Update all env vars & fix secrets #745

deepfence · Dec 14, 2022 · 1396de5 · 1396de5
1 parent f662840
commit 1396de5
Show file tree

Hide file tree

Showing 10 changed files with 73 additions and 72 deletions.
diff --git a/deepfence_ingester/secrets.go b/deepfence_ingester/secrets.go
@@ -23,6 +23,7 @@ type Secret struct {
 	ComplianceCheckType string                 `json:"compliance_check_type"`
 	CloudProvider       string                 `json:"cloud_provider"`
 	NodeName            string                 `json:"node_name"`
+	HostName            string                 `json:"host_name"`
 	NodeID              string                 `json:"node_id"`
 	ScanID              string                 `json:"scan_id"`
 	Masked              string                 `json:"masked"`

diff --git a/deepfence_postgres/Dockerfile b/deepfence_postgres/Dockerfile
@@ -3,12 +3,12 @@ FROM postgres:14.2-alpine3.15
 MAINTAINER Deepfence Inc
 LABEL deepfence.role=system
 
-ENV POSTGRES_USER_DB_HOST=deepfence-postgres \
-    POSTGRES_USER_DB_PORT=5432 \
-    POSTGRES_USER_DB_USER=deepfence \
-    POSTGRES_USER_DB_PASSWORD=deepfence \
-    POSTGRES_USER_DB_NAME=users \
-    POSTGRES_USER_DB_SSLMODE=disable \
+ENV DEEPFENCE_POSTGRES_USER_DB_HOST=deepfence-postgres \
+    DEEPFENCE_POSTGRES_USER_DB_PORT=5432 \
+    DEEPFENCE_POSTGRES_USER_DB_USER=deepfence \
+    DEEPFENCE_POSTGRES_USER_DB_PASSWORD=deepfence \
+    DEEPFENCE_POSTGRES_USER_DB_NAME=users \
+    DEEPFENCE_POSTGRES_USER_DB_SSLMODE=disable \
     DF_PROG_NAME="postgres1" \
     PGDATA="/data/postgres1/data"
 #ENV PGDATA /var/lib/postgresql/data

diff --git a/deepfence_postgres/create-pg-db.sh b/deepfence_postgres/create-pg-db.sh
@@ -7,16 +7,16 @@ set -u
 function create_user_and_database() {
 	local database=$1
 	echo "  Creating user and database '$database'"
-	psql --username "$POSTGRES_USER" <<-EOSQL
+	psql --username "$DEEPFENCE_POSTGRES_USER" <<-EOSQL
 	    CREATE USER $database;
 	    CREATE DATABASE $database;
 	    GRANT ALL PRIVILEGES ON DATABASE $database TO $database;
 EOSQL
 }
 
-if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
-	echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
-	for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
+if [ -n "$DEEPFENCE_POSTGRES_MULTIPLE_DATABASES" ]; then
+	echo "Multiple database creation requested: $DEEPFENCE_POSTGRES_MULTIPLE_DATABASES"
+	for db in $(echo $DEEPFENCE_POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
 		create_user_and_database $db
 	done
 	echo "Multiple databases created"

diff --git a/deepfence_postgres/postgres-entrypoint.sh b/deepfence_postgres/postgres-entrypoint.sh
@@ -2,10 +2,10 @@
 
 echoerr() { echo "$@" 1>&2; }
 
-export POSTGRES_MULTIPLE_DATABASES="$POSTGRES_USER_DB_NAME"
-export POSTGRES_USER=$POSTGRES_USER_DB_USER
-export POSTGRES_PASSWORD=$POSTGRES_USER_DB_PASSWORD
-export PGPASSWORD=$POSTGRES_USER_DB_PASSWORD
+export DEEPFENCE_POSTGRES_MULTIPLE_DATABASES="$DEEPFENCE_POSTGRES_USER_DB_NAME"
+export DEEPFENCE_POSTGRES_USER=$DEEPFENCE_POSTGRES_USER_DB_USER
+export DEEPFENCE_POSTGRES_PASSWORD=$DEEPFENCE_POSTGRES_USER_DB_PASSWORD
+export PGPASSWORD=$DEEPFENCE_POSTGRES_USER_DB_PASSWORD
 
 /bin/bash /usr/local/bin/create-pg-dirs.sh && /bin/bash /usr/local/bin/new-docker-entrypoint.sh postgres
 

diff --git a/deepfence_server/Dockerfile b/deepfence_server/Dockerfile
@@ -16,22 +16,22 @@ FROM alpine:3.16
 MAINTAINER Deepfence Inc
 LABEL deepfence.role=system
 
