18 changes: 4 additions & 14 deletions Dockerfile
@@ -1,8 +1,5 @@
# Use stackql image
FROM stackql/stackql:latest as stackql

# Use postgres image
FROM postgres:latest as postgres
FROM postgres:latest

# Environment variables for postgres backend
ENV POSTGRES_HOST=127.0.0.1
Expand All @@ -14,22 +11,14 @@ ENV POSTGRES_DB=stackql
# Environment variable to toggle SECURE_MODE
ENV SECURE_MODE=false

# Environment variable for Key Vault name for SECURE_MODE, if local use local cert and key files
ENV KEYVAULT_NAME=local
ENV KEYVAULT_CREDENTIAL=notset

# Environment variable for StackQL server configuration
ENV PGSRV_PORT=7432

# Copy initialization script for database
COPY ./init-db.sh /docker-entrypoint-initdb.d/init-db.sh
RUN chmod +x /docker-entrypoint-initdb.d/init-db.sh

# Copy stackql binary
COPY --from=stackql /srv/stackql/stackql /srv/stackql/stackql

# Install certificates

RUN apt-get update && \
apt-get install -y curl jq ca-certificates && update-ca-certificates

Expand All @@ -39,9 +28,10 @@ EXPOSE $PGSRV_PORT
# Volume for certificates
VOLUME ["/opt/stackql/srv/credentials"]

# Copy the startup script
# Copy the StackQL binary and startup script
COPY --from=stackql/stackql:latest /srv/stackql/stackql /srv/stackql/stackql
COPY startup.sh /usr/local/bin/startup.sh
RUN chmod +x /usr/local/bin/startup.sh

# Set the startup script as the entrypoint
ENTRYPOINT ["/usr/local/bin/startup.sh"]
ENTRYPOINT ["/usr/local/bin/startup.sh"]
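Review bot: The new `COPY --from=stackql/stackql:latest /srv/stackql/stackql /srv/stackql/stackql` pulls the server binary by a floating tag, so two builds of this Dockerfile can ship different, unaudited binaries, and the base `FROM postgres:latest` has the same problem. Pinning both by digest, e.g. `COPY --from=stackql/stackql@sha256:<DIGEST> ...` and `FROM postgres:<VERSION>@sha256:<DIGEST>`, makes the image reproducible and lets the provenance of the copied binary be checked against a known release. The second hunk drops the Key Vault variables and apparently the Key Vault fetch dependencies; which of `curl jq ca-certificates` were removed is not recoverable from this rendering, so confirm the remaining runtime does not still rely on that `update-ca-certificates` step.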
16 changes: 8 additions & 8 deletions README.md
Expand Up @@ -192,6 +192,10 @@ az keyvault secret set \
2. **Create an Azure Container Instance:**
To create an instance, use the Azure CLI. Replace values for `name`, `resource-group`, and `dns-name-label` with your specific details. The `--dns-name-label` should be a unique DNS name for the ACI.
```bash
SERVER_CERT=$(base64 -w 0 creds/server_cert.pem)
SERVER_KEY=$(base64 -w 0 creds/server_key.pem)
CLIENT_CERT=$(base64 -w 0 creds/client_cert.pem)

az container create \
--name stackqlserver \
--resource-group stackql-activity-monitor-rg \
Expand All @@ -200,14 +204,10 @@ az container create \
--ports 7432 \
--protocol TCP \
--environment-variables \
POSTGRES_HOST=postgres-host \
POSTGRES_PORT=postgres-port \
POSTGRES_USER=postgres-user \
POSTGRES_PASSWORD=postgres-password \
POSTGRES_DB=postgres-db \
SECURE_MODE=false \
KEYVAULT_NAME=keyvault-name \
KEYVAULT_CREDENTIAL=keyvault-credential
SECURE_MODE=true \
SERVER_CERT=$SERVER_CERT \
SERVER_KEY=$SERVER_KEY \
CLIENT_CERT=$CLIENT_CERT
```
Make sure to replace the environment variable values with the ones you need for your setup.

63 changes: 10 additions & 53 deletions startup.sh
Expand Up @@ -3,76 +3,33 @@
# Set directory paths
CERT_DIR="/opt/stackql/srv/credentials"

# Function to fetch a secret from Azure Key Vault
fetch_secret() {
local secret_name=$1
local secret_value=$(curl -s \
-H "Authorization: Bearer $KEYVAULT_CREDENTIAL" \
"https://$KEYVAULT_NAME.vault.azure.net/secrets/$secret_name?api-version=7.0" | jq -r '.value')

if [ -z "$secret_value" ]; then
echo "Failed to fetch secret: $secret_name"
exit 1
fi

echo "$secret_value"
}

# Write secrets to files
write_cert_or_key() {
local content=$1
local file_path=$2

echo "$content" > "$file_path"
chmod 600 "$file_path"
}

# Check if certificates and keys are present in the directory
# Check if certificates and keys are present in the environment variables or the directory
check_certs_and_keys() {
local server_cert="$CERT_DIR/server_cert.pem"
local server_key="$CERT_DIR/server_key.pem"
local client_cert="$CERT_DIR/client_cert.pem"

if [ ! -f "$server_cert" ] || [ ! -f "$server_key" ] || [ ! -f "$client_cert" ]; then
echo "Certificates or keys are missing in $CERT_DIR"
exit 1
if [ -z "$SERVER_CERT" ] || [ -z "$SERVER_KEY" ] || [ -z "$CLIENT_CERT" ]; then
if [ ! -f "$server_cert" ] || [ ! -f "$server_key" ] || [ ! -f "$client_cert" ]; then
echo "Certificates or keys are missing."
exit 1
fi
else
echo "$SERVER_CERT" | base64 -d > "$server_cert"
echo "$SERVER_KEY" | base64 -d > "$server_key"
echo "$CLIENT_CERT" | base64 -d > "$client_cert"
fi

# Set permissions for the certificates and keys
chmod 600 "$server_cert" "$server_key" "$client_cert"
}

# Fetch and write secrets if needed
fetch_and_write_secrets() {
echo "Fetching secrets from Azure Key Vault..."
local server_cert=$(fetch_secret "stackql-server-cert")
local server_key=$(fetch_secret "stackql-server-key")
local client_cert=$(fetch_secret "stackql-client-cert")

write_cert_or_key "$server_cert" "$CERT_DIR/server_cert.pem"
write_cert_or_key "$server_key" "$CERT_DIR/server_key.pem"
write_cert_or_key "$client_cert" "$CERT_DIR/client_cert.pem"

echo "Secrets fetched and written to $CERT_DIR"
}

# Function to start StackQL with or without mTLS
start_stackql() {
if [ "$SECURE_MODE" = "true" ]; then
echo "Running with mTLS..."

# Fetch secrets from Azure Key Vault if not running locally
if [ "$KEYVAULT_NAME" != "local" ] && [ "$KEYVAULT_CREDENTIAL" != "notset" ]; then
fetch_and_write_secrets
else
echo "Using local secrets..."
fi

# Check if certificates and keys are present and set their permissions
check_certs_and_keys

CLIENT_CA_ENCODED=$(base64 -w 0 "$CERT_DIR/client_cert.pem")

# Start the server with TLS configuration
/srv/stackql/stackql srv --approot=/srv/stackql/.stackql \
--pgsrv.port=$PGSRV_PORT \
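Review bot: In the new `else` branch of `check_certs_and_keys`, `echo "$SERVER_KEY" | base64 -d > "$server_key"` creates the key file under the default umask and only the later `chmod 600` tightens it, so the decoded private key is briefly readable by every user in the container; the decode status is also unchecked, so a malformed `SERVER_KEY` leaves an empty or truncated file in place and the server is started on it (whether `set -e` is in effect is not visible here, because the file header is outside the hunk). Wrapping the writes in `umask 077`, failing on a non-zero decode status, and `unset SERVER_KEY` once the key is on disk — otherwise it stays in the environment inherited by the `stackql srv` process and is readable through that process's environment — would close all three gaps. The README hunk documents passing `SERVER_KEY` with `az container create --environment-variables`, which records it in the container group's readable properties; `--secure-environment-variables` is the channel meant for this kind of value. `start_stackql` continues past the end of the hunk.
```bash
  else
    # Key material: restrict permissions before the bytes reach disk, and
    # refuse to start on a value that does not decode cleanly.
    (
      umask 077
      printf '%s' "$SERVER_CERT" | base64 -d > "$server_cert" &&
      printf '%s' "$SERVER_KEY" | base64 -d > "$server_key" &&
      printf '%s' "$CLIENT_CERT" | base64 -d > "$client_cert"
    ) || { echo "Failed to decode certificate material from environment." >&2; exit 1; }
    # Do not hand the private key on to the server process via its environment.
    unset SERVER_KEY
  fi
  # … unchanged: chmod 600 on the three files …
```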