Harden Docker service credential setup
parent
17054e3f26
commit
678d4bfb1e
9 changed files with 255 additions and 9 deletions
|
|
@ -11,6 +11,10 @@ function New-HexSecret {
|
|||
return -join ($bytes | ForEach-Object { $_.ToString('x2') })
|
||||
}
|
||||
|
||||
function New-MinioRootUser {
|
||||
return "dograh$((New-HexSecret).Substring(0, 12))"
|
||||
}
|
||||
|
||||
function Get-DotEnvValue {
|
||||
param(
|
||||
[string]$Path,
|
||||
|
|
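Review bot: New-MinioRootUser hard-codes a `dograh` prefix and a 12-character slice of New-HexSecret with no explanation, and `Substring(0, 12)` will throw if New-HexSecret is ever shortened below 12 hex characters (its byte count is set outside this hunk, where the function begins). A one-line comment above the return would make intent and constraint explicit: `# Fixed prefix + 12 hex chars (48 bits): the root user is an identifier, not a secret; presumably within MinIO's user-name length limits — confirm.`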
@ -60,6 +64,84 @@ function Set-DotEnvValue {
|
|||
[System.IO.File]::WriteAllLines((Join-Path (Get-Location) $Path), $lines, $Utf8NoBom)
|
||||
}
|
||||
|
||||
function Get-PostgresVolumeName {
|
||||
try {
|
||||
$configJson = docker compose config --format json 2>$null
|
||||
if ($LASTEXITCODE -eq 0 -and -not [string]::IsNullOrEmpty($configJson)) {
|
||||
$config = $configJson | ConvertFrom-Json
|
||||
$volumeName = $config.volumes.postgres_data.name
|
||||
if (-not [string]::IsNullOrEmpty($volumeName)) {
|
||||
return $volumeName
|
||||
}
|
||||
}
|
||||
} catch {
|
||||
# Fall back to Compose's default project-name convention below.
|
||||
}
|
||||
|
||||
$projectName = if ([string]::IsNullOrEmpty($env:COMPOSE_PROJECT_NAME)) {
|
||||
(Split-Path -Leaf (Get-Location).Path).ToLowerInvariant() -replace '[^a-z0-9_-]', ''
|
||||
} else {
|
||||
$env:COMPOSE_PROJECT_NAME.ToLowerInvariant() -replace '[^a-z0-9_-]', ''
|
||||
}
|
||||
|
||||
return "${projectName}_postgres_data"
|
||||
}
|
||||
|
||||
function Test-DockerVolumeExists {
|
||||
param([string]$Name)
|
||||
|
||||
docker volume inspect $Name *> $null
|
||||
return $LASTEXITCODE -eq 0
|
||||
}
|
||||
|
||||
function Wait-PostgresReady {
|
||||
for ($attempt = 0; $attempt -lt 20; $attempt++) {
|
||||
docker compose exec -T postgres pg_isready -U postgres *> $null
|
||||
if ($LASTEXITCODE -eq 0) {
|
||||
return
|
||||
}
|
||||
Start-Sleep -Seconds 1
|
||||
}
|
||||
|
||||
Write-Error 'Postgres did not become ready while syncing POSTGRES_PASSWORD.'
|
||||
exit 1
|
||||
}
|
||||
|
||||
function Sync-PostgresPassword {
|
||||
param([string]$Password)
|
||||
|
||||
if ([string]::IsNullOrEmpty($Password)) {
|
||||
return
|
||||
}
|
||||
|
||||
$volumeName = Get-PostgresVolumeName
|
||||
if ([string]::IsNullOrEmpty($volumeName) -or -not (Test-DockerVolumeExists $volumeName)) {
|
||||
return
|
||||
}
|
||||
|
||||
Write-Host "Existing Postgres volume detected; syncing postgres password from $EnvFile."
|
||||
$env:REGISTRY = $Registry
|
||||
$env:ENABLE_TELEMETRY = $EnableTelemetry
|
||||
docker compose up -d postgres
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
exit $LASTEXITCODE
|
||||
}
|
||||
|
||||
Wait-PostgresReady
|
||||
|
||||
"ALTER USER postgres WITH PASSWORD :'dograh_password';" | docker compose exec -T postgres psql `
|
||||
-U postgres `
|
||||
-d postgres `
|
||||
-v 'ON_ERROR_STOP=1' `
|
||||
-v "dograh_password=$Password" > $null
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
Write-Error 'Failed to sync POSTGRES_PASSWORD with the existing Postgres volume.'
|
||||
exit $LASTEXITCODE
|
||||
}
|
||||
|
||||
Write-Host 'Postgres password synced.'
|
||||
}
|
||||
|
||||
if (-not (Test-Path 'docker-compose.yaml')) {
|
||||
Write-Error 'docker-compose.yaml not found. Download it first, then re-run this script.'
|
||||
exit 1
|
||||
|
|
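Review bot: In Sync-PostgresPassword the password is handed to psql as the argument `-v "dograh_password=$Password"`, so it sits in the docker CLI's argument list on the host and is visible to any process-listing or audit tooling that records command lines, even though the SQL itself is built safely via `:'dograh_password'`. psql can take the variable on stdin instead: prepend a `\set` line to the piped script, escaping backslashes and single quotes first, since psql applies C-style backslash escapes inside single-quoted meta-command arguments. A secondary point in Get-PostgresVolumeName: `$configJson | ConvertFrom-Json` feeds the compose output line by line, which Windows PowerShell 5.1 parses per line and fails on, so the lookup would silently fall into the catch there; `($configJson -join [Environment]::NewLine) | ConvertFrom-Json` avoids that, though I have not checked which PowerShell versions the installer targets.
```powershell
    Wait-PostgresReady

    # psql single-quoted meta-command strings take C-style backslash escapes,
    # so escape the two characters that could break out of the quotes.
    $escaped = $Password.Replace('\', '\\').Replace("'", "\'")
    @(
        "\set dograh_password '$escaped'"
        "ALTER USER postgres WITH PASSWORD :'dograh_password';"
    ) -join "`n" | docker compose exec -T postgres psql `
        -U postgres `
        -d postgres `
        -v 'ON_ERROR_STOP=1' > $null
    # … unchanged: $LASTEXITCODE check and success message …
```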
@ -95,6 +177,34 @@ if ([string]::IsNullOrEmpty($existingRedisPassword)) {
|
|||
Write-Host "REDIS_PASSWORD is already set in $EnvFile."
|
||||
}
|
||||
|
||||
$existingMinioRootUser = Get-DotEnvValue -Path $EnvFile -Key 'MINIO_ROOT_USER'
|
||||
if ([string]::IsNullOrEmpty($existingMinioRootUser)) {
|
||||
$existingMinioAccessKey = Get-DotEnvValue -Path $EnvFile -Key 'MINIO_ACCESS_KEY'
|
||||
if ([string]::IsNullOrEmpty($existingMinioAccessKey)) {
|
||||
Set-DotEnvValue -Path $EnvFile -Key 'MINIO_ROOT_USER' -Value (New-MinioRootUser)
|
||||
Write-Host "Created MINIO_ROOT_USER in $EnvFile."
|
||||
} else {
|
||||
Set-DotEnvValue -Path $EnvFile -Key 'MINIO_ROOT_USER' -Value $existingMinioAccessKey
|
||||
Write-Host "Created MINIO_ROOT_USER in $EnvFile from existing MINIO_ACCESS_KEY."
|
||||
}
|
||||
} else {
|
||||
Write-Host "MINIO_ROOT_USER is already set in $EnvFile."
|
||||
}
|
||||
|
||||
$existingMinioRootPassword = Get-DotEnvValue -Path $EnvFile -Key 'MINIO_ROOT_PASSWORD'
|
||||
if ([string]::IsNullOrEmpty($existingMinioRootPassword)) {
|
||||
$existingMinioSecretKey = Get-DotEnvValue -Path $EnvFile -Key 'MINIO_SECRET_KEY'
|
||||
if ([string]::IsNullOrEmpty($existingMinioSecretKey)) {
|
||||
Set-DotEnvValue -Path $EnvFile -Key 'MINIO_ROOT_PASSWORD' -Value (New-HexSecret)
|
||||
Write-Host "Created MINIO_ROOT_PASSWORD in $EnvFile."
|
||||
} else {
|
||||
Set-DotEnvValue -Path $EnvFile -Key 'MINIO_ROOT_PASSWORD' -Value $existingMinioSecretKey
|
||||
Write-Host "Created MINIO_ROOT_PASSWORD in $EnvFile from existing MINIO_SECRET_KEY."
|
||||
}
|
||||
} else {
|
||||
Write-Host "MINIO_ROOT_PASSWORD is already set in $EnvFile."
|
||||
}
|
||||
|
||||
Write-Host ''
|
||||
Write-Host "Docker registry: $Registry"
|
||||
Write-Host "Telemetry enabled: $EnableTelemetry"
|
||||
|
|
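Review bot: The migration branch `Set-DotEnvValue -Path $EnvFile -Key 'MINIO_ROOT_PASSWORD' -Value $existingMinioSecretKey` carries a legacy MINIO_SECRET_KEY into the new root password without looking at it, so an env file that still holds MinIO's stock `minioadmin` secret (or a value shorter than the 8 characters MinIO requires for a root password, if I recall that limit correctly) is preserved rather than hardened. A one-line guard before the copy would at least tell the operator: `if ($existingMinioSecretKey -eq 'minioadmin' -or $existingMinioSecretKey.Length -lt 8) { Write-Warning "MINIO_SECRET_KEY looks like a default or too-short value; rotate MINIO_ROOT_PASSWORD after this run." }`. Separately, the MINIO_ROOT_USER and MINIO_ROOT_PASSWORD blocks are the same control flow with different keys, generator and messages; a small helper taking `-Key`, `-LegacyKey` and a generator scriptblock would keep the two in step.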
@ -111,6 +221,7 @@ if ($answer -match '^[Nn]') {
|
|||
|
||||
$env:REGISTRY = $Registry
|
||||
$env:ENABLE_TELEMETRY = $EnableTelemetry
|
||||
Sync-PostgresPassword -Password (Get-DotEnvValue -Path $EnvFile -Key 'POSTGRES_PASSWORD')
|
||||
docker compose up --pull always
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
exit $LASTEXITCODE
|
||||
|
|
|
|||
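Review bot: The new `Sync-PostgresPassword -Password (...)` call carries no comment on why a password that is already in .env has to be pushed into the database, which is the non-obvious part of this change; I would add above it `# POSTGRES_PASSWORD in .env only seeds a fresh volume; an existing volume keeps the password it was initialised with, so push the .env value into it before the full stack starts.` The function also re-assigns `$env:REGISTRY` and `$env:ENABLE_TELEMETRY` internally, duplicating the two lines immediately before the call, so one of the two copies could go. This is top-level script code; the prompt handling it follows begins before the hunk.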