Sensitive Data
Configuration Refinement (Sensitive Data)
👉🏼 The Docker Compose YAML file automatically loads the values from the `.env` file if it is in the same directory as the `.yml` file. These values/variables can be passed to the Dockerfiles called by the YAML either as build arguments or as environment variables. For environment variables, all values from the `.env` file can be passed at once or one by one.

👉🏼 Values in the YAML file:

- Arguments (`build: args:`): pass `key=value` from the YAML file to the Dockerfile of the specific service/container, to be used only while the Docker image is built. Example: the Dockerfile.
  - The Dockerfile receives them via the `ARG` instruction.
  - Build-time values are visible to anyone holding the image through `docker history`, so `ARG` suits non-secret build inputs such as the certificate subject fields used below, not passwords.
- Environment variables (`environment`): pass `key=value` from the YAML file to the specific service/container, to be used as environment variables only at container runtime, after the Docker image is created. Example: Bash scripts, SQL scripts.
  - The Dockerfile can receive and redeclare them via the `ENV` instruction.
- Environment variables (`env_file`): pass every `key=value` from the file named in the YAML to the specific service/container, to be used as environment variables only at container runtime, after the Docker image is created. Example: Bash scripts, SQL scripts.
  - The Dockerfile can receive and redeclare them via the `ENV` instruction.
- Add the declaration that loads all content of the `.env` file as runtime environment variables for the WordPress service/container, so that the secondary `wp-install.sh` file called by the Dockerfile can use them, in the `docker-compose.yml` file:

```yaml
[...]
  wordpress:
    build: requirements/wordpress/.
    container_name: wordpress
    restart: on-failure
    depends_on:
      - mariadb
    networks:
      - inception
    expose:
      - "9000"
    volumes:
      - v_web:/var/www/html
    env_file:
      - .env
[...]
```
- Change the sensitive values used for the WordPress installation and profile creation so that they are replaced with environment variables in the `wp-install.sh` file for WordPress, as shown below (the expansions are double-quoted so that values containing spaces, such as a site title, stay a single argument):

```bash
#!/bin/bash
[...]
# Database connection: all values come from the .env file via env_file
./wp-cli.phar config create --dbname="${DB_NAME}" --dbuser="${DB_USER}" --dbpass="${DB_PASSWORD}" --dbhost="${DB_HOST}" --allow-root
# Site installation and administrator account
./wp-cli.phar core install --url="${WP_DOMAIN}" --title="${WP_TITLE}" --admin_user="${WP_ADMIN_USER}" --admin_password="${WP_ADMIN_PASSWORD}" --admin_email="${WP_ADMIN_EMAIL}" --allow-root
# Secondary (subscriber) account
./wp-cli.phar user create "${WP_GUEST_USER}" "${WP_GUEST_EMAIL}" --role=subscriber --user_pass="${WP_GUEST_PASSWORD}" --allow-root
[...]
```
- Add the declaration that loads all content of the `.env` file as runtime environment variables for the MariaDB service/container, to be used in the creation of the secondary `init.sql` file, in the `docker-compose.yml` file:

```yaml
[...]
  mariadb:
    build: requirements/mariadb/.
    container_name: mariadb
    restart: on-failure
    networks:
      - inception
    expose:
      - "3306"
    volumes:
      - v_db:/var/lib/mysql
    env_file:
      - .env
[...]
```
- Change the sensitive values for profile and database creation with MariaDB so that they are replaced with environment variables in the `init.sql` file for MariaDB, as shown below:

```sql
CREATE DATABASE IF NOT EXISTS ${DB_NAME};
CREATE USER IF NOT EXISTS '${DB_USER}'@'%' IDENTIFIED BY '${DB_PASSWORD}';
GRANT ALL PRIVILEGES ON *.* TO '${DB_USER}'@'%' IDENTIFIED BY '${DB_PASSWORD}' WITH GRANT OPTION;
FLUSH PRIVILEGES;
```
- Modify the content of the `init.sql` file and add it as `echo` commands in the `mariadb-run.sh` script, so that the script creates the `init.sql` file at the specified path using the Docker environment variables (a plain `.sql` file is never expanded by the shell, so the placeholders of the previous step only get their values this way), in the `mariadb-run.sh` file for MariaDB:

```bash
#!/bin/bash
# Generate init.sql at container start from the variables loaded from .env
echo "CREATE DATABASE IF NOT EXISTS $DB_NAME;" > /etc/mysql/init.sql
echo "CREATE USER IF NOT EXISTS '$DB_USER'@'%' IDENTIFIED BY '$DB_PASSWORD';" >> /etc/mysql/init.sql
echo "GRANT ALL PRIVILEGES ON *.* TO '$DB_USER'@'%' IDENTIFIED BY '$DB_PASSWORD' WITH GRANT OPTION;" >> /etc/mysql/init.sql
echo "FLUSH PRIVILEGES;" >> /etc/mysql/init.sql
sleep 5
mysql_install_db
mysqld
```
👉🏼 At this point, the `/conf/init.sql` file that existed earlier can be deleted.

- Remove the line that copied the `init.sql` file to the specified path inside the container, in the Dockerfile for MariaDB, as shown below:

```dockerfile
FROM debian:bullseye
RUN apt update && apt upgrade -y && apt install -y mariadb-server
COPY conf/50-server.cnf /etc/mysql/mariadb.conf.d/.
# Deleted line -> COPY conf/init.sql /etc/mysql/init.sql
RUN mkdir /run/mysqld
COPY tools/mariadb-run.sh .
RUN chmod +x ./mariadb-run.sh
ENTRYPOINT ["./mariadb-run.sh"]
```
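The two scripts above (`wp-install.sh` and `mariadb-run.sh`) expand `.env` variables straight into command lines and SQL. The following is an added example, not code from the Inception project, showing two checks a practitioner would put in front of that: it refuses to run when a required variable is unset or empty (instead of silently installing with an empty password), and it quotes values before interpolating them into the generated `init.sql`, so a password containing a single quote or a backslash does not break the statements. The function names (`require_env`, `sql_quote`, `render_init_sql`) and the sample values are this example's own, and it narrows the grant to the application database, which is this example's least-privilege choice rather than the page's `*.* WITH GRANT OPTION`.

```sh
#!/bin/sh
# Added example, not code from the Inception project. It adds two checks that
# wp-install.sh and mariadb-run.sh lack when they expand .env variables
# straight into command lines and SQL:
#   1. refuse to run when a required variable is unset or empty, rather than
#      silently installing with an empty password;
#   2. escape a value before interpolating it into SQL, so a password such as
#      it's'ok  does not break the generated init.sql.
# Function names (require_env, sql_quote, render_init_sql) are this example's own.

# Constructed sample values; in the project they arrive from .env via env_file.
DB_NAME=wordpress
DB_USER=wp_user
DB_PASSWORD="it's'ok"
export DB_NAME DB_USER DB_PASSWORD

# require_env NAME... : returns 0 if every named variable is set and non-empty,
# otherwise lists the missing names on stderr and returns 1.
require_env() {
    missing=""
    for name in "$@"; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing required variables:$missing" >&2
        return 1
    fi
    return 0
}

# sql_quote VALUE : print VALUE as a single-quoted SQL string literal, doubling
# embedded single quotes (the SQL escape) and backslashes (MariaDB's default
# string escape character).
sql_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")"
}

# render_init_sql : print the statements mariadb-run.sh writes to
# /etc/mysql/init.sql. DB_NAME is an identifier, not a string literal, so it is
# validated instead of quoted. The grant is narrowed to the application
# database (this example's choice; the page grants *.* WITH GRANT OPTION).
render_init_sql() {
    case "$DB_NAME" in
        ""|*[!A-Za-z0-9_]*) echo "invalid DB_NAME: $DB_NAME" >&2; return 1 ;;
    esac
    user=$(sql_quote "$DB_USER")
    pass=$(sql_quote "$DB_PASSWORD")
    printf '%s\n' \
        "CREATE DATABASE IF NOT EXISTS $DB_NAME;" \
        "CREATE USER IF NOT EXISTS $user@'%' IDENTIFIED BY $pass;" \
        "GRANT ALL PRIVILEGES ON $DB_NAME.* TO $user@'%';" \
        "FLUSH PRIVILEGES;"
}

# Usage as mariadb-run.sh would: validate first, then generate the file
# (redirect to /etc/mysql/init.sql inside the container; printed here).
if require_env DB_NAME DB_USER DB_PASSWORD; then
    render_init_sql
fi
```

In the real `mariadb-run.sh` the `render_init_sql` output would be redirected to `/etc/mysql/init.sql` in place of the four `echo` lines, and `require_env` would run before `wp-cli.phar` in `wp-install.sh` with the `WP_*` names added to its argument list.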
- Add the declaration that passes some contents of the `.env` file as build-time arguments, to be used in the creation of the secondary `ssl` certificate files and the server configuration in `nginx.conf`, for the NGINX service/container, in the `docker-compose.yml` file:

```yaml
[...]
  nginx:
    build:
      context: requirements/nginx/.
      args:
        - CRED_PATH
        - CRED_CERT
        - CRED_KEY
        - COUNTRY
        - STATE
        - LOCALITY
        - ORGANIZATION
        - ORG_UNIT
        - COMMON_NAME
    container_name: nginx
    restart: on-failure
    depends_on:
      - wordpress
    networks:
      - inception
    ports:
      - "443:443"
    volumes:
      - v_web:/var/www/html
[...]
```
- Add the command that receives the arguments passed by the YAML file so that they can be used internally, in the Dockerfile for NGINX, as shown below:

```dockerfile
FROM debian:bullseye
ARG CRED_PATH CRED_CERT CRED_KEY COUNTRY STATE LOCALITY ORGANIZATION ORG_UNIT COMMON_NAME
RUN apt update && apt upgrade -y && apt install -y nginx openssl
RUN mkdir -p ${CRED_PATH}
RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${CRED_PATH}/${CRED_KEY} -out ${CRED_PATH}/${CRED_CERT} -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGANIZATION}/OU=${ORG_UNIT}/CN=${COMMON_NAME}"
COPY conf/nginx.conf /etc/nginx/sites-available/default
ENTRYPOINT ["nginx", "-g", "daemon off;"]
```
- Modify the sensitive values for the SSL certificate storage directory, all the data needed to create the certificate, and the final certificate files, so that they are replaced with the build arguments in the Dockerfile for NGINX, as shown below:

```dockerfile
FROM debian:bullseye
ARG CRED_PATH CRED_CERT CRED_KEY COUNTRY STATE LOCALITY ORGANIZATION ORG_UNIT COMMON_NAME
RUN apt update && apt upgrade -y && apt install -y nginx openssl
RUN mkdir -p ${CRED_PATH}
RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${CRED_PATH}/${CRED_KEY} -out ${CRED_PATH}/${CRED_CERT} -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGANIZATION}/OU=${ORG_UNIT}/CN=${COMMON_NAME}"
COPY conf/nginx.conf /etc/nginx/sites-available/default
ENTRYPOINT ["nginx", "-g", "daemon off;"]
```
- Modify the sensitive values for the SSL certificate files and the server/domain name of the site so that they are replaced with variables in the `nginx.conf` configuration file for NGINX:

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate ${CRED_PATH}/${CRED_CERT};       # Value before: /etc/nginx/certs/nginx-selfsigned.crt;
ssl_certificate_key ${CRED_PATH}/${CRED_KEY};    # Value before: /etc/nginx/certs/nginx-selfsigned.key;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
server_name ${COMMON_NAME};                      # Value before: ivbatist.42.fr;
```
- Change the copy command for the `conf/nginx.conf` file, which previously went directly to NGINX's final configuration directory, so that it copies the file to a temporary `/tmp` directory instead; that copy is used while the masked values are substituted, before the result is written to the final directory, in the Dockerfile for NGINX, as shown below:

```dockerfile
FROM debian:bullseye
ARG CRED_PATH CRED_CERT CRED_KEY COUNTRY STATE LOCALITY ORGANIZATION ORG_UNIT COMMON_NAME
RUN apt update && apt upgrade -y && apt install -y nginx openssl
RUN mkdir -p ${CRED_PATH}
RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${CRED_PATH}/${CRED_KEY} -out ${CRED_PATH}/${CRED_CERT} -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGANIZATION}/OU=${ORG_UNIT}/CN=${COMMON_NAME}"
COPY conf/nginx.conf ./tmp/nginx.conf
# Line before -> COPY conf/nginx.conf /etc/nginx/sites-available/default
ENTRYPOINT ["nginx", "-g", "daemon off;"]
```
- Add the command that replaces the masked data in the `nginx.conf` file with the values of the variables received from the YAML file, in the Dockerfile for NGINX, as shown below. The quoted list given to `envsubst` limits the substitution to those four names; without it, `envsubst` would also replace NGINX's own `$host`-style variables with empty strings:

```dockerfile
FROM debian:bullseye
ARG CRED_PATH CRED_CERT CRED_KEY COUNTRY STATE LOCALITY ORGANIZATION ORG_UNIT COMMON_NAME
RUN apt update && apt upgrade -y && apt install -y nginx openssl
RUN mkdir -p ${CRED_PATH}
RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${CRED_PATH}/${CRED_KEY} -out ${CRED_PATH}/${CRED_CERT} -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGANIZATION}/OU=${ORG_UNIT}/CN=${COMMON_NAME}"
COPY conf/nginx.conf ./tmp/nginx.conf
# Line before -> COPY conf/nginx.conf /etc/nginx/sites-available/default
RUN envsubst '$CRED_PATH $CRED_KEY $CRED_CERT $COMMON_NAME' < /tmp/nginx.conf > /etc/nginx/sites-available/default
ENTRYPOINT ["nginx", "-g", "daemon off;"]
```
- Add the command to install the package that provides the `envsubst` command (`gettext-base`) in the NGINX Docker container, as shown below:

```dockerfile
FROM debian:bullseye
ARG CRED_PATH CRED_CERT CRED_KEY COUNTRY STATE LOCALITY ORGANIZATION ORG_UNIT COMMON_NAME
RUN apt update && apt upgrade -y && apt install -y nginx openssl gettext-base
RUN mkdir -p ${CRED_PATH}
RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${CRED_PATH}/${CRED_KEY} -out ${CRED_PATH}/${CRED_CERT} -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGANIZATION}/OU=${ORG_UNIT}/CN=${COMMON_NAME}"
COPY conf/nginx.conf ./tmp/nginx.conf
RUN envsubst '$CRED_PATH $CRED_KEY $CRED_CERT $COMMON_NAME' < /tmp/nginx.conf > /etc/nginx/sites-available/default
ENTRYPOINT ["nginx", "-g", "daemon off;"]
```
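The NGINX steps above depend on `envsubst` replacing only the four listed names in `nginx.conf`. The following is an added example, not code from the Inception project, that reproduces that allow-listed substitution with `sed` (so it runs where `gettext-base` is not installed) and adds the check a practitioner would run on the rendered file: every listed placeholder is gone, and NGINX's own runtime variables such as `$host` and `$document_root` are untouched. The template, the sample values and the function names (`render_conf`, `unresolved_count`) are this example's own; it assumes placeholders use the `${NAME}` form, as in the page's `nginx.conf`, and that values contain no `|` or `&`.

```sh
#!/bin/sh
# Added example, not code from the Inception project. It reproduces the
# allow-listed substitution the page relies on in
#   envsubst '$CRED_PATH $CRED_KEY $CRED_CERT $COMMON_NAME' < /tmp/nginx.conf
# and adds a check that no listed placeholder survived rendering. Only the
# named variables are replaced, which is what keeps nginx's own runtime
# variables ($host, $document_root, ...) intact; envsubst with no list would
# blank them. Implemented with sed so it runs without gettext-base.
# Assumptions: placeholders use the ${NAME} form, as in the page's nginx.conf,
# and values contain no '|' or '&'. Function names are this example's own.

# Constructed sample values; in the project they come from .env via build args.
CRED_PATH=/etc/nginx/ssl
CRED_CERT=inception.crt
CRED_KEY=inception.key
COMMON_NAME=login.42.fr
export CRED_PATH CRED_CERT CRED_KEY COMMON_NAME

# Constructed template mirroring the page's nginx.conf fragment, plus two lines
# that use nginx's own variables and must survive rendering unchanged.
TEMPLATE='ssl_certificate ${CRED_PATH}/${CRED_CERT};
ssl_certificate_key ${CRED_PATH}/${CRED_KEY};
server_name ${COMMON_NAME};
proxy_set_header Host $host;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;'

# render_conf TEXT "NAME1 NAME2 ..." : print TEXT with every ${NAMEn} replaced
# by the value of the environment variable NAMEn; nothing else is touched.
render_conf() {
    text=$1
    for name in $2; do
        eval "value=\${$name}"
        text=$(printf '%s\n' "$text" | sed "s|\\\${$name}|$value|g")
    done
    printf '%s\n' "$text"
}

# unresolved_count TEXT "NAME1 NAME2 ..." : number of lines of TEXT that still
# carry a listed placeholder, summed over the names (0 means fully rendered).
unresolved_count() {
    count=0
    for name in $2; do
        n=$(printf '%s\n' "$1" | grep -c -F "\${$name}" || true)
        count=$((count + n))
    done
    echo "$count"
}

VARS="CRED_PATH CRED_CERT CRED_KEY COMMON_NAME"
RENDERED=$(render_conf "$TEMPLATE" "$VARS")
printf '%s\n' "$RENDERED"
echo "unresolved placeholders: $(unresolved_count "$RENDERED" "$VARS")"
```

Inside the image build the same check can follow the `envsubst` line: a non-zero count of leftover `${CRED_...}` placeholders means a build argument was not passed from `docker-compose.yml`, and NGINX would otherwise fail at start-up with a missing certificate path.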
👉🏼 After these steps are finalised, the only task left is to create the directories that store the persistent volumes, a process that must be automated during Makefile execution.

👉🏼 It will also be necessary to create the `.env` file that stores the environment variables, so that the project can run autonomously.