Use secret seed for internal database passwords
Giving the Postgres image root-only read permissions would be
tricky because of the way its init scripts work. But it isn't
exposed to the outside anyway.
diff --git a/postgres/docker/entrypoint b/postgres/docker/entrypoint
index 1782d31..be591bc 100644
--- a/postgres/docker/entrypoint
+++ b/postgres/docker/entrypoint
@@ -2,16 +2,7 @@
set -e
+# This master password won't be known to anyone
export POSTGRES_PASSWORD=$(mktemp -u XXXXXXXXXXXXXXXX)
-kc_secret=/tmp/passwd/keycloak/secret
-{
- if [ ! -f ${kc_secret} ]; then
- mkdir -p $(dirname ${kc_secret})
- echo $(mktemp -u XXXXXXXXXXXXXXXX) >${kc_secret}
- fi
- chown root:postgres ${kc_secret}
- chmod 444 ${kc_secret}
-}
-
exec docker-entrypoint.sh "$@"
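Review bot: The new comment above `export POSTGRES_PASSWORD` overstates the guarantee: the value is exported into the environment of `docker-entrypoint.sh` and every process it spawns, so it is readable from `/proc/<pid>/environ` by anything running in the container as the same user or as root, and as far as I know the official image consumes it only when the data directory is first initialised, with later starts regenerating an unused value. Because `export` wraps the substitution, a failing `mktemp` would also not trip `set -e` and an empty password would be exported. I would reword the comment to `# Throwaway superuser password: consumed only on first initdb, regenerated unused on later starts; it stays in the process environment` and split the line into `POSTGRES_PASSWORD=$(mktemp -u XXXXXXXXXXXXXXXX)` followed by `export POSTGRES_PASSWORD`.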
diff --git a/postgres/init.sh b/postgres/init.sh
index 6ef8e46..a39f33d 100755
--- a/postgres/init.sh
+++ b/postgres/init.sh
@@ -2,12 +2,17 @@
set -e
-{
- kc_secret=/tmp/passwd/keycloak/secret
- kc_password=$(cat ${kc_secret})
+secret() {
+ seed=$(cat /run/secrets/seed)
+ printf "%s:%40s" "${seed}" "$*" | sha256sum | sed 's/[[:space:]].*//'
+}
+add_user_db() {
+ user="$1"
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
- CREATE USER keycloak WITH ENCRYPTED PASSWORD '${kc_password}';
- CREATE DATABASE keycloak WITH ENCODING='UTF8' OWNER keycloak;
+ CREATE USER ${user} WITH ENCRYPTED PASSWORD '$(secret db:${user})';
+ CREATE DATABASE ${user} WITH ENCODING='UTF8' OWNER ${user};
EOSQL
}
+
+add_user_db keycloak
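Review bot: If `/run/secrets/seed` is missing or unreadable, `secret` silently yields a predictable password: `seed=$(cat /run/secrets/seed)` runs inside the `$(secret db:${user})` substitution in the heredoc, where bash does not inherit `errexit` by default, so `printf` continues with an empty seed and the user is created with `sha256(":" + padded label)`, derivable from the public label alone. Even with errexit inherited the substitution would just expand to `''` and psql would still run. The derivation should happen in `add_user_db` as a plain assignment before `psql`, where a failed or empty result aborts under `set -e`, and `secret` should refuse an empty seed; a `set -o pipefail` next to `set -e` would additionally catch a `sha256sum` failure hidden by the trailing `sed` (assuming the shebang, which is outside this hunk, is bash). The `${user}` value is also spliced unquoted into the SQL identifiers, which is acceptable only while the sole caller passes the fixed `keycloak`.
```shell
secret() {
  local seed
  seed=$(cat /run/secrets/seed) || return 1
  [ -n "${seed}" ] || return 1
  printf "%s:%40s" "${seed}" "$*" | sha256sum | sed 's/[[:space:]].*//'
}
add_user_db() {
  local user="$1" password
  # Derive before psql so a missing or empty seed aborts the script under set -e
  password=$(secret "db:${user}")
  psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
  CREATE USER ${user} WITH ENCRYPTED PASSWORD '${password}';
  CREATE DATABASE ${user} WITH ENCODING='UTF8' OWNER ${user};
  EOSQL
}
```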