From 1ed973e4c67c61c1226d7805dd7886f713c9d7c0 Mon Sep 17 00:00:00 2001
From: Brandon Dunne
Date: Thu, 26 Jan 2023 16:01:40 -0500
Subject: [PATCH] Allow loading secrets from mounted files rather than ENV vars

This allows keys from kubernetes secrets to be mounted as files to avoid exposing them in the ENV.
---
 10/root/usr/bin/run-postgresql | 9 +++++++++
 12/root/usr/bin/run-postgresql | 9 +++++++++
 13/root/usr/bin/run-postgresql | 9 +++++++++
 src/root/usr/bin/run-postgresql | 9 +++++++++
 4 files changed, 36 insertions(+)

diff --git a/10/root/usr/bin/run-postgresql b/10/root/usr/bin/run-postgresql
index 2367e57e..9a5894fd 100755
--- a/10/root/usr/bin/run-postgresql
+++ b/10/root/usr/bin/run-postgresql
@@ -2,6 +2,15 @@
 export ENABLE_REPLICATION=${ENABLE_REPLICATION:-false}
+# Load secrets from files mounted on the filesystem and only expose them to this process.
+# This allows kubernetes to mount secrets as files in a directory rather than exposing them in the ENV.
+# For example: mount secret with key username as /run/secrets/postgresql/POSTGRESQL_USER
+for file in /run/secrets/postgresql/*
+do
+  [ -e "$file" ] || continue
+  export "$(basename $file)=$(cat $file)"
+done
+
 set -eu
 export_vars=$(cgroup-limits) ; export $export_vars
diff --git a/12/root/usr/bin/run-postgresql b/12/root/usr/bin/run-postgresql
index 2367e57e..9a5894fd 100755
--- a/12/root/usr/bin/run-postgresql
+++ b/12/root/usr/bin/run-postgresql
@@ -2,6 +2,15 @@
 export ENABLE_REPLICATION=${ENABLE_REPLICATION:-false}
+# Load secrets from files mounted on the filesystem and only expose them to this process.
+# This allows kubernetes to mount secrets as files in a directory rather than exposing them in the ENV.
+# For example: mount secret with key username as /run/secrets/postgresql/POSTGRESQL_USER
+for file in /run/secrets/postgresql/*
+do
+  [ -e "$file" ] || continue
+  export "$(basename $file)=$(cat $file)"
+done
+
 set -eu
 export_vars=$(cgroup-limits) ; export $export_vars
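Review bot: A read failure inside the loop is silent: `cat` runs before `set -eu` is enabled and its exit status is swallowed by the `export "$(…)=$(…)"` substitution, so an unreadable secret file (for example a mount with a restrictive `defaultMode` read by the non-root container user) exports an empty value instead of failing, and `[ -e "$file" ]` also lets a directory through with the same effect. `$file` is unquoted in both substitutions as well, and an `export` of a key that is not a valid shell identifier prints an error and is likewise ignored. I would test with `-f`, split the read out so its status is checked, quote the expansions, and fail loudly on either error. The same loop is repeated verbatim in the 12/, 13/ and src/ copies of run-postgresql, so the change applies to each.
```shell
for file in /run/secrets/postgresql/*; do
  [ -f "$file" ] || continue
  name=$(basename "$file")
  value=$(cat "$file") || { echo "run-postgresql: cannot read secret file $file" >&2; exit 1; }
  export "$name=$value" || { echo "run-postgresql: invalid secret name $name" >&2; exit 1; }
done
```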
diff --git a/13/root/usr/bin/run-postgresql b/13/root/usr/bin/run-postgresql
index 2367e57e..9a5894fd 100755
--- a/13/root/usr/bin/run-postgresql
+++ b/13/root/usr/bin/run-postgresql
@@ -2,6 +2,15 @@
 export ENABLE_REPLICATION=${ENABLE_REPLICATION:-false}
+# Load secrets from files mounted on the filesystem and only expose them to this process.
+# This allows kubernetes to mount secrets as files in a directory rather than exposing them in the ENV.
+# For example: mount secret with key username as /run/secrets/postgresql/POSTGRESQL_USER
+for file in /run/secrets/postgresql/*
+do
+  [ -e "$file" ] || continue
+  export "$(basename $file)=$(cat $file)"
+done
+
 set -eu
 export_vars=$(cgroup-limits) ; export $export_vars
diff --git a/src/root/usr/bin/run-postgresql b/src/root/usr/bin/run-postgresql
index 2367e57e..9a5894fd 100755
--- a/src/root/usr/bin/run-postgresql
+++ b/src/root/usr/bin/run-postgresql
@@ -2,6 +2,15 @@
 export ENABLE_REPLICATION=${ENABLE_REPLICATION:-false}
+# Load secrets from files mounted on the filesystem and only expose them to this process.
+# This allows kubernetes to mount secrets as files in a directory rather than exposing them in the ENV.
+# For example: mount secret with key username as /run/secrets/postgresql/POSTGRESQL_USER
+for file in /run/secrets/postgresql/*
+do
+  [ -e "$file" ] || continue
+  export "$(basename $file)=$(cat $file)"
+done
+
 set -eu
 export_vars=$(cgroup-limits) ; export $export_vars
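Review bot: The comment `# Load secrets from files mounted on the filesystem and only expose them to this process.` overstates what the loop achieves: `export` places each value in the environment inherited by every child process (the postgres server and anything it spawns), and that environment is readable through /proc/<pid>/environ by any process running as the same uid, so the values are not confined to this process. What the change does buy is keeping the secrets out of the pod spec and container config (`kubectl get pod -o yaml`, `docker inspect`), which is the claim worth making. Two behaviours a reader would also want documented: a file value unconditionally overrides an environment variable of the same name, and `$(cat …)` strips trailing newlines from the file contents. I would replace the first comment line with `# Load secrets from files mounted under /run/secrets/postgresql into this process's environment (and that of its children); this keeps them out of the pod spec and container config, not out of the environment itself.` and add `# A file overrides a same-named environment variable; trailing newlines in the file are stripped by the command substitution.` after the example line. The same comment block appears in the 10/, 12/ and src/ copies of run-postgresql.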