From 77adc29b73827382d710cf69eb2a6e27025377db Mon Sep 17 00:00:00 2001
From: stedif <stefano.difrischia@inaf.it>
Date: Fri, 19 Nov 2021 15:21:34 +0100
Subject: [PATCH] L2SS-475: store sensitive data in env variables

---
 docker-compose/.env                                    |  3 +++
 docker-compose/archiver-timescale.yml                  | 10 ++--------
 docker-compose/timescaledb/Dockerfile                  |  2 +-
 .../resources/{01_admin.sql => 01_admin.sh}            |  6 +++++-
 4 files changed, 11 insertions(+), 10 deletions(-)
 rename docker-compose/timescaledb/resources/{01_admin.sql => 01_admin.sh} (50%)

diff --git a/docker-compose/.env b/docker-compose/.env
index de1f54725..e5b3ee612 100644
--- a/docker-compose/.env
+++ b/docker-compose/.env
@@ -13,3 +13,6 @@ TANGO_JAVA_VERSION=9.3.6
 TANGO_POGO_VERSION=9.6.34
 TANGO_REST_VERSION=1.14.6
 TANGO_STARTER_VERSION=2021-05-28
+
+PG_SUPERUSER_PASSWORD=password
+PG_HDB_PASSWORD=hdbpp
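Review bot: The values `password` and `hdbpp` at the two added lines are committed in a tracked file, so the credentials move from an external secret into the repository rather than out of it; docker-compose reads `.env` from the project directory, so these are the values actually used unless the shell overrides them. Keeping the keys without values, `PG_SUPERUSER_PASSWORD=` and `PG_HDB_PASSWORD=`, with the real values supplied from the environment or an untracked `.env.local`/`.env.example` copy, keeps the interpolation working while leaving nothing sensitive in VCS; an empty `POSTGRES_PASSWORD` also makes the postgres image refuse to initialise, which is the fail-closed behaviour wanted here. Whether `.env` is listed in the project's `.gitignore` is not visible in this patch and should be checked.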
diff --git a/docker-compose/archiver-timescale.yml b/docker-compose/archiver-timescale.yml
index 12dc64454..056016b55 100644
--- a/docker-compose/archiver-timescale.yml
+++ b/docker-compose/archiver-timescale.yml
@@ -1,9 +1,5 @@
 version: '2'
 
-secrets:
-  pg_password:
-    external: true
-
 services:
   archiver-timescale:
     image: timescaledb
@@ -14,13 +10,11 @@ services:
       - control
     ports:
       - "5432:5432/tcp"
-    secrets:
-      - source: pg_password
-        target: POSTGRES_PASSWORD
     depends_on:
       - databaseds
     environment:
-      - POSTGRES_PASSWORD_FILE= '/run/secrets/db_password'
+      - POSTGRES_PASSWORD=${PG_SUPERUSER_PASSWORD}
+      - PG_HDB_PASSWORD=${PG_HDB_PASSWORD}
       - TANGO_HOST=${TANGO_HOST}
     logging:
       driver: syslog
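Review bot: `${PG_SUPERUSER_PASSWORD}` and `${PG_HDB_PASSWORD}` on the two added environment lines expand to the empty string when the variable is unset, with only a compose warning, so a missing value surfaces later as a postgres init error rather than at `docker-compose up`. With the file bumped to `version: '2.1'` (the `:?` form is not accepted by format 2.0) the lines can be `- POSTGRES_PASSWORD=${PG_SUPERUSER_PASSWORD:?PG_SUPERUSER_PASSWORD is not set}` and `- PG_HDB_PASSWORD=${PG_HDB_PASSWORD:?PG_HDB_PASSWORD is not set}`, which abort with a clear message. Note also that both passwords now sit in the container's process environment, readable via `docker inspect` and by every process in the container, whereas the image's `POSTGRES_PASSWORD_FILE` convention only needs a readable file (a bind mount would do, since the `secrets:` block is a v3-only feature); worth a comment on the `environment:` block so the trade-off is recorded.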
diff --git a/docker-compose/timescaledb/Dockerfile b/docker-compose/timescaledb/Dockerfile
index 5a8ecde23..86e7a820c 100644
--- a/docker-compose/timescaledb/Dockerfile
+++ b/docker-compose/timescaledb/Dockerfile
@@ -1,7 +1,7 @@
 FROM timescale/timescaledb:latest-pg12
 
 
-COPY resources/01_admin.sql docker-entrypoint-initdb.d/002_admin.sql
+COPY resources/01_admin.sh docker-entrypoint-initdb.d/002_admin.sh
 COPY resources/02_hdb_schema.sql docker-entrypoint-initdb.d/003_hdb_schema.sql
 COPY resources/03_hdb_roles.sql docker-entrypoint-initdb.d/004_hdb_roles.sql
 COPY resources/04_hdb_ext_aggregates.sql docker-entrypoint-initdb.d/005_hdb_ext_aggregates.sql
diff --git a/docker-compose/timescaledb/resources/01_admin.sql b/docker-compose/timescaledb/resources/01_admin.sh
similarity index 50%
rename from docker-compose/timescaledb/resources/01_admin.sql
rename to docker-compose/timescaledb/resources/01_admin.sh
index 51848f45f..5cf506b30 100644
--- a/docker-compose/timescaledb/resources/01_admin.sql
+++ b/docker-compose/timescaledb/resources/01_admin.sh
@@ -1,4 +1,8 @@
-CREATE ROLE hdb_admin WITH LOGIN PASSWORD 'hdbpp';
+#!/bin/bash
+
+psql << EOF
+CREATE ROLE hdb_admin WITH LOGIN PASSWORD '${PG_HDB_PASSWORD}';
 ALTER USER hdb_admin CREATEDB;
 ALTER USER hdb_admin CREATEROLE;
 ALTER USER hdb_admin SUPERUSER;
+EOF
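Review bot: The unquoted heredoc at the `psql << EOF` line lets the shell expand `${PG_HDB_PASSWORD}` directly into the SQL text, so a password containing a single quote breaks the `CREATE ROLE` statement, and an unset variable silently creates `hdb_admin` with an empty password. Passing the value as a psql variable and quoting it with `:'pw'` lets psql produce a correctly escaped literal, and a `:?` check aborts the init run when the variable is missing. The bare `psql` also runs without `-v ON_ERROR_STOP=1`, so a failing statement does not stop database initialisation, and without `--username "$POSTGRES_USER"` it connects as the OS user rather than the configured superuser; the official image documents `psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB"` as the form for init scripts. The hunk covers the whole file.
```shell
#!/bin/bash
: "${PG_HDB_PASSWORD:?PG_HDB_PASSWORD must be set}"

psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
     -v pw="$PG_HDB_PASSWORD" <<-'EOSQL'
CREATE ROLE hdb_admin WITH LOGIN PASSWORD :'pw';
-- … unchanged: ALTER USER hdb_admin statements …
EOSQL
```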
-- 
GitLab