From 22514523e4c13667bdadd33ffce8912b3cff891c Mon Sep 17 00:00:00 2001 From: Jeffrey Aven Date: Mon, 8 Jan 2024 14:34:10 +1100 Subject: [PATCH] refactor --- Dockerfile | 18 ++++------------ README.md | 16 +++++++------- startup.sh | 63 +++++++++--------------------------------------------- 3 files changed, 22 insertions(+), 75 deletions(-) diff --git a/Dockerfile b/Dockerfile index a57b6cc..259df6b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,5 @@ -# Use stackql image -FROM stackql/stackql:latest as stackql - # Use postgres image -FROM postgres:latest as postgres +FROM postgres:latest # Environment variables for postgres backend ENV POSTGRES_HOST=127.0.0.1 @@ -14,10 +11,6 @@ ENV POSTGRES_DB=stackql # Environment variable to toggle SECURE_MODE ENV SECURE_MODE=false -# Environment variable for Key Vault name for SECURE_MODE, if local use local cert and key files -ENV KEYVAULT_NAME=local -ENV KEYVAULT_CREDENTIAL=notset - # Environment variable for StackQL server configuration ENV PGSRV_PORT=7432 @@ -25,11 +18,7 @@ ENV PGSRV_PORT=7432 COPY ./init-db.sh /docker-entrypoint-initdb.d/init-db.sh RUN chmod +x /docker-entrypoint-initdb.d/init-db.sh -# Copy stackql binary -COPY --from=stackql /srv/stackql/stackql /srv/stackql/stackql - # Install certificates - RUN apt-get update && \ apt-get install -y curl jq ca-certificates && update-ca-certificates @@ -39,9 +28,10 @@ EXPOSE $PGSRV_PORT # Volume for certificates VOLUME ["/opt/stackql/srv/credentials"] -# Copy the startup script +# Copy the StackQL binary and startup script +COPY --from=stackql/stackql:latest /srv/stackql/stackql /srv/stackql/stackql COPY startup.sh /usr/local/bin/startup.sh RUN chmod +x /usr/local/bin/startup.sh # Set the startup script as the entrypoint -ENTRYPOINT ["/usr/local/bin/startup.sh"] \ No newline at end of file +ENTRYPOINT ["/usr/local/bin/startup.sh"] diff --git a/README.md b/README.md index 25ad365..71c0de6 100644 --- a/README.md +++ b/README.md @@ -192,6 +192,10 @@ az keyvault secret set \ 2. **Create an Azure Container Instance:** To create an instance, use the Azure CLI. Replace values for `name`, `resource-group`, and `dns-name-label` with your specific details. The `--dns-name-label` should be a unique DNS name for the ACI. ```bash +SERVER_CERT=$(base64 -w 0 creds/server_cert.pem) +SERVER_KEY=$(base64 -w 0 creds/server_key.pem) +CLIENT_CERT=$(base64 -w 0 creds/client_cert.pem) + az container create \ --name stackqlserver \ --resource-group stackql-activity-monitor-rg \ @@ -200,14 +204,10 @@ az container create \ --ports 7432 \ --protocol TCP \ --environment-variables \ -POSTGRES_HOST=postgres-host \ -POSTGRES_PORT=postgres-port \ -POSTGRES_USER=postgres-user \ -POSTGRES_PASSWORD=postgres-password \ -POSTGRES_DB=postgres-db \ -SECURE_MODE=false \ -KEYVAULT_NAME=keyvault-name \ -KEYVAULT_CREDENTIAL=keyvault-credential +SECURE_MODE=true \ +SERVER_CERT=$SERVER_CERT \ +SERVER_KEY=$SERVER_KEY \ +CLIENT_CERT=$CLIENT_CERT ``` Make sure to replace the environment variable values with the ones you need for your setup. diff --git a/startup.sh b/startup.sh index ffbc880..c555f5a 100644 --- a/startup.sh +++ b/startup.sh @@ -3,76 +3,33 @@ # Set directory paths CERT_DIR="/opt/stackql/srv/credentials" -# Function to fetch a secret from Azure Key Vault -fetch_secret() { - local secret_name=$1 - local secret_value=$(curl -s \ - -H "Authorization: Bearer $KEYVAULT_CREDENTIAL" \ - "https://$KEYVAULT_NAME.vault.azure.net/secrets/$secret_name?api-version=7.0" | jq -r '.value') - - if [ -z "$secret_value" ]; then - echo "Failed to fetch secret: $secret_name" - exit 1 - fi - - echo "$secret_value" -} - -# Write secrets to files -write_cert_or_key() { - local content=$1 - local file_path=$2 - - echo "$content" > "$file_path" - chmod 600 "$file_path" -} - -# Check if certificates and keys are present in the directory +# Check if certificates and keys are present in the environment variables or the directory check_certs_and_keys() { local server_cert="$CERT_DIR/server_cert.pem" local server_key="$CERT_DIR/server_key.pem" local client_cert="$CERT_DIR/client_cert.pem" - if [ ! -f "$server_cert" ] || [ ! -f "$server_key" ] || [ ! -f "$client_cert" ]; then - echo "Certificates or keys are missing in $CERT_DIR" - exit 1 + if [ -z "$SERVER_CERT" ] || [ -z "$SERVER_KEY" ] || [ -z "$CLIENT_CERT" ]; then + if [ ! -f "$server_cert" ] || [ ! -f "$server_key" ] || [ ! -f "$client_cert" ]; then + echo "Certificates or keys are missing." + exit 1 + fi + else + echo "$SERVER_CERT" | base64 -d > "$server_cert" + echo "$SERVER_KEY" | base64 -d > "$server_key" + echo "$CLIENT_CERT" | base64 -d > "$client_cert" fi # Set permissions for the certificates and keys chmod 600 "$server_cert" "$server_key" "$client_cert" } -# Fetch and write secrets if needed -fetch_and_write_secrets() { - echo "Fetching secrets from Azure Key Vault..." - local server_cert=$(fetch_secret "stackql-server-cert") - local server_key=$(fetch_secret "stackql-server-key") - local client_cert=$(fetch_secret "stackql-client-cert") - - write_cert_or_key "$server_cert" "$CERT_DIR/server_cert.pem" - write_cert_or_key "$server_key" "$CERT_DIR/server_key.pem" - write_cert_or_key "$client_cert" "$CERT_DIR/client_cert.pem" - - echo "Secrets fetched and written to $CERT_DIR" -} - # Function to start StackQL with or without mTLS start_stackql() { if [ "$SECURE_MODE" = "true" ]; then echo "Running with mTLS..." - - # Fetch secrets from Azure Key Vault if not running locally - if [ "$KEYVAULT_NAME" != "local" ] && [ "$KEYVAULT_CREDENTIAL" != "notset" ]; then - fetch_and_write_secrets - else - echo "Using local secrets..." - fi - - # Check if certificates and keys are present and set their permissions check_certs_and_keys - CLIENT_CA_ENCODED=$(base64 -w 0 "$CERT_DIR/client_cert.pem") - # Start the server with TLS configuration /srv/stackql/stackql srv --approot=/srv/stackql/.stackql \ --pgsrv.port=$PGSRV_PORT \