Add checks for _FILE env vars (#18887)

* Add checks for _FILE env vars * Fixing this for once and for all + documenting * Update run_metabase.sh

Add checks for _FILE env vars (#18887)
2b287bff · Luis Paolini · GitHub · 137c2051 · 2b287bff · 2b287bff
Unverified Commit 2b287bff authored 3 years ago by Luis Paolini Committed by GitHub 3 years ago
--- a/bin/docker/run_metabase.sh
+++ b/bin/docker/run_metabase.sh
@@ -16,14 +16,51 @@ if [ ! -z "$JAVA_TIMEZONE" ]; then
    JAVA_OPTS="${JAVA_OPTS} -Duser.timezone=${JAVA_TIMEZONE}"
 fi

+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+# taken from https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh
+# This is the specific function that takes the env var which has a "_FILE" at the end and transforms that into a normal env var.
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+# Here we define which env vars are the ones that will be supported with a "_FILE" ending. We started with the ones that would contain sensitive data
+docker_setup_env() {
+    file_env 'MB_DB_USER'
+    file_env 'MB_DB_PASS'
+    file_env 'MB_DB_CONNECTION_URI'
+    file_env 'MB_EMAIL_SMTP_PASSWORD'
+    file_env 'MB_EMAIL_SMTP_USERNAME'
+    file_env 'MB_LDAP_PASSWORD'
+    file_env 'MB_LDAP_BIND_DN'
+}
+
 # detect if the container is started as root or not
 # if non-root, it's likely we run in a k8s environment with well maintained permissions
 # if root, we need to check some permissions in order to exec metabase with a non-root user
 # In that case, the container is run as root, metabase is run as a non-root user
+# Also, we call the docker_setup_env function before Metabase starts so it takes the Docker secrets in case there are any
 if [ $(id -u) -ne 0 ]; then
    # Launch the application
    # exec is here twice on purpose to  ensure that metabase runs as PID 1 (the init process)
    # and thus receives signals sent to the container. This allows it to shutdown cleanly on exit
+    docker_setup_env
    exec /bin/sh -c "exec java $JAVA_OPTS -jar /app/metabase.jar $@"
 else
    # Avoid running metabase (or any server) as root where possible
@@ -104,6 +141,7 @@ else

    # next we tell metabase use the files we just moved into the directory
    # or create the files in that directory if they don't exist.
+    docker_setup_env
    export MB_DB_FILE=$new_db_dir/$(basename $db_file)

    # TODO: print big scary warning if they are configuring an ephemeral instance

--- a/docs/operations-guide/running-metabase-on-docker.md
+++ b/docs/operations-guide/running-metabase-on-docker.md
@@ -161,7 +161,7 @@ Note that Metabase will use this directory to extract plugins bundled with the d

 In order to keep your connection parameters hidden from plain sight, you can use Docker Secrets to put all parameters in files so Docker can read and load them in memory before the container is started.

-This is an example of a `docker-compose.yml` file to start a Metabase container with secrets to connect to a PostgreSQL database. Create 2 files (db_user.txt and db_password.txt) in the same directory as this `yml` and fill them with any username and a secure password:
+This is an example of a `docker-compose.yml` file to start a Metabase container with secrets to connect to a PostgreSQL database. Create 2 files (db_user.txt and db_password.txt) in the same directory as this `yml` and fill them with any username and a secure password (notice the "_FILE" on the environment variables that have a secret):

 ```
 version: '3.9'
@@ -178,8 +178,8 @@ services:
      MB_DB_TYPE: postgres
      MB_DB_DBNAME: metabase
      MB_DB_PORT: 5432
-      MB_DB_USER: /run/secrets/db_user
-      MB_DB_PASS: /run/secrets/db_password
+      MB_DB_USER_FILE: /run/secrets/db_user
+      MB_DB_PASS_FILE: /run/secrets/db_password
      MB_DB_HOST: postgres-secrets
    networks: 
      - metanet1-secrets
@@ -193,9 +193,9 @@ services:
    container_name: postgres-secrets
    hostname: postgres-secrets
    environment:
-      POSTGRES_USER: /run/secrets/db_user
+      POSTGRES_USER_FILE: /run/secrets/db_user
      POSTGRES_DB: metabase
-      POSTGRES_PASSWORD: /run/secrets/db_password
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    networks: 
      - metanet1-secrets
    secrets:
@@ -209,4 +209,16 @@ secrets:
     file: db_password.txt
   db_user:
     file: db_user.txt
-```
\ No newline at end of file
+```
+
+We currently support the following [environment variables](environment-variables.html) to be used as secrets:
+
+* MB_DB_USER
+* MB_DB_PASS
+* MB_DB_CONNECTION_URI
+* MB_EMAIL_SMTP_PASSWORD
+* MB_EMAIL_SMTP_USERNAME
+* MB_LDAP_PASSWORD
+* MB_LDAP_BIND_DN
+
+In order for the Metabase container to read the files and use the contents as a secret, the environment variable name needs to be appended with a "_FILE" as explained above.