-ENV POSTGRES_USER_DB_HOST=deepfence-postgres \
-    POSTGRES_USER_DB_PORT=5432 \
-    POSTGRES_USER_DB_USER=deepfence \
-    POSTGRES_USER_DB_PASSWORD=deepfence \
-    POSTGRES_USER_DB_NAME=users \
-    POSTGRES_USER_DB_SSLMODE=disable \
-    REDIS_HOST=deepfence-redis \
-    REDIS_PORT=6379 \
-    REDIS_DB_NUMBER=0 \
-    NEO4J_HOST=deepfence-neo4j \
-    NEO4J_BOLT_PORT=7687 \
-    NEO4J_USER=neo4j \
-    NEO4J_PASSWORD=password \
-    HTTP_LISTEN_ENDPOINT=8080 \
-    SAAS_DEPLOYMENT=false \
-    KAFKA_BROKERS=deepfence-kafka-broker:9092
+ENV DEEPFENCE_POSTGRES_USER_DB_HOST=deepfence-postgres \
+    DEEPFENCE_POSTGRES_USER_DB_PORT=5432 \
+    DEEPFENCE_POSTGRES_USER_DB_USER=deepfence \
+    DEEPFENCE_POSTGRES_USER_DB_PASSWORD=deepfence \
+    DEEPFENCE_POSTGRES_USER_DB_NAME=users \
+    DEEPFENCE_POSTGRES_USER_DB_SSLMODE=disable \
+    DEEPFENCE_REDIS_HOST=deepfence-redis \
+    DEEPFENCE_REDIS_PORT=6379 \
+    DEEPFENCE_REDIS_DB_NUMBER=0 \
+    DEEPFENCE_NEO4J_HOST=deepfence-neo4j \
+    DEEPFENCE_NEO4J_BOLT_PORT=7687 \
+    DEEPFENCE_NEO4J_USER=neo4j \
+    DEEPFENCE_NEO4J_PASSWORD=password \
+    DEEPFENCE_HTTP_LISTEN_ENDPOINT=8080 \
+    DEEPFENCE_SAAS_DEPLOYMENT=false \
+    DEEPFENCE_KAFKA_BROKERS=deepfence-kafka-broker:9092
 
 ADD deepfence_server/auth /auth
 ADD deepfence_utils/postgresql /usr/local/postgresql-migrate

diff --git a/deepfence_server/entrypoint.sh b/deepfence_server/entrypoint.sh
@@ -1,23 +1,23 @@
 #!/bin/sh
 set -e
 
-until pg_isready -h "${POSTGRES_USER_DB_HOST}" -p "${POSTGRES_USER_DB_PORT}" -U "${POSTGRES_USER_DB_USER}" -d "${POSTGRES_USER_DB_NAME}"; do
+until pg_isready -h "${DEEPFENCE_POSTGRES_USER_DB_HOST}" -p "${DEEPFENCE_POSTGRES_USER_DB_PORT}" -U "${DEEPFENCE_POSTGRES_USER_DB_USER}" -d "${DEEPFENCE_POSTGRES_USER_DB_NAME}"; do
   echo >&2 "Postgres is unavailable - sleeping"
   sleep 5
 done
 
 # Database migration
 /usr/local/bin/migrate \
   -source file:///usr/local/postgresql-migrate \
-  -database "postgres://${POSTGRES_USER_DB_USER}:${POSTGRES_USER_DB_PASSWORD}@${POSTGRES_USER_DB_HOST}:${POSTGRES_USER_DB_PORT}/${POSTGRES_USER_DB_NAME}?sslmode=${POSTGRES_USER_DB_SSLMODE}" \
+  -database "postgres://${DEEPFENCE_POSTGRES_USER_DB_USER}:${DEEPFENCE_POSTGRES_USER_DB_PASSWORD}@${DEEPFENCE_POSTGRES_USER_DB_HOST}:${DEEPFENCE_POSTGRES_USER_DB_PORT}/${DEEPFENCE_POSTGRES_USER_DB_NAME}?sslmode=${DEEPFENCE_POSTGRES_USER_DB_SSLMODE}" \
   up
 
 if [ ! $? -eq 0 ]; then
     echo "postgres database migration failed, exiting"
     exit 1
 fi
 
-until kcat -L -b ${KAFKA_BROKERS};
+until kcat -L -b ${DEEPFENCE_KAFKA_BROKERS};
 do
   echo >&2 "kafka is unavailable - sleeping"
   sleep 5

diff --git a/deepfence_server/main.go b/deepfence_server/main.go
@@ -135,7 +135,7 @@ func initialize() (*Config, error) {
 	// logger
 	log.Initialize(*verbosity)
 
