Use secret seed for internal database passwords
Restricting the secret to root-only read permissions inside the Postgres image would
be tricky because of how its init scripts run. But it isn't exposed to
the outside anyway.
diff --git a/postgres/init.sh b/postgres/init.sh
index 6ef8e46..a39f33d 100755
--- a/postgres/init.sh
+++ b/postgres/init.sh
@@ -2,12 +2,17 @@
set -e
-{
- kc_secret=/tmp/passwd/keycloak/secret
- kc_password=$(cat ${kc_secret})
+secret() {
+ seed=$(cat /run/secrets/seed)
+ printf "%s:%40s" "${seed}" "$*" | sha256sum | sed 's/[[:space:]].*//'
+}
+add_user_db() {
+ user="$1"
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
- CREATE USER keycloak WITH ENCRYPTED PASSWORD '${kc_password}';
- CREATE DATABASE keycloak WITH ENCODING='UTF8' OWNER keycloak;
+ CREATE USER ${user} WITH ENCRYPTED PASSWORD '$(secret db:${user})';
+ CREATE DATABASE ${user} WITH ENCODING='UTF8' OWNER ${user};
EOSQL
}
+
+add_user_db keycloak
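Review bot: A missing or unreadable /run/secrets/seed does not stop `add_user_db`, because `secret` is expanded inside the here-document on the `CREATE USER` line and a failing command substitution there never reaches psql's exit status, so `set -e` only ever sees psql succeed. Depending on whether the substitution subshell inherits errexit, the role is then created with either an empty password or the hash of an empty seed joined with a known label, and both are trivially guessable. Compute the password before the here-document so the failure is observable, `password=$(secret "db:${user}") || exit 1` at the top of `add_user_db` with `'${password}'` in the `CREATE USER` line, and refuse to run on an absent or empty seed with `[ -s /run/secrets/seed ] || exit 1` before the first `add_user_db` call. The hunk header counts (-2,12 / +2,17) indicate three context lines not shown here, so the hunk may extend past the last visible line.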