puppet: Read camo secret at startup time, not at puppet-apply time.

Writing the secret to the supervisor configuration file makes changes to the secret requires a zulip-puppet-apply to take hold. The Docker image is constructed to avoid having to run zulip-puppet-apply on startup, and indeed cannot run zulip-puppet-apply after having configured secrets, as it has replaced the zulip.conf file with a symlink, for example. This means that camo gets the static secret that was built into the image, and not the one regenerated on first startup. Read the camo secret at process startup time. Because this pattern is likely common with "12-factor" applications which can read from environment variables, write a generic tool to map secrets to environment variables before exec'ing a binary, and use that for Camo. (cherry picked from commit 358a7fb0c6)
2025-11-01 20:44:04 +00:00 · 2021-12-01 17:52:47 -08:00
parent 859d88f76c
commit d3573af95c
4 changed files with 35 additions and 3 deletions
--- a/puppet/zulip/files/secret-env-wrapper
+++ b/puppet/zulip/files/secret-env-wrapper
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -eu
+
+for arg in "$@"; do
+    if [ "$arg" == "--" ]; then
+        shift
+        exec "$@"
+    elif [[ "$arg" == *"="* ]]; then
+        shift
+        varname="${arg%%=*}"
+        secretname="${arg#*=}"
+        secret=$(crudini --get /etc/zulip/zulip-secrets.conf secrets "$secretname")
+        export "$varname"="$secret"
+    else
+        exec "$@"
+    fi
+done
+
+{
+    echo "Usage:"
+    echo "    secret-env-wrapper ENVNAME=secretname binary [argument [argument [...]]]"
+} >&2
+
+exit 1
--- a/puppet/zulip/manifests/camo.pp
+++ b/puppet/zulip/manifests/camo.pp
@@ -18,13 +18,13 @@ class zulip::camo (String $listen_address = '0.0.0.0') {
    bin            => 'bin/go-camo',
  }

-  $camo_key = zulipsecret('secrets', 'camo_key', '')
  file { "${zulip::common::supervisor_conf_dir}/go-camo.conf":
    ensure  => file,
    require => [
      Package['camo'],
      Package[supervisor],
      File[$bin],
+      File['/usr/local/bin/secret-env-wrapper'],
    ],
    owner   => 'root',
    group   => 'root',
--- a/puppet/zulip/manifests/supervisor.pp
+++ b/puppet/zulip/manifests/supervisor.pp
@@ -107,4 +107,12 @@ class zulip::supervisor {
    content => template('zulip/supervisor/supervisord.conf.erb'),
    notify  => Exec['supervisor-restart'],
  }
+
+  file { '/usr/local/bin/secret-env-wrapper':
+    ensure => file,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+    source => 'puppet:///modules/zulip/secret-env-wrapper',
+  }
 }
--- a/puppet/zulip/templates/supervisor/go-camo.conf.erb
+++ b/puppet/zulip/templates/supervisor/go-camo.conf.erb
@@ -1,6 +1,5 @@
 [program:go-camo]
-command=<%= @bin %> --listen=<%= @listen_address %>:9292 -H "Strict-Transport-Security: max-age=15768000" -H "X-Frame-Options: DENY" --verbose
-environment=GOCAMO_HMAC="<%= @camo_key %>"
+command=/usr/local/bin/secret-env-wrapper GOCAMO_HMAC=camo_key <%= @bin %> --listen=<%= @listen_address %>:9292 -H "Strict-Transport-Security: max-age=15768000" -H "X-Frame-Options: DENY" --verbose
 priority=15
 autostart=true
 autorestart=true