-	httpListenEndpoint := os.Getenv("HTTP_LISTEN_ENDPOINT")
+	httpListenEndpoint := os.Getenv("DEEPFENCE_HTTP_LISTEN_ENDPOINT")
 	if httpListenEndpoint == "" {
 		httpListenEndpoint = "8080"
 	}
@@ -177,7 +177,7 @@ func initializeDatabase() ([]byte, error) {
 }
 
 func initializeKafka() error {
-	kafkaBrokers = os.Getenv("KAFKA_BROKERS")
+	kafkaBrokers = os.Getenv("DEEPFENCE_KAFKA_BROKERS")
 	if kafkaBrokers == "" {
 		kafkaBrokers = "deepfence-kafka-broker:9092"
 	}

diff --git a/deepfence_server/router/router.go b/deepfence_server/router/router.go
@@ -160,7 +160,7 @@ func newAuthorizationHandler() (*casbin.Enforcer, error) {
 }
 
 func IsSaasDeployment() bool {
-	if strings.ToLower(os.Getenv("SAAS_DEPLOYMENT")) == "true" {
+	if strings.ToLower(os.Getenv("DEEPFENCE_SAAS_DEPLOYMENT")) == "true" {
 		return true
 	}
 	return false

diff --git a/deepfence_utils/directory/directory.go b/deepfence_utils/directory/directory.go
@@ -51,9 +51,9 @@ func init() {
 	postgresqlCfg := init_posgres()
 
 	saasMode := false
-	saasModeOn, has := os.LookupEnv("SAAS_MODE")
+	saasModeOn, has := os.LookupEnv("DEEPFENCE_SAAS_MODE")
 	if !has {
-		log.Warn().Msg("SAAS_MODE defaults to: off")
+		log.Warn().Msg("DEEPFENCE_SAAS_MODE defaults to: off")
 	} else if saasModeOn == "on" {
 		saasMode = true
 	}
@@ -77,21 +77,21 @@ func init() {
 }
 
 func initRedis() RedisConfig {
-	redisHost, has := os.LookupEnv("REDIS_HOST")
+	redisHost, has := os.LookupEnv("DEEPFENCE_REDIS_HOST")
 	if !has {
 		redisHost = "localhost"
-		log.Warn().Msgf("REDIS_HOST defaults to: %v", redisHost)
+		log.Warn().Msgf("DEEPFENCE_REDIS_HOST defaults to: %v", redisHost)
 	}
-	redisPort, has := os.LookupEnv("REDIS_PORT")
+	redisPort, has := os.LookupEnv("DEEPFENCE_REDIS_PORT")
 	if !has {
 		redisPort = "6379"
-		log.Warn().Msgf("REDIS_PORT defaults to: %v", redisPort)
+		log.Warn().Msgf("DEEPFENCE_REDIS_PORT defaults to: %v", redisPort)
 	}
 	redisEndpoint := redisHost + ":" + redisPort
-	redisPassword := os.Getenv("REDIS_PASSWORD")
+	redisPassword := os.Getenv("DEEPFENCE_REDIS_PASSWORD")
 	redisDbNumber := 0
 	var err error
-	redisDbNumberStr := os.Getenv("REDIS_DB_NUMBER")
+	redisDbNumberStr := os.Getenv("DEEPFENCE_REDIS_DB_NUMBER")
 	if redisDbNumberStr != "" {
 		redisDbNumber, err = strconv.Atoi(redisDbNumberStr)
 		if err != nil {
@@ -107,25 +107,25 @@ func initRedis() RedisConfig {
 
 func init_posgres() PostgresqlConfig {
 	var err error
-	postgresHost, has := os.LookupEnv("POSTGRES_USER_DB_HOST")
+	postgresHost, has := os.LookupEnv("DEEPFENCE_POSTGRES_USER_DB_HOST")
 	if !has {
 		postgresHost = "localhost"
-		log.Warn().Msgf("POSTGRES_USER_DB_HOST defaults to: %v", postgresHost)
+		log.Warn().Msgf("DEEPFENCE_POSTGRES_USER_DB_HOST defaults to: %v", postgresHost)
 	}
 	postgresPort := 5432
-	postgresPortStr := os.Getenv("POSTGRES_USER_DB_PORT")
+	postgresPortStr := os.Getenv("DEEPFENCE_POSTGRES_USER_DB_PORT")
 	if postgresPortStr == "" {
-		log.Warn().Msgf("POSTGRES_USER_DB_PORT defaults to: %d", postgresPort)
+		log.Warn().Msgf("DEEPFENCE_POSTGRES_USER_DB_PORT defaults to: %d", postgresPort)
 	} else {
 		postgresPort, err = strconv.Atoi(postgresPortStr)
 		if err != nil {
 			postgresPort = 5432
 		}
 	}
-	postgresUsername := os.Getenv("POSTGRES_USER_DB_USER")
-	postgresPassword := os.Getenv("POSTGRES_USER_DB_PASSWORD")
-	postgresDatabase := os.Getenv("POSTGRES_USER_DB_NAME")
-	postgresSslMode := os.Getenv("POSTGRES_USER_DB_SSLMODE")
+	postgresUsername := os.Getenv("DEEPFENCE_POSTGRES_USER_DB_USER")
+	postgresPassword := os.Getenv("DEEPFENCE_POSTGRES_USER_DB_PASSWORD")
+	postgresDatabase := os.Getenv("DEEPFENCE_POSTGRES_USER_DB_NAME")
+	postgresSslMode := os.Getenv("DEEPFENCE_POSTGRES_USER_DB_SSLMODE")
 
