Customize Docker Image #2729

Closed
mthota15 opened this issue Aug 14, 2019 · 2 comments
mthota15 commented Aug 14, 2019

Our RDS Password is KMS Encrypted and we have to decrypt the password in the docker image during runtime. We usually use aws cli with jq to decrypt the password in docker containers. We would like to use the same approach with Hasura docker container but not sure how to install aws cli and jq dependencies in the container.

Any guidance is appreciated.

@shahidhk (Member)

@mthota15 Can you not decrypt the password and provide it as an environment variable?

Our docker image is highly optimised and it will not be possible to install the required tools on that.

You'll have to build a custom docker image with a dockerfile that might look like this:

```dockerfile
FROM hasura/graphql-engine:v1.0.0-beta.4 as base

FROM debian:stretch-20190228-slim

# install libpq (required by Hasura)
# also install aws-cli, jq etc
RUN apt-get -y update \
    && apt-get install -y libpq-dev \
    && apt-get -y auto-remove \
    && apt-get -y clean \
    && rm -rf /var/lib/apt/lists/* \
    && rm -rf /usr/share/doc/ \
    && rm -rf /usr/share/man/ \
    && rm -rf /usr/share/locale/

# copy Hasura binary from base container
COPY --from=base /bin/graphql-engine /bin/graphql-engine

# write a startup script which decrypts the password and starts graphql engine
# command to start graphql engine is
# graphql-engine --database-url <url> serve
COPY start.sh /start.sh

CMD ["/start.sh"]
```

PS: this is not tested.

@mthota15 (Author)

Thanks @shahidhk, it helped.

Here is my Dockerfile:

```dockerfile
FROM hasura/graphql-engine:v1.0.0-beta.4 as base

FROM python:3.7-slim-stretch

RUN apt-get -y update \
    && apt-get install -y --no-install-recommends libpq-dev jq \
    && apt-get -y auto-remove \
    && apt-get -y clean \
    && rm -rf /var/lib/apt/lists/* \
    && rm -rf /usr/share/doc/ \
    && rm -rf /usr/share/man/ \
    && rm -rf /usr/share/locale/ \
    && pip install awscli

# copy Hasura binary from base container
COPY --from=base /bin/graphql-engine /bin/graphql-engine

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
CMD ["/entrypoint.sh"]
```

entrypoint.sh:

```bash
#!/bin/bash
set -e

# Defaults for optional settings
DB_HOST=${DB_HOST:-postgres}
DB_PORT=${DB_PORT:-5432}
AWS_REGION=${AWS_REGION:-us-east-1}
DB_PASSWORD_ENCYPTED=${DB_PASSWORD_ENCYPTED:-false}

# Required settings
if [ -z "${DB_NAME}" ]; then
   echo "Must provide DB_NAME environment variable. Exiting...."
   exit 1
fi

if [ -z "${DB_USER}" ]; then
   echo "Must provide DB_USER environment variable. Exiting...."
   exit 1
fi

if [ -z "${DB_PASSWORD}" ]; then
   echo "Must provide DB_PASSWORD environment variable. Exiting...."
   exit 1
fi

if [ "${DB_PASSWORD_ENCYPTED}" = "true" ]
then
    echo "loading KMS credentials"
    # DB_PASSWORD holds the base64-encoded KMS ciphertext;
    # kms decrypt returns the plaintext base64-encoded as well
    decrypted_value_base64=$( \
        aws --region "${AWS_REGION}" kms decrypt \
          --ciphertext-blob fileb://<(echo "${DB_PASSWORD}" | base64 -d) \
          --query Plaintext \
          --output text
    )
    decrypted_value=$(echo "${decrypted_value_base64}" | base64 -d)
    export HASURA_GRAPHQL_DATABASE_URL="postgres://${DB_USER}:${decrypted_value}@${DB_HOST}:${DB_PORT}/${DB_NAME}"
else
    export HASURA_GRAPHQL_DATABASE_URL="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}"
fi

# exec replaces the shell so graphql-engine receives container stop signals directly
exec /bin/graphql-engine serve
```
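
The entrypoint above interpolates the password into the database URL as-is, so a password containing characters such as `@`, `:`, `/` or `#` changes how the URL is parsed. The following is an added example, not code from the thread or from the Hasura project: it percent-encodes the credentials before building the URL. The helper names `urlencode` and `build_database_url` and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build the database URL with percent-encoded credentials.
# urlencode and build_database_url are hypothetical helper names.

# Percent-encode every byte outside the RFC 3986 unreserved set.
# The body runs in a subshell so LC_ALL and loop variables do not leak.
urlencode() (
    LC_ALL=C
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}
        c=${s%"$rest"}   # leading character of $s
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%s' "$c" | od -An -v -tx1 \
                   | tr -d ' \n' | tr a-f A-F | sed 's/../%&/g') ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# Arguments: user password host port dbname
# Rejects a non-numeric port so it cannot smuggle extra URL components.
build_database_url() {
    case $4 in
        ''|*[!0-9]*) echo "DB_PORT must be numeric" >&2; return 1 ;;
    esac
    printf 'postgres://%s:%s@%s:%s/%s' \
        "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4" "$(urlencode "$5")"
}

# Constructed sample values, not real credentials.
build_database_url app_user 'p@ss:w/rd#1' postgres 5432 hasura
echo
```

In the entrypoint, the result would be assigned to `HASURA_GRAPHQL_DATABASE_URL` in place of the hand-built string, passing `${decrypted_value}` or `${DB_PASSWORD}` as the second argument.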
