Added the ability to use secrets for compose/swarm

2022-07-28 12:50:17 +03:00 · 2022-07-28 12:50:17 +03:00 · 48332f0ff9
parent 05c5042985
commit 48332f0ff9
2 changed files with 42 additions and 1 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,4 +1,4 @@
-version: '2'
+version: "3.9"
 services:
  onlyoffice-documentserver:
    build:
@ -31,6 +31,11 @@ services:
       - /var/lib/onlyoffice/documentserver/App_Data/cache/files
       - /var/www/onlyoffice/documentserver-example/public/files
       - /usr/share/fonts
+    secrets:
+      - db_username
+      - db_password
+      - jwt_secret
+      - jwt_header
       
  onlyoffice-rabbitmq:
    container_name: onlyoffice-rabbitmq
@ -46,11 +51,26 @@ services:
      - POSTGRES_DB=onlyoffice
      - POSTGRES_USER=onlyoffice
      - POSTGRES_HOST_AUTH_METHOD=trust
+      #- POSTGRES_USER_FILE=/run/secrets/db_username
+      #- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
    restart: always
    expose:
      - '5432'
    volumes:
      - postgresql_data:/var/lib/postgresql
+    secrets:
+      - db_username
+      - db_password
+
+secrets:
+   db_username:
+     file: db_username.txt
+   db_password:
+     file: db_password.txt
+   jwt_secret:
+     file: jwt_secret.txt
+   jwt_header:
+     file: jwt_header.txt

 volumes:
  postgresql_data:
--- a/run-document-server.sh
+++ b/run-document-server.sh
@ -19,6 +19,7 @@ LIB_DIR="/var/lib/${COMPANY_NAME}"
 DS_LIB_DIR="${LIB_DIR}/documentserver"
 CONF_DIR="/etc/${COMPANY_NAME}/documentserver"
 IS_UPGRADE="false"
+SECRETS_PATH="/run/secrets/"

 ONLYOFFICE_DATA_CONTAINER=${ONLYOFFICE_DATA_CONTAINER:-false}
 ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
@ -86,6 +87,14 @@ JWT_SECRET=${JWT_SECRET:-secret}
 JWT_HEADER=${JWT_HEADER:-Authorization}
 JWT_IN_BODY=${JWT_IN_BODY:-false}

+if [ -s ${SECRETS_PATH}/jwt_secret.txt ]; then
+  JWT_SECRET=$( cat ${SECRETS_PATH}/jwt_secret.txt )
+fi
+
+if [ -s ${SECRETS_PATH}/jwt_header.txt ]; then
+  JWT_HEADER=$( cat ${SECRETS_PATH}/jwt_header.txt ) 
+fi
+
 WOPI_ENABLED=${WOPI_ENABLED:-false}

 GENERATE_FONTS=${GENERATE_FONTS:-true}
@ -252,6 +261,18 @@ update_db_settings(){
  ${JSON} -I -e "this.services.CoAuthoring.sql.dbName = '${DB_NAME}'"
  ${JSON} -I -e "this.services.CoAuthoring.sql.dbUser = '${DB_USER}'"
  ${JSON} -I -e "this.services.CoAuthoring.sql.dbPass = '${DB_PWD}'"
+
+  # update db credentials if secrets present
+  
+  if [ -s ${SECRETS_PATH}/db_username.txt ]; then
+    SECRET_DB_USER=$( cat ${SECRETS_PATH}/db_username.txt )
+    ${JSON} -I -e "this.services.CoAuthoring.sql.dbUser = '${SECRET_DB_USER}'"
+  fi
+
+  if [ -s ${SECRETS_PATH}/db_password.txt ]; then
+    SECRET_DB_PWD=$( cat {SECRETS_PATH}/db_password.txt )
+    ${JSON} -I -e "this.services.CoAuthoring.sql.dbPass = '${SECRET_DB_PWD}'"
+  fi
 }

 update_rabbitmq_setting(){