMIN_PASSWORD_FILE" || true))

Are those variables still supported? The config list at least does not contain them. If I've understood correctly, all configuration is meant to use the KC_ prefix down the line.

> In addition to that, I think exec /opt/keycloak/bin/kc.sh start "$@" should be exec /opt/keycloak/bin/kc.sh "$@" instead in order to not modify the default behavior (no args used)

Good point. Fixed.

@bovy89

bovy89 commented May 12, 2022

I think you also need to exclude KC_CONFIG_FILE, for example:

vars=($(set | grep -o -E "KC_.*_FILE|KEYCLOAK_ADMIN_FILE|KEYCLOAK_ADMIN_PASSWORD_FILE" | grep -v KC_CONFIG_FILE || true))

Use case

mkdir -p secrets

cat > secrets/custom.conf <<EOF
db-username=keycloak
db-password=dadccf4d2s421zx
health-enabled=true
EOF

docker run --rm --name optimized_keycloak -p 127.0.0.1:8080:8080 -v $(pwd)/secrets:/secrets:ro \
-e KC_CONFIG_FILE=/secrets/custom.conf \
-e KC_METRICS_ENABLED=true \
prebuilt_keycloak start-dev
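The following is an added illustration of the mechanism described in the PR body (KC_DB_PASSWORD_FILE is read and exported as KC_DB_PASSWORD) combined with the two refinements raised in this thread: leaving KC_CONFIG_FILE alone, and exec'ing kc.sh "$@" without forcing a `start` subcommand. It is not the PR's entrypoint script and not Keycloak project code. The path /opt/keycloak/bin/kc.sh comes from the discussion above; the script name docker-entrypoint.sh, the function names and the behaviour on conflicts (refuse when both KC_X and KC_X_FILE are set) are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical docker-entrypoint.sh illustrating the *_FILE convention.
# Not the PR's script. Installed as:
#   ENTRYPOINT ["/opt/keycloak/bin/docker-entrypoint.sh"]
# and used like:
#   docker run -v ./db-password:/run/secrets/db-password:ro \
#     -e KC_DB_PASSWORD_FILE=/run/secrets/db-password ... start-dev
set -eu

# Load every KC_<NAME>_FILE variable into KC_<NAME> from the file it names.
# Returns non-zero (without starting Keycloak) if a file is unreadable or if
# both KC_<NAME> and KC_<NAME>_FILE are set, so a misconfiguration fails
# loudly at startup instead of silently preferring one of the two values.
load_file_secrets() {
  local file_var target_var path value existing status nl
  status=0
  nl='
'
  # Match on the variable *name* only (not the value), so a path or value
  # that merely contains "_FILE" is not picked up, and shell functions that
  # `set` would list are never considered. Skip KC_CONFIG_FILE, which points
  # at a config file for kc.sh itself rather than at a secret.
  for file_var in $(env | sed -n 's/^\(KC_[A-Z0-9_]*_FILE\)=.*/\1/p'); do
    if [ "$file_var" = "KC_CONFIG_FILE" ]; then
      continue
    fi
    target_var=${file_var%_FILE}
    # $file_var matched [A-Z0-9_]* above, so this indirect lookup is safe.
    eval "path=\$$file_var"
    eval "existing=\${$target_var:-}"
    if [ -n "$existing" ]; then
      echo "entrypoint: both $target_var and $file_var are set; refusing to guess" >&2
      status=1
      continue
    fi
    if [ ! -r "$path" ]; then
      echo "entrypoint: $file_var points at unreadable file '$path'" >&2
      status=1
      continue
    fi
    # Read the file verbatim (the trailing 'x' stops command substitution from
    # eating all trailing newlines), then strip exactly one trailing newline,
    # which editors and `echo` add when writing a secret file. Assumption for
    # this example: a secret never intentionally ends in a newline.
    value=$(cat "$path"; printf x)
    value=${value%x}
    value=${value%"$nl"}
    export "$target_var=$value"
    # Don't leak the mount path into the process environment once consumed.
    unset "$file_var"
  done
  return $status
}

# Only exec Keycloak when run as the image entrypoint; this lets the function
# above be sourced and exercised without starting anything. Pass the original
# arguments through untouched so `docker run image start-dev` keeps working.
if [ "$(basename -- "$0")" = "docker-entrypoint.sh" ]; then
  load_file_secrets
  exec /opt/keycloak/bin/kc.sh "$@"
fi
```

Two design points worth noting: selecting on the variable name via `env | sed` rather than `set | grep -o` avoids matching values that happen to contain `_FILE` and avoids shell functions that `set` prints; and refusing to start when both forms are present catches the case where an operator sets KC_DB_PASSWORD in a compose file and KC_DB_PASSWORD_FILE in a Kubernetes manifest and would otherwise get whichever one the script happened to prefer.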

@andreaTP
Contributor

I'm sorry to close this PR, thanks again for the effort and time really appreciated ❤️
ref: #10816 (comment)

@andreaTP andreaTP closed this Jun 23, 2022