Use secret seed for internal database passwords

Getting root-only read permissions into the Postgres image would
be tricky because of the way its init script works. But the Postgres
image isn't exposed to the outside anyway.
diff --git a/keycloak/docker/Dockerfile b/keycloak/docker/Dockerfile
index 84c07dd..e38782f 100644
--- a/keycloak/docker/Dockerfile
+++ b/keycloak/docker/Dockerfile
@@ -14,14 +14,19 @@
 RUN /opt/keycloak/bin/kc.sh build
 
 
+FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
+RUN dnf install --releasever 9 --setopt install_weak_deps=false --nodocs -y util-linux
+
+
 FROM quay.io/keycloak/keycloak:${KC_TAG}
 
 COPY --from=builder /opt/keycloak/ /opt/keycloak/
+COPY --from=ubi-micro-build /usr/lib64/libcap-ng.so.0* /usr/lib64/
+COPY --from=ubi-micro-build /usr/bin/setpriv /usr/bin
 
 USER root
 COPY entrypoint /sa-entrypoint
 RUN chmod 544 /sa-entrypoint
 
-USER keycloak
 ENTRYPOINT ["/bin/sh", "/sa-entrypoint"]
 CMD ["start", "--optimized"]
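Review bot: The new `ubi-micro-build` stage starts from an untagged `registry.access.redhat.com/ubi9` and installs `util-linux` without a version, so the `setpriv` binary and the `libcap-ng.so.0*` files copied into the final stage can change from build to build independently of `${KC_TAG}`; pin both, e.g. `FROM registry.access.redhat.com/ubi9:<pinned-tag> AS ubi-micro-build` and `util-linux-<pinned-version>` (placeholders). Whether `setpriv` needs any shared object beyond `libcap-ng` that the keycloak image lacks cannot be told from here, so a quick `setpriv --version` in the final stage (or a comment stating it was checked) would settle it. A comment above the stage would help the next reader, e.g. `# setpriv (util-linux) is used by /sa-entrypoint to drop root; presumably absent from the keycloak image`. With `USER keycloak` removed the image itself now starts as root and the drop depends entirely on `/sa-entrypoint` running, so an overridden entrypoint or `docker exec` gets root; that is worth stating in a comment next to `USER root`.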
diff --git a/keycloak/docker/entrypoint b/keycloak/docker/entrypoint
index 772add0..5f3454d 100644
--- a/keycloak/docker/entrypoint
+++ b/keycloak/docker/entrypoint
@@ -2,20 +2,11 @@
 
 set -e
 
-{
-    db_secret=/tmp/passwd/db/secret
-
-    i=0
-    while [ -z "$(cat ${db_secret} 2>/dev/null)" ]; do
-        if [ ${i} -eq 10 ]; then
-            echo "ERROR: No password file after ${i}s."
-            exit 1
-        fi
-        sleep 1
-        i=$((i+1))
-    done
-
-    export KC_DB_PASSWORD=$(cat ${db_secret})
+secret() {
+    seed=$(cat /run/secrets/seed)
+    printf "%s:%40s" "${seed}" "$*" | sha256sum | sed 's/[[:space:]].*//'
 }
 
-exec /opt/keycloak/bin/kc.sh "$@"
+export KC_DB_PASSWORD=$(secret db:keycloak)
+
+exec setpriv --reuid=keycloak --regid=root --init-groups --inh-caps=-all /opt/keycloak/bin/kc.sh "$@"
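Review bot: `secret()` has no guard for a missing or empty `/run/secrets/seed`, and unlike the removed wait loop the script no longer fails in that case: depending on whether `set -e` reaches the command substitution, `KC_DB_PASSWORD` becomes either empty or the hash of an empty seed, both of which are predictable. Add before the export `[ -s /run/secrets/seed ] || { echo "ERROR: /run/secrets/seed is missing or empty." >&2; exit 1; }`. `set -e` cannot catch a failure inside `export KC_DB_PASSWORD=$(secret db:keycloak)` because the line's status is `export`'s, not the substitution's; `KC_DB_PASSWORD=$(secret db:keycloak); export KC_DB_PASSWORD` keeps the failure visible. The derivation deserves a comment, e.g. `# derived deterministically from the shared seed and a per-database label; the Postgres side presumably derives the same value`. Consider also `--no-new-privs` on the `setpriv` line so the dropped privileges cannot be regained through setuid binaries.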