diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 46b76bc..e79e58d 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -38,9 +38,34 @@ if [ -n "${OPENBAO_ADDR:-}" ]; then exit 1 fi - # Export each key/value as a shell-safe env var. - # jq's @sh filter single-quote-escapes values so eval is safe. - eval "$(printf '%s' "${SECRET_JSON}" | jq -r 'to_entries[] | "export \(.key)=\(.value | @sh)"')" + # Export each key/value as a shell-safe env var — but ONLY if the key + # isn't already set by docker (env_file / environment: block). This + # lets a docker-compose override win over the OpenBao value, which is + # needed for e2e (TURNSTILE_SECRET_KEY="" / SMTP_HOST="") and any + # environment-specific override. + # + # Pattern: write jq output to a temp file, then while-read in the main + # shell so exports persist (pipes into while run in a subshell and lose + # them). Pre-snapshot env keys and skip those already defined. + _PRESET_KEYS_FILE=$(mktemp) + env | cut -d= -f1 | sort -u > "$_PRESET_KEYS_FILE" + + _SECRET_ASSIGNS=$(mktemp) + printf '%s' "${SECRET_JSON}" | jq -r 'to_entries[] | "\(.key)\t\(.value | @sh)"' > "$_SECRET_ASSIGNS" + + _APPLIED_COUNT=0 + _SKIPPED_COUNT=0 + while IFS="$(printf '\t')" read -r _K _VAL_QUOTED; do + if [ -z "$_K" ]; then continue; fi + if grep -qxF "$_K" "$_PRESET_KEYS_FILE"; then + _SKIPPED_COUNT=$((_SKIPPED_COUNT + 1)) + else + eval "export $_K=$_VAL_QUOTED" + _APPLIED_COUNT=$((_APPLIED_COUNT + 1)) + fi + done < "$_SECRET_ASSIGNS" + rm -f "$_PRESET_KEYS_FILE" "$_SECRET_ASSIGNS" + echo "[entrypoint] applied ${_APPLIED_COUNT} secrets; ${_SKIPPED_COUNT} already set by docker (kept override)" # Bootstrap credentials are no longer needed in the Node process env. unset OPENBAO_ROLE_ID OPENBAO_SECRET_ID BAO_TOKEN