GUACAMOLE-626: Add Docker secret support for MySQL and Postgres

Add support for reading from docker secret files. New script prefers environment variables ending with _FILE over normal variables, meaning that Docker secrets will take precedence. You can, however, mix variable types, ex. MYSQL_USER uses a normal environment variable, while MYSQL_PASSWORD uses a secret.
2025-09-06 13:17:41 +00:00 · 2018-08-09 22:06:24 -05:00
parent 735b22bcf0
commit 32c2618ca9
1 changed files with 68 additions and 16 deletions
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -125,13 +125,13 @@ END
        exit 1;
    fi

-    # Verify required parameters are present
-    if [ -z "$MYSQL_USER" -o -z "$MYSQL_PASSWORD" -o -z "$MYSQL_DATABASE" ]; then
-        cat <<END
+    MYSQL_MISSING_VARS=`cat <<END
 FATAL: Missing required environment variables
 -------------------------------------------------------------------------------
 If using a MySQL database, you must provide each of the following
-environment variables:
+environment variables or their corresponding Docker secrets by appending _FILE
+to the environment variable, and setting the value to the path of the 
+corresponding secret:

    MYSQL_USER         The user to authenticate as when connecting to
                       MySQL.
@@ -141,16 +141,39 @@ environment variables:

    MYSQL_DATABASE     The name of the MySQL database to use for Guacamole
                       authentication.
-END
+END`
+
+    # Verify that the required Docker secrets are present, else, default to their normal environment variables
+    if [ -n "$MYSQL_USER_FILE" ]; then
+        set_property "mysql-username" `cat $MYSQL_USER_FILE`
+    elif [ -n "$MYSQL_USER" ]; then
+        set_property "mysql-username" "$MYSQL_USER"
+    else
+        cat "$MYSQL_MISSING_VARS"
+        exit 1;
+    fi
+    
+    if [ -n "$MYSQL_PASSWORD_FILE" ]; then
+        set_property "mysql-password" `cat $MYSQL_PASSWORD_FILE`
+    elif [ -n "$MYSQL_PASSWORD" ]; then
+        set_property "mysql-password" "$MYSQL_PASSWORD"
+    else
+        cat "$MYSQL_MISSING_VARS"
+        exit 1;
+    fi
+
+    if [ -n "$MYSQL_DATABASE_FILE" ]; then
+        set_property "mysql-database" `cat $MYSQL_DATABASE_FILE`
+    elif [ -n "$MYSQL_DATABASE" ]; then
+        set_property "mysql-database" "$MYSQL_DATABASE"
+    else
+        cat "$MYSQL_MISSING_VARS"
        exit 1;
    fi

    # Update config file
    set_property "mysql-hostname" "$MYSQL_HOSTNAME"
    set_property "mysql-port"     "$MYSQL_PORT"
-    set_property "mysql-database" "$MYSQL_DATABASE"
-    set_property "mysql-username" "$MYSQL_USER"
-    set_property "mysql-password" "$MYSQL_PASSWORD"

    set_optional_property               \
        "mysql-absolute-max-connections" \
@@ -221,13 +244,13 @@ END
        exit 1;
    fi

-    # Verify required parameters are present
-    if [ -z "$POSTGRES_USER" -o -z "$POSTGRES_PASSWORD" -o -z "$POSTGRES_DATABASE" ]; then
-        cat <<END
+    POSTGRES_MISSING_VARS=`cat <<END
 FATAL: Missing required environment variables
 -------------------------------------------------------------------------------
 If using a PostgreSQL database, you must provide each of the following
-environment variables:
+environment variables or their corresponding Docker secrets by appending _FILE
+to the environment variable, and setting the value to the path of the 
+corresponding secret:

    POSTGRES_USER      The user to authenticate as when connecting to
                       PostgreSQL.
@@ -237,16 +260,45 @@ environment variables:

    POSTGRES_DATABASE  The name of the PostgreSQL database to use for Guacamole
                       authentication.
-END
+END`
+
+    # Verify that the required Docker secrets are present, else, default to their normal environment variables
+    if [ -n "$POSTGRES_USER_FILE" ]; then
+        set_property "postgresql-username" `cat $POSTGRES_USER_FILE`
+    elif [ -n "$POSTGRES_USER" ]; then
+        set_property "postgresql-username" "$POSTGRES_USER"
+    else
+        cat "$POSTGRES_MISSING_VARS"
+        exit 1;
+    fi
+    
+    if [ -n "$POSTGRES_PASSWORD_FILE" ]; then
+        set_property "postgresql-password" `cat $POSTGRES_PASSWORD_FILE`
+    elif [ -n "$POSTGRES_PASSWORD" ]; then
+        set_property "postgresql-password" "$POSTGRES_PASSWORD"
+    else
+        cat "$POSTGRES_MISSING_VARS"
+        exit 1;
+    fi
+
+    if [ -n "$POSTGRES_DATABASE_FILE" ]; then
+        set_property "postgresql-database" `cat $POSTGRES_DATABASE_FILE`
+    elif [ -n "$POSTGRES_DATABASE" ]; then
+        set_property "postgresql-database" "$POSTGRES_DATABASE"
+    else
+        cat "$POSTGRES_MISSING_VARS"
+        exit 1;
+    fi
+
+    # Verify required parameters are present
+    if [ -z "$POSTGRES_USER" -o -z "$POSTGRES_PASSWORD" -o -z "$POSTGRES_DATABASE" ]; then
+        cat 
        exit 1;
    fi

    # Update config file
    set_property "postgresql-hostname" "$POSTGRES_HOSTNAME"
    set_property "postgresql-port"     "$POSTGRES_PORT"
-    set_property "postgresql-database" "$POSTGRES_DATABASE"
-    set_property "postgresql-username" "$POSTGRES_USER"
-    set_property "postgresql-password" "$POSTGRES_PASSWORD"

    set_optional_property               \
        "postgresql-absolute-max-connections" \