fix(entrypoint): docker-compose env overrides win over OpenBao-fetched values
The previous entrypoint unconditionally exported every key from kv/ped-ai/prod. This broke the e2e container, which needs TURNSTILE_SECRET_KEY="" and SMTP_HOST="" set via docker-compose environment block so login works without bot challenge and register auto-verifies. OpenBao's real values were overriding those empties, re-enabling Turnstile and email on e2e. Fix: before the OpenBao fetch, snapshot every env var name already defined (env_file + environment: block). During the export loop, skip any OpenBao key that's already in the snapshot. Docker-compose wins, OpenBao fills in the rest. Impact: - Prod container: no change (env_file only has OPENBAO_* bootstrap vars, which aren't in the KV payload anyway) - E2e container: TURNSTILE_SECRET_KEY="" and SMTP_HOST="" preserved even when the image is rebuilt from the current source tree - Any future per-container override via docker-compose environment: block just works Log line now reports counts: "applied N secrets; M already set by docker (kept override)".
This commit is contained in:
parent
abb67bd03a
commit
b7a2e15107
1 changed files with 28 additions and 3 deletions
|
|
@ -38,9 +38,34 @@ if [ -n "${OPENBAO_ADDR:-}" ]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
# Export each key/value as a shell-safe env var.
|
||||
# jq's @sh filter single-quote-escapes values so eval is safe.
|
||||
eval "$(printf '%s' "${SECRET_JSON}" | jq -r 'to_entries[] | "export \(.key)=\(.value | @sh)"')"
|
||||
# Export each key/value as a shell-safe env var — but ONLY if the key
|
||||
# isn't already set by docker (env_file / environment: block). This
|
||||
# lets a docker-compose override win over the OpenBao value, which is
|
||||
# needed for e2e (TURNSTILE_SECRET_KEY="" / SMTP_HOST="") and any
|
||||
# environment-specific override.
|
||||
#
|
||||
# Pattern: write jq output to a temp file, then while-read in the main
|
||||
# shell so exports persist (pipes into while run in a subshell and lose
|
||||
# them). Pre-snapshot env keys and skip those already defined.
|
||||
_PRESET_KEYS_FILE=$(mktemp)
|
||||
env | cut -d= -f1 | sort -u > "$_PRESET_KEYS_FILE"
|
||||
|
||||
_SECRET_ASSIGNS=$(mktemp)
|
||||
printf '%s' "${SECRET_JSON}" | jq -r 'to_entries[] | "\(.key)\t\(.value | @sh)"' > "$_SECRET_ASSIGNS"
|
||||
|
||||
_APPLIED_COUNT=0
|
||||
_SKIPPED_COUNT=0
|
||||
while IFS="$(printf '\t')" read -r _K _VAL_QUOTED; do
|
||||
if [ -z "$_K" ]; then continue; fi
|
||||
if grep -qxF "$_K" "$_PRESET_KEYS_FILE"; then
|
||||
_SKIPPED_COUNT=$((_SKIPPED_COUNT + 1))
|
||||
else
|
||||
eval "export $_K=$_VAL_QUOTED"
|
||||
_APPLIED_COUNT=$((_APPLIED_COUNT + 1))
|
||||
fi
|
||||
done < "$_SECRET_ASSIGNS"
|
||||
rm -f "$_PRESET_KEYS_FILE" "$_SECRET_ASSIGNS"
|
||||
echo "[entrypoint] applied ${_APPLIED_COUNT} secrets; ${_SKIPPED_COUNT} already set by docker (kept override)"
|
||||
|
||||
# Bootstrap credentials are no longer needed in the Node process env.
|
||||
unset OPENBAO_ROLE_ID OPENBAO_SECRET_ID BAO_TOKEN
|
||||
|
|
|
|||
Loading…
Reference in a new issue