Fix #32 - Add Docker Secrets support (#33)

* Add Docker Secrets support

Author: jason-fox

README.md

@@ -10,9 +10,12 @@
 
 # What is WireCloud?
 
+[![](https://nexus.lab.fiware.org/repository/raw/public/badges/chapters/visualization.svg)](https://www.fiware.org/developers/catalogue/)
+[![Support badge](https://img.shields.io/badge/tag-fiware--wirecloud-orange.svg?logo=stackoverflow)](https://stackoverflow.com/questions/tagged/fiware-wirecloud)
+
 WireCloud builds on cutting-edge end-user development, RIA and semantic technologies to offer a next-generation end-user centred web application mashup platform aimed at leveraging the long tail of the Internet of Services. WireCloud builds on cutting-edge end-user (software) development, RIA and semantic technologies to offer a next-generation end-user centred web application mashup platform aimed at allowing end users without programming skills to easily create web applications and dashboards/cockpits (e.g. to visualize their data of interest or to control their domotized home or environment). Web application mashups integrate heterogeneous data, application logic, and UI components (widgets) sourced from the Web to create new coherent and value-adding composite applications. They are targeted at leveraging the "long tail" of the Web of Services (a.k.a. the Programmable Web) by exploiting rapid development, DIY, and shareability. They typically serve a specific situational (i.e. immediate, short-lived, customized) need, frequently with high potential for reuse. Is this "situational" character which precludes them to be offered as 'off-the-shelf' functionality by solution providers, and therefore creates the need for a tool like WireCloud
 
-WireCloud is part of [FIWARE](https://www.fiware.org/). Check it out in the [Catalogue](https://catalogue.fiware.org/enablers/application-mashup-wirecloud)
+WireCloud is part of [FIWARE](https://www.fiware.org/). Check it out in the [Catalogue](https://www.fiware.org/developers/catalogue/)
 
 [![WireCloud's logo](https://raw.githubusercontent.com/Wirecloud/docker-wirecloud/master/logo.png)](https://github.com/Wirecloud/wirecloud)
 
@@ -58,6 +61,25 @@ appropriately.
 [ALLOWED_HOSTS]: https://docs.djangoproject.com/en/2.1/ref/settings/#allowed-hosts
 
 
+### Docker Secrets
+
+As an alternative to passing sensitive information via environment variables, `_FILE` may be appended to some sensitive
+environment variables, causing the initialization script to load the values for those variables from files present in
+the container. In particular, this can be used to load passwords from Docker secrets stored in
+`/run/secrets/<secret_name>` files. For example:
+
+```console
+docker run --name wirecloud -e DB_PASSWORD_FILE=/run/secrets/password -d fiware/wirecloud
+```
+
+Currently, this `_FILE` suffix is supported for:
+
+-  `DB_PASSWORD`
+-  `DB_USERNAME`
+-  `SOCIAL_AUTH_FIWARE_KEY`
+-  `SOCIAL_AUTH_FIWARE_SECRET`
+
+
 ## Running manage.py commands
 
 You can run any available `manage.py` command by using `docker exec -ti some-wirecloud manage.py ...`. For example, you can create superusers/administrators by running the following command:
@@ -205,6 +227,7 @@ http {
 Run `docker stack deploy -c docker-compose.yml wirecloud` (or `docker-compose -f docker-compose.yml up`), wait for it to initialize completely, and visit `http://swarm-ip`, `http://localhost`, or `http://host-ip` (as appropriate). Also, take into account that you should configure https to have a production-ready deployment of WireCloud (not covered by this example).
 
 
+
 ## Customizations
 
 If you want to customize your WireCloud installation, the best option is to create a new docker image by extending one of the official images and installing new modules. For example, you can follow the following [tutorial](https://wirecloud.readthedocs.io/en/stable/development/platform/themes/) for creating a custom theme and install it on the extended image and use the `DEFAULT_THEME` environment variable to configure it as the default theme.
@@ -327,7 +350,6 @@ $ docker-compose up -d
 
 This docker-compose configuration will detect when the WireCloud configuration is missing and, in that case, it will populate the volume at `/opt/wirecloud_instance` (mapped to the local `wirecloud_instance` folder), the database and the `/var/www/static` volume (mapped to the local `static` folder). This initial configuration will not include any administrator user so, please create one using the `createsuperuser` command.
 
-
 # License
 
 View license information for [WireCloud](https://github.com/Wirecloud/wirecloud/blob/develop/LICENSE.txt).

dev/Dockerfile

@@ -46,7 +46,8 @@ RUN adduser --system --group --shell /bin/bash wirecloud && \
     cd /opt && \
     wirecloud-admin startproject wirecloud_instance wirecloud_instance && \
     chown -R wirecloud:wirecloud wirecloud_instance /var/www/static && \
-    chmod a+x wirecloud_instance/manage.py
+    chmod a+x wirecloud_instance/manage.py  && \
+    chmod a+x /docker-entrypoint.sh
 
 COPY ./settings.py ./urls.py /opt/wirecloud_instance/wirecloud_instance/
 

dev/docker-entrypoint.sh

@@ -2,6 +2,33 @@
 
 set -e
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'DB_PASSWORD' 'example'
+# (will allow for "$DB_PASSWORD_FILE" to fill in the value of
+#  "$DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+file_env 'DB_PASSWORD' 'postgres'
+file_env 'DB_USERNAME' 'postgres'
+file_env 'SOCIAL_AUTH_FIWARE_KEY'
+file_env 'SOCIAL_AUTH_FIWARE_SECRET'
+
 # allow the container to be started with `--user`
 if [ "$(id -u)" = '0' ]; then
 	chown -R wirecloud data