security of CI information with Docker Secrets
#4

(10-27-2020, 10:11 AM)richb201 Wrote: Thanks. So you are directly modifying the $dbconfig? Where are you doing this? I think you are doing this when building the Docker image. I am trying to use pre-existing Docker images and not build them myself. Any idea what CI module runs prior to the $dbconfig being used?
I am doing this in the constructor in app/Config/Database.php. The getenv() command gets information from $_ENV or the .env file - see http://codeigniter.com/user_guide/genera...ments.html
I am not 100% sure when this file runs, but it happens every time the application is executed (remember PHP is an interpreted language). We have been experimenting with bootstrapping this when the Docker container launches, but found it fragile on Fargate.

I don't change the code when building the Docker image; the code base is the same for all customers and is managed through git. We just add a specific .env file suitable for the production environment (we use Bamboo to manage multiple customers and staging/production) and then upload the built image to the registry. The .env file holds usernames, passwords and API keys.
The other part is the dynamic environment (database hosts, filesystems, Redis caches etc.) that we get from the Docker task ENV.

We also use the stock pre-existing image, but have a short Dockerfile to configure extensions etc. This is basically the file we use:
Code:
# Use an official PHP runtime as a parent image
FROM php:7.3.23-apache-stretch

# phpredis from PECL; the PEAR temp dir is removed in the same layer
RUN pecl install -o -f redis \
&&  rm -rf /tmp/pear \
&&  docker-php-ext-enable redis

# Build dependencies for the extensions below. The apt lists and the extracted
# PHP source are deleted in the same RUN so they never land in a layer.
RUN apt-get update && apt-get install -y \
        libfreetype6-dev \
        libjpeg62-turbo-dev \
        libmcrypt-dev \
        libzip-dev \
        libpng-dev \
        libicu-dev \
    && rm -rf /var/lib/apt/lists/* \
    && docker-php-source extract \
    && pecl install mcrypt-1.0.2 \
    && docker-php-ext-enable mcrypt \
    && docker-php-ext-install -j$(nproc) iconv mysqli zip mbstring \
    && docker-php-ext-configure opcache --enable-opcache \
    && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ \
    && docker-php-ext-install -j$(nproc) gd \
    && docker-php-ext-install opcache \
    && docker-php-ext-configure intl \
    && docker-php-ext-install intl \
    && docker-php-source delete

# mod_rewrite for CodeIgniter's front controller
RUN a2enmod rewrite

# Configuration files for apache and PHP
COPY 000-default.conf /etc/apache2/sites-available/000-default.conf
COPY tangix.ini /usr/local/etc/php/conf.d/

# git checkout directory containing the CI project
COPY deploy /var/www/deploy
# .env file for the specific customer created by BAMBOO in the build job.
# Caveat: a COPYed file is stored in an image layer, so anyone who can pull
# the image can read these credentials (docker save / docker history).
COPY env.bamboo /var/www/deploy/.env

# Setting build timestamp and other stuff.
# Dockerfile $variable expansion only sees ARG/ENV values declared in the
# Dockerfile itself, not the Bamboo agent's environment, so the values are
# declared as build args here (added; pass them with --build-arg).
ARG bamboo_shortPlanName
ARG bamboo_buildResultKey
ARG bamboo_buildTimeStamp
ENV VT_DOCKER_IMAGE="$bamboo_shortPlanName" \
VT_DOCKER_BUILD="$bamboo_buildResultKey" \
VT_DOCKER_TIME="$bamboo_buildTimeStamp"

# Make port 80 available to the world outside this container
EXPOSE 80

CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]

HtH
/Mattias
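Added example (not Mattias's code or the CodeIgniter project's own): an app/Config/Database.php constructor that fills the default connection from the process environment the way the post above describes, with two additions a practitioner would want: a fail-closed check so a missing secret stops startup instead of producing a login attempt with an empty password, and support for the `NAME_FILE` convention that the official Docker library images use (read the value from a mounted secret file such as /run/secrets/db_password instead of from an env var). Assumed here: a CodeIgniter 4 layout, and the variable names DB_HOST, DB_NAME, DB_USER, DB_PORT, DB_PASSWORD and DB_PASSWORD_FILE.

```php
<?php

// Added example: app/Config/Database.php for CodeIgniter 4 (assumed layout).
// Variable names DB_HOST, DB_NAME, DB_USER, DB_PORT, DB_PASSWORD and the
// *_FILE variants are assumptions, not settings from the original post.

namespace Config;

use CodeIgniter\Database\Config;
use RuntimeException;

class Database extends Config
{
    public $defaultGroup = 'default';

    public $default = [
        'DSN'      => '',
        'hostname' => 'localhost',
        'username' => '',
        'password' => '',
        'database' => '',
        'DBDriver' => 'MySQLi',
        'DBPrefix' => '',
        'pConnect' => false,
        'DBDebug'  => (ENVIRONMENT !== 'production'),
        'charset'  => 'utf8mb4',
        'DBCollat' => 'utf8mb4_general_ci',
        'port'     => 3306,
    ];

    public function __construct()
    {
        parent::__construct();

        // Dynamic values (hosts) come from the container's task environment,
        // secrets from the .env file or a mounted secret file. getenv() sees
        // both: CI4's DotEnv loader calls putenv() for every .env entry.
        $this->default['hostname'] = self::required('DB_HOST');
        $this->default['database'] = self::required('DB_NAME');
        $this->default['username'] = self::required('DB_USER');
        $this->default['password'] = self::required('DB_PASSWORD');
        $this->default['port']     = (int) (getenv('DB_PORT') ?: 3306);
    }

    /**
     * Resolve NAME from NAME_FILE (a Docker/ECS secret mounted as a file) or
     * from NAME itself. Throws instead of returning '' so a missing secret
     * surfaces as a startup failure rather than an empty-password login.
     */
    private static function required(string $name): string
    {
        $file = getenv($name . '_FILE');
        if ($file !== false && $file !== '') {
            if (! is_readable($file)) {
                throw new RuntimeException("{$name}_FILE points to unreadable path {$file}");
            }
            // Secret files usually end in a newline; strip it, keep the rest verbatim.
            $value = rtrim((string) file_get_contents($file), "\r\n");
        } else {
            $value = getenv($name);
        }

        if ($value === false || $value === '') {
            throw new RuntimeException("Required setting {$name} (or {$name}_FILE) is not set");
        }

        return $value;
    }
}
```

With this in place the .env file only needs the non-secret entries, and DB_PASSWORD_FILE=/run/secrets/db_password can be set in the task definition so the password is never baked into an image layer; the constructor behaves identically whether the value arrives via .env, the task ENV, or a mounted secret.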


Messages In This Thread
RE: security of CI information with Docker Secrets - by tgix - 10-27-2020, 10:29 AM


