Support passing sensitive data as docker secrets (#6)
See the environment variables table to learn what settings can be
controlled with a `XXX_FILE` type of variable.
2franix authored Jan 12, 2024
1 parent c6f19f1 commit 4c37d6b
Showing 3 changed files with 87 additions and 57 deletions.
5 changes: 5 additions & 0 deletions Dockerfile
Expand Up @@ -17,11 +17,16 @@ ENV CRON_SPEC_FILE="/crontab"
ENV CRON_ENTRYPOINT_PRE_DIR="/entrypoint.pre.d"
ENV CRON_VERBOSITY=8
ENV CRON_MAILTO=
ENV CRON_MAILTO_FILE=
ENV SMTP_HOST=
ENV SMTP_HOST_FILE=
ENV SMTP_PORT=
ENV SMTP_PORT_FILE=
ENV SMTP_TLS=on
ENV SMTP_FROM=
ENV SMTP_FROM_FILE=
ENV SMTP_USER=
ENV SMTP_USER_FILE=
ENV SMTP_PASSWORD=
ENV SMTP_PASSWORD_FILE=

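Review bot: every new `*_FILE` variable is declared with an empty default, so a deployment that relies on Docker secrets always has to supply the path itself; since Docker mounts secrets under `/run/secrets/<name>` by default, the README example (`SMTP_PASSWORD_FILE=/etc/smtp_password`) would be more useful if it showed that convention, e.g. `SMTP_PASSWORD_FILE=/run/secrets/smtp_password`. Also worth stating in the commit message that `SMTP_TLS` deliberately gets no `_FILE` counterpart, which is consistent with the README table but otherwise looks like an omission next to its neighbours.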
40 changes: 23 additions & 17 deletions README.md
Expand Up @@ -63,20 +63,26 @@ It is possible to configure msmtp in the container so that any output produced b

## Environment variables in the image

| Variable | Default value | Modifiable | Notes |
|---------------------------|---------------------|------------|-------------------------------------------------------------------------------------------------------------------------------------|
| `CRON_USER` | "worker" | no | Set at build time, cannot be changed. |
| `CRON_USER_UID` | 1000 | yes | |
| `CRON_USER_GID` | 1000 | yes | |
| `CRON_USER_HOME` | `/worker` | yes | See CRON_SPEC_FILE if you change this variable. |
| `CRON_ENTRYPOINT_PRE_DIR` | `/entrypoint.pre.d` | yes | Optional folder containing scripts to execute as root before starting cron. |
| `CRON_SPEC_FILE` | `/crontab` | yes | Contains the crontab definition, as expected by cron. |
| `CRON_VERBOSITY` | 8 | yes | A value between 0 (max) and 8 (min) to control cron's verbosity. |
| `CRON_MAILTO` | "" | yes | Cron emails recipient. |
| `SMTP_HOST` | "" | yes | SMTP host server to use to send emails. Leave it empty to disable msmtp entirely. |
| `SMTP_PORT` | "" | yes | Port of the SMTP server to use to send emails. |
| `SMTP_TLS` | "on" | yes | Value of [msmtp's TLS option](https://marlam.de/msmtp/msmtp.html#index-tls). |
| `SMTP_FROM` | "" | yes | Address to appear as sender of emails sent by cron. |
| `SMTP_USER` | "" | yes | Username when authenticating against the SMTP server. |
| `SMTP_PASSWORD` | "" | yes | Password when authenticating against the SMTP server. |
| `SMTP_PASSWORD_FILE` | "" | yes | File containing the password to use when authenticating against the SMTP server. Leave it empty to use the value of `SMTP_PASSWORD` |
Instead of storing the value directly in some of the variables, it is possible to write it to a file in the container and store the path to this file in the `XXX_FILE` variable.
For example, rather than storing the SMTP password in `SMTP_PASSWORD`, one can store it in the `/etc/smtp_password` file in the container and set `SMTP_PASSWORD_FILE=/etc/smtp_password`.
This is mainly useful to leverage docker secrets to pass sensitive data.

Not all variables support this feature. Refer to the "Has _FILE variant" column in the table below.

| Variable | Default value | Modifiable | Has _FILE variant | Notes |
|---------------------------|---------------------|------------|-------------------|-----------------------------------------------------------------------------------|
| `CRON_USER` | "worker" | no | | Set at build time, cannot be changed. |
| `CRON_USER_UID` | 1000 | yes | | |
| `CRON_USER_GID` | 1000 | yes | | |
| `CRON_USER_HOME` | `/worker` | yes | | See CRON_SPEC_FILE if you change this variable. |
| `CRON_ENTRYPOINT_PRE_DIR` | `/entrypoint.pre.d` | yes | | Optional folder containing scripts to execute as root before starting cron. |
| `CRON_SPEC_FILE` | `/crontab` | yes | | Contains the crontab definition, as expected by cron. |
| `CRON_VERBOSITY` | 8 | yes | | A value between 0 (max) and 8 (min) to control cron's verbosity. |
| `CRON_MAILTO` | "" | yes | X | Cron emails recipient. |
| `SMTP_HOST` | "" | yes | X | SMTP host server to use to send emails. Leave it empty to disable msmtp entirely. |
| `SMTP_PORT` | "" | yes | X | Port of the SMTP server to use to send emails. |
| `SMTP_TLS` | "on" | yes | | Value of [msmtp's TLS option](https://marlam.de/msmtp/msmtp.html#index-tls). |
| `SMTP_FROM` | "" | yes | X | Address to appear as sender of emails sent by cron. |
| `SMTP_USER` | "" | yes | X | Username when authenticating against the SMTP server. |
| `SMTP_PASSWORD` | "" | yes | X | Password when authenticating against the SMTP server. |

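Review bot: the new paragraph does not document the mutual-exclusivity rule that entrypoint.sh now enforces (`$VAR_NAME and $FILE_VAR_NAME are mutually exclusive.` followed by `exit 1`), so a user who sets both `SMTP_PASSWORD` and `SMTP_PASSWORD_FILE` expecting the file to take precedence gets a failed container start with nothing in the docs to explain it. Add one sentence after "This is mainly useful to leverage docker secrets to pass sensitive data." saying that a variable and its `_FILE` variant must not both be non-empty, and that the file is read once at container start, so the secret has to be mounted before the entrypoint runs. Minor: the removed `SMTP_PASSWORD_FILE` row was the only place that said "Leave it empty to use the value of `SMTP_PASSWORD`"; that precedence statement is still true for every `_FILE` variable and belongs in the new paragraph.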
99 changes: 59 additions & 40 deletions entrypoint.sh
Expand Up @@ -4,16 +4,28 @@ set -e -u

check_variable() {
VAR_NAME=$1
VAR_DEFAULT=
[ $# -ge 2 ] && VAR_DEFAULT="$2"
USE_FILE_VAR=$2
MANDATORY=$3
FILE_VAR_NAME="${VAR_NAME}_FILE"

if [ -z "$(printenv "$VAR_NAME")" ] ; then
if [ -z "$VAR_DEFAULT" ] ; then
echo "$VAR_NAME not set."
if [ "$USE_FILE_VAR" -eq 1 ] ; then
VAR_FILE=$(printenv "$FILE_VAR_NAME")
else
VAR_FILE=""
fi

# Read content of _FILE if set.
if [ -n "$VAR_FILE" ] ; then
if [ -n "$(printenv "$VAR_NAME")" ] ; then
echo "$VAR_NAME and $FILE_VAR_NAME are mutually exclusive."
exit 1
else
export "$VAR_NAME"="$VAR_DEFAULT"
fi
export "$VAR_NAME"="$(cat "$VAR_FILE")"
fi

if [ -z "$(printenv "$VAR_NAME")" ] && [ "$MANDATORY" -eq 1 ] ; then
echo "$VAR_NAME is not set."
exit 1
fi
}

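Review bot: `export "$VAR_NAME"="$(cat "$VAR_FILE")"` copies the secret back into the environment of the entrypoint and of everything it later executes, so it is visible in `/proc/<pid>/environ` and to `docker exec ... env`, which is exactly what the `_FILE` variant is meant to avoid; for the password in particular, keep only the file path in the environment and let the consumer read the file, or at least `unset` the variable once the msmtp config has been written. Two smaller points in the same function: a missing or unreadable `$VAR_FILE` makes `cat` fail under `set -e` with only cat's own message, so add an explicit `[ -r "$VAR_FILE" ]` check that names `$FILE_VAR_NAME` in its error; and `VAR_FILE=$(printenv "$FILE_VAR_NAME")` is a bare assignment, so if a `*_FILE` variable is ever absent from the environment (rather than empty, as the Dockerfile sets it) `printenv` returns 1 and `set -e` aborts the script without any message.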
Expand All @@ -32,39 +44,21 @@ run_script_folder() {
done
}

# Create msmtp config if enabled.
if [ -n "$SMTP_HOST" ] ; then
MSMTPRC=/etc/msmtprc
echo account relay > "$MSMTPRC"
echo tls "$SMTP_TLS" >> "$MSMTPRC"
echo host "$SMTP_HOST" >> "$MSMTPRC"
if [ -n "$SMTP_PORT" ] ; then
echo port "$SMTP_PORT" >> "$MSMTPRC"
fi
if [ -n "$SMTP_FROM" ] ; then
echo from "$SMTP_FROM" >> "$MSMTPRC"
fi
if [ -n "$SMTP_USER" ] ; then
echo auth on >> "$MSMTPRC"
echo user "$SMTP_USER" >> "$MSMTPRC"
if [ -n "$SMTP_PASSWORD_FILE" ] ; then
echo password "$(cat "$SMTP_PASSWORD_FILE")" >> "$MSMTPRC"
else
echo password "$SMTP_PASSWORD" >> "$MSMTPRC"
fi
fi
echo account default : relay >> "$MSMTPRC"
fi

# Those env vars are defined in the Dockerfile but
# let's check them one last time, in case the running environment
# messed up.
check_variable CRON_USER_UID
check_variable CRON_USER_GID
check_variable CRON_USER_HOME
check_variable CRON_SPEC_FILE
check_variable CRON_ENTRYPOINT_PRE_DIR
check_variable CRON_VERBOSITY
# Check all variables are defined and read their value from
# their corresponding *_FILE variable if set.
check_variable CRON_USER_UID 0 1
check_variable CRON_USER_GID 0 1
check_variable CRON_USER_HOME 0 1
check_variable CRON_SPEC_FILE 0 1
check_variable CRON_ENTRYPOINT_PRE_DIR 0 0
check_variable CRON_VERBOSITY 0 1
check_variable CRON_MAILTO 1 0
check_variable SMTP_HOST 1 0
check_variable SMTP_PORT 1 0
check_variable SMTP_TLS 0 0
check_variable SMTP_FROM 1 0
check_variable SMTP_USER 1 0
check_variable SMTP_PASSWORD 1 0

# Don't exceed max verbosity.
[ "$CRON_VERBOSITY" -lt 0 ] && CRON_VERBOSITY=0
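Review bot: `check_variable SMTP_TLS 0 0` makes `SMTP_TLS` optional, but the msmtp block below emits `tls "$SMTP_TLS"` unconditionally whenever `SMTP_HOST` is set, so an empty `SMTP_TLS` produces a bare `tls` line in `/etc/msmtprc`; since the Dockerfile already defaults it to `on`, this should be `check_variable SMTP_TLS 0 1`. The comment `# Check all variables are defined` is also now inaccurate because half of the calls pass `MANDATORY=0`; reword it to say that mandatory variables are checked and `*_FILE` variants are resolved. Note as well that `CRON_ENTRYPOINT_PRE_DIR` changes from required (the removed `check_variable CRON_ENTRYPOINT_PRE_DIR` had no default) to optional (`0 0`); that matches the README's "Optional folder" but is a behaviour change the commit message should mention.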
Expand All @@ -76,6 +70,31 @@ if [ ! -f "$CRON_SPEC_FILE" ] ; then
exit 1
fi

# Create msmtp config if enabled.
if [ -n "$SMTP_HOST" ] ; then
echo "SMTP host set, configuring msmtp..."
{
echo account relay
echo tls "$SMTP_TLS"
echo host "$SMTP_HOST"
if [ -n "$SMTP_PORT" ] ; then
echo port "$SMTP_PORT"
fi
if [ -n "$SMTP_FROM" ] ; then
echo from "$SMTP_FROM"
fi
if [ -n "$SMTP_USER" ] ; then
echo auth on
echo user "$SMTP_USER"
echo password "$SMTP_PASSWORD"
fi
echo account default : relay
} > /etc/msmtprc
echo "Done: msmtp is configured in /etc/msmtprc"
else
echo "SMTP host not set, skipping msmtp configuration."
fi

# Move user home if it was changed since the image was built.
usermod -m -d "$CRON_USER_HOME" "$CRON_USER"

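Review bot: `} > /etc/msmtprc` creates the file with the entrypoint's default umask, so the `password` line is readable by every process in the container, including cron jobs running as `$CRON_USER` and anything started from `CRON_ENTRYPOINT_PRE_DIR`; add `chmod 640 /etc/msmtprc` and `chown root:"$CRON_USER_GID" /etc/msmtprc` right after the redirect so that root and the cron user's group (which still needs read access to send mail) are the only readers. A better fit for the secrets feature this commit introduces is msmtp's `passwordeval` directive, which reads the secret at send time (for example `passwordeval cat /run/secrets/smtp_password`) and keeps the password out of both the config file and the environment. Minor: `echo password "$SMTP_PASSWORD"` is emitted even when `SMTP_PASSWORD` is empty, which yields a `password` line with no argument; guard it with `[ -n "$SMTP_PASSWORD" ]`.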
