Use secret seed for internal mail passwords
diff --git a/gerrit/Dockerfile.entrypoint b/gerrit/Dockerfile.entrypoint
index 3aa8ae1..7079792 100644
--- a/gerrit/Dockerfile.entrypoint
+++ b/gerrit/Dockerfile.entrypoint
@@ -2,8 +2,15 @@
set -e
+secret() {
+ seed=$(cat /run/secrets/seed)
+ printf "%s:%40s" "${seed}" "$*" | sha256sum | sed 's/[[:space:]].*//'
+}
+
+export GERRIT_MAIL_PASSWORD=$(secret mail:gerrit)
+
# Allows us to bind mount arbitrary owned files
-chown -R gerrit:gerrit /var/gerrit/{logs,etc,db,git,index,cache,passwd}/
+chown -R gerrit:gerrit /var/gerrit/{logs,etc,db,git,index,cache}/
# Drop privileges as we set `USER root` only to change file permissions
exec setpriv --reuid=gerrit --regid=gerrit --init-groups --inh-caps=-all /unprivileged.sh "$@"
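Review bot: A missing or empty /run/secrets/seed does not stop the entrypoint: in `export GERRIT_MAIL_PASSWORD=$(secret mail:gerrit)` the status of the command substitution is discarded by `export`, and bash by default does not apply `set -e` inside the substitution, so `secret` would hash an empty seed and produce a password that can be recomputed from the label alone. Make the failure explicit with `seed=$(cat /run/secrets/seed) && [ -n "${seed}" ] || return 1` inside the function, and split the assignment into `GERRIT_MAIL_PASSWORD=$(secret mail:gerrit)` followed by `export GERRIT_MAIL_PASSWORD` so that `set -e` sees the status. The shebang is above the hunk; the brace expansion in the chown line suggests bash. Because each derived password is a plain SHA-256 over the seed and a label, the seed has to be a long random value, otherwise one disclosed password permits an offline guess of the seed and with it every other derived password.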
diff --git a/gerrit/Dockerfile.entrypoint-unprivileged b/gerrit/Dockerfile.entrypoint-unprivileged
index 159860a..1771d81 100644
--- a/gerrit/Dockerfile.entrypoint-unprivileged
+++ b/gerrit/Dockerfile.entrypoint-unprivileged
@@ -20,24 +20,13 @@
git config -f ${config} --add auth.trustedOpenID github-oauth:
fi
-secret=/var/gerrit/passwd/secret
-
-{
- if [ ! -f ${secret} ]; then
- echo $(mktemp -u XXXXXXXXXXXXXXXX) >${secret}
- fi
- chmod 400 ${secret}
-}
-
-if [ "${GERRIT_USER_EMAIL}" ]; then
- passwd=$(cat ${secret})
-
+if [ "${GERRIT_USER_EMAIL}" -a "${GERRIT_MAIL_PASSWORD}" ]; then
git config -f ${config} user.email ${GERRIT_USER_EMAIL}
git config -f ${config} sendemail.smtpServer mail.${SA_PUBLIC_DOMAIN_NAME}
git config -f ${config} sendemail.smtpServerPort 465
git config -f ${config} sendemail.smtpEncryption ssl
git config -f ${config} sendemail.smtpUser ${GERRIT_USER_EMAIL}
- git config -f ${config} sendemail.smtpPass ${passwd}
+ git config -f ${config} sendemail.smtpPass ${GERRIT_MAIL_PASSWORD}
git config -f ${config} sendemail.html false
fi
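Review bot: The exported GERRIT_MAIL_PASSWORD is copied into `${config}` on the new smtpPass line but never cleared, so it presumably remains in the environment of whatever this script starts afterwards, where the same user can read it from /proc/<pid>/environ; if nothing later in the script needs it, add `unset GERRIT_MAIL_PASSWORD` after the `fi`. The new test uses `-a`, which POSIX marks obsolescent and which is ambiguous for some operand values; `if [ -n "${GERRIT_USER_EMAIL}" ] && [ -n "${GERRIT_MAIL_PASSWORD}" ]; then` is the safer form, and the expansion on the smtpPass line should be quoted as `"${GERRIT_MAIL_PASSWORD}"`. An empty password now skips the whole mail setup silently, so a line on stderr in that case would make a missing seed visible. The rest of the script is outside this hunk, so the permissions on `${config}`, which now holds the password in clear text, cannot be checked from here.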