Use secret seed for internal database passwords
Getting root-only read permissions into the Postgres image would
be tricky because of how its init script works. But it isn't exposed to
the outside anyway.
diff --git a/keycloak/docker/entrypoint b/keycloak/docker/entrypoint
index 772add0..5f3454d 100644
--- a/keycloak/docker/entrypoint
+++ b/keycloak/docker/entrypoint
@@ -2,20 +2,11 @@
set -e
-{
- db_secret=/tmp/passwd/db/secret
-
- i=0
- while [ -z "$(cat ${db_secret} 2>/dev/null)" ]; do
- if [ ${i} -eq 10 ]; then
- echo "ERROR: No password file after ${i}s."
- exit 1
- fi
- sleep 1
- i=$((i+1))
- done
-
- export KC_DB_PASSWORD=$(cat ${db_secret})
+secret() {
+ seed=$(cat /run/secrets/seed)
+ printf "%s:%40s" "${seed}" "$*" | sha256sum | sed 's/[[:space:]].*//'
}
-exec /opt/keycloak/bin/kc.sh "$@"
+export KC_DB_PASSWORD=$(secret db:keycloak)
+
+exec setpriv --reuid=keycloak --regid=root --init-groups --inh-caps=-all /opt/keycloak/bin/kc.sh "$@"
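Review bot: A missing or empty /run/secrets/seed is not fatal on the new side: `cat` fails inside the command substitution on the `seed=` line, but `export KC_DB_PASSWORD=$(secret db:keycloak)` reports the status of `export` itself, so `set -e` never fires and Keycloak starts with a password derived from a known, fixed input (the hash of the padded label with an empty seed). Make the read fail loudly: in `secret()` use `seed=$(cat /run/secrets/seed) && [ -n "${seed}" ] || return 1`, and at the call site separate the assignment from the export, `KC_DB_PASSWORD=$(secret db:keycloak) || exit 1` followed by `export KC_DB_PASSWORD`. The removed code had the same `export VAR=$(...)` masking, but its wait loop at least refused to continue on an empty file, so this is a regression in fail-closed behaviour. Separately, `--regid=root` on the `setpriv` line keeps the process in the root group; if the image's file ownership does not require it, `--regid=keycloak` would be the tighter choice. The hunk header counts three more lines than are shown, so the hunk likely continues past the `exec` line.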