From f3b232dd4c9471dbc5f7f76fb97d4f831012d9ae Mon Sep 17 00:00:00 2001
From: Andrej Shadura <andrew.shadura@collabora.co.uk>
Date: Thu, 12 May 2022 09:38:34 +0200
Subject: [PATCH] Copy secrets with correct ownership instead of symlinking
 them
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Secrets are owned by root and are not world-readable by default, so
the frontend cannot access them when it’s not running as root.
Not all versions of docker-compose support setting access rights for
secrets, so instead of wrangling with them, just copy secrets and
re-own them.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
---
 docker/configure-app.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/docker/configure-app.sh b/docker/configure-app.sh
index aaf4834b4f..9b4fc3a389 100755
--- a/docker/configure-app.sh
+++ b/docker/configure-app.sh
@@ -15,7 +15,8 @@ done
 # Allow overriding the secret key
 if [ -f /run/secrets/secretkey ]
 then
-    ln -sf /run/secrets/secretkey config/secret.key
+    cp /run/secrets/secretkey config/secret.key
+    chown frontend config/secret.key
 fi
 
 if [ ! -r config/secret.key ]
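Review bot: The copied key's mode is never set explicitly: `cp` without `-p` gives a newly created `config/secret.key` the source's permission bits filtered by the umask, and an already existing destination keeps whatever mode it had, so the copy can end up readable by more than the `frontend` user. There is also a short window between `cp` and `chown` in which the file exists under root ownership with that unchecked mode. Setting owner and mode in one step, e.g. `install -o frontend -m 0400 /run/secrets/secretkey config/secret.key` (assuming `install` is available in the image), addresses both. The same applies to the `/etc/msmtprc` and `config/auth.yml` copies in the second hunk. The `if [ ! -r config/secret.key ]` block continues outside this hunk, so how it reacts to a failed copy cannot be checked from here.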
@@ -50,11 +51,13 @@ fi
 # Set up msmtp if a configuration is supplied
 if [ -f /run/secrets/msmtprc ]
 then
-    ln -sf /run/secrets/msmtprc /etc/msmtprc
+    cp /run/secrets/msmtprc /etc/msmtprc
+    chown frontend /etc/msmtprc
 fi
 
 # Set up SSO auth if a configuration is supplied
 if [ -f /run/secrets/ssoauth ]
 then
-    ln -sf /run/secrets/ssoauth config/auth.yml
+    cp /run/secrets/ssoauth config/auth.yml
+    chown frontend config/auth.yml
 fi
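Review bot: Making `frontend` the owner of `/etc/msmtprc` and `config/auth.yml` lets the service account rewrite its own mail and SSO configuration, which the previous symlinks into `/run/secrets` did not allow if that mount is read-only (usual for Docker secrets, but not shown here). If the frontend only needs to read these files, consider keeping them root-owned and granting read access through a group, e.g. `chown root:frontend config/auth.yml` followed by `chmod 0440 config/auth.yml`, assuming a `frontend` group exists in the image. The same consideration applies to `config/secret.key` in the first hunk.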
-- 
GitLab