add docker secrets

BretFisher · Nov 11, 2018 · d42cb40 · d42cb40
1 parent da17a12
commit d42cb40
Show file tree

Hide file tree

Showing 7 changed files with 96 additions and 14 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -29,6 +29,9 @@ HEALTHCHECK --interval=30s CMD node healthcheck.js
 WORKDIR /opt/app
 COPY . /opt/app
 
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+
 # the official node image provides an unprivileged user as a security best practice
 # https://github.com/nodejs/docker-node/blob/master/docs/BestPractices.md#non-root-user
 USER node

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,4 +1,4 @@
-version: '2.3'
+version: '3.1'
 
 services:
   node:
@@ -32,24 +32,37 @@ services:
       - notused:/opt/app/node_modules
     environment:
       - NODE_ENV=development
-      - MONGO_HOSTNAME=mongodb://root:example@mongo:27017
+      - MONGO_USERNAME_FILE=/run/secrets/mongo_root
+      - MONGO_PASSWORD_FILE=/run/secrets/mongo_root_password
       - MONGO_DATABASE_NAME=example-database
+    secrets:
+      - mongo_root
+      - mongo_root_password
     depends_on:
-      mongo:
-        condition: service_healthy
+      - mongo
+
   mongo:
     image: mongo
     ports:
       - "27017:27017"
     environment:
-      - MONGO_INITDB_ROOT_USERNAME=root
-      - MONGO_INITDB_ROOT_PASSWORD=example
+      - MONGO_INITDB_ROOT_USERNAME_FILE=/run/secrets/mongo_root
+      - MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_root_password
       - MONGO_INITDB_DATABASE=example-database
+    secrets:
+      - mongo_root
+      - mongo_root_password
     healthcheck:
       test: echo 'db.stats().ok' | mongo localhost:27017/example-database --quiet
       interval: 5s
       timeout: 5s
       retries: 3
 
 volumes:
-    notused:
+  notused:
+
+secrets:
+  mongo_root:
+    file: ./secrets/mongo_root
+  mongo_root_password:
+    file: ./secrets/mongo_root_password
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -euo pipefail
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+file_env 'MONGO_USERNAME'
+file_env 'MONGO_PASSWORD'
+
+exec "$@"
diff --git a/docker-stack.yml b/docker-stack.yml
@@ -10,6 +10,34 @@ services:
       - "80:3000"
     environment:
       - NODE_ENV=production
+      - MONGO_USERNAME_FILE=/run/secrets/mongo_root
+      - MONGO_PASSWORD_FILE=/run/secrets/mongo_root_password
+      - MONGO_DATABASE_NAME=example-database
+    secrets:
+      - mongo_root
+      - mongo_root_password
     deploy:
-      replicas: 2
+      replicas: 1
 
+  mongo:
+    image: mongo
+    ports:
+      - "27017:27017"
+    environment:
+      - MONGO_INITDB_ROOT_USERNAME_FILE=/run/secrets/mongo_root
+      - MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_root_password
+      - MONGO_INITDB_DATABASE=example-database
+    secrets:
+      - mongo_root
+      - mongo_root_password
+    # healthcheck:
+    #   test: echo 'db.stats().ok' | mongo localhost:27017/example-database --quiet
+    #   interval: 5s
+    #   timeout: 5s
+    #   retries: 3
+
+secrets:
+  mongo_root:
+    external: true
+  mongo_root_password:
+    external: true
diff --git a/index.js b/index.js
@@ -16,21 +16,28 @@ const MongoClient = require('mongodb').MongoClient;
 // this example includes a connection to MongoDB
 
 const {
-  MONGO_HOSTNAME,
+  MONGO_USERNAME,
+  MONGO_PASSWORD,
   MONGO_DATABASE_NAME
 } = process.env;
 
 // Connection URL
-const url = `${MONGO_HOSTNAME}`;
+const url = `mongodb://${MONGO_USERNAME}:${MONGO_PASSWORD}@mongo:27017`;
+
 // Create a new MongoClient
 const client = new MongoClient(url);
 
 let db;
 // Use connect method to connect to the Server
-client.connect(function(err) {
-  console.log("Connected successfully to server");
-  db = client.db(MONGO_DATABASE_NAME);
-});
+setTimeout(() => {
+  client.connect(function(err) {
+    if (err) {
+      return console.error(err);
+    }
+    console.log("Connected successfully to database");
+    db = client.db(MONGO_DATABASE_NAME);
+  });
+}, 2000);
 
 // Api
 const app = express();

diff --git a/secrets/mongo_root b/secrets/mongo_root
@@ -0,0 +1 @@
+root
diff --git a/secrets/mongo_root_password b/secrets/mongo_root_password
@@ -0,0 +1 @@
+example