 	return PostgresqlConfig{
 		Host:     postgresHost,
@@ -138,19 +138,19 @@ func init_posgres() PostgresqlConfig {
 }
 
 func init_neo4j() Neo4jConfig {
-	neo4jHost, has := os.LookupEnv("NEO4J_HOST")
+	neo4jHost, has := os.LookupEnv("DEEPFENCE_NEO4J_HOST")
 	if !has {
 		neo4jHost = "localhost"
-		log.Warn().Msgf("NEO4J_HOST defaults to: %v", neo4jHost)
+		log.Warn().Msgf("DEEPFENCE_NEO4J_HOST defaults to: %v", neo4jHost)
 	}
-	neo4jBoltPort, has := os.LookupEnv("NEO4J_BOLT_PORT")
+	neo4jBoltPort, has := os.LookupEnv("DEEPFENCE_NEO4J_BOLT_PORT")
 	if !has {
 		neo4jBoltPort = "7687"
-		log.Warn().Msgf("NEO4J_BOLT_PORT defaults to: %v", neo4jBoltPort)
+		log.Warn().Msgf("DEEPFENCE_NEO4J_BOLT_PORT defaults to: %v", neo4jBoltPort)
 	}
 	neo4jEndpoint := "bolt://" + neo4jHost + ":" + neo4jBoltPort
-	neo4jUsername := os.Getenv("NEO4J_USER")
-	neo4jPassword := os.Getenv("NEO4J_PASSWORD")
+	neo4jUsername := os.Getenv("DEEPFENCE_NEO4J_USER")
+	neo4jPassword := os.Getenv("DEEPFENCE_NEO4J_PASSWORD")
 	return Neo4jConfig{
 		Endpoint: neo4jEndpoint,
 		Username: neo4jUsername,

diff --git a/deepfence_worker/Dockerfile b/deepfence_worker/Dockerfile
@@ -10,20 +10,20 @@ FROM alpine:3.16
 MAINTAINER Deepfence Inc
 LABEL deepfence.role=system
 
-ENV POSTGRES_USER_DB_HOST=deepfence-postgres \
-    POSTGRES_USER_DB_PORT=5432 \
-    POSTGRES_USER_DB_USER=deepfence \
-    POSTGRES_USER_DB_PASSWORD=deepfence \
-    POSTGRES_USER_DB_NAME=users \
-    POSTGRES_USER_DB_SSLMODE=disable \
-    REDIS_HOST=deepfence-redis \
-    REDIS_PORT=6379 \
-    REDIS_DB_NUMBER=0 \
-    NEO4J_HOST=deepfence-neo4j \
-    NEO4J_BOLT_PORT=7687 \
-    NEO4J_USER=neo4j \
-    NEO4J_PASSWORD=password \
-    SAAS_DEPLOYMENT=false
+ENV DEEPFENCE_POSTGRES_USER_DB_HOST=deepfence-postgres \
+    DEEPFENCE_POSTGRES_USER_DB_PORT=5432 \
+    DEEPFENCE_POSTGRES_USER_DB_USER=deepfence \
+    DEEPFENCE_POSTGRES_USER_DB_PASSWORD=deepfence \
+    DEEPFENCE_POSTGRES_USER_DB_NAME=users \
+    DEEPFENCE_POSTGRES_USER_DB_SSLMODE=disable \
+    DEEPFENCE_REDIS_HOST=deepfence-redis \
+    DEEPFENCE_REDIS_PORT=6379 \
+    DEEPFENCE_REDIS_DB_NUMBER=0 \
+    DEEPFENCE_NEO4J_HOST=deepfence-neo4j \
+    DEEPFENCE_NEO4J_BOLT_PORT=7687 \
+    DEEPFENCE_NEO4J_USER=neo4j \
+    DEEPFENCE_NEO4J_PASSWORD=password \
+    DEEPFENCE_SAAS_DEPLOYMENT=false
 
 COPY --from=build /go/deepfence_worker/deepfence_worker /usr/local/bin/deepfence_worker
 COPY deepfence_worker/entrypoint.sh /entrypoint.sh