Prevent generating a kernel_secret in the standalone image if it already exists or is defined through an environment variable

Author: codedmonkey

docker/config.yaml

@@ -1,2 +1,6 @@
+parameters:
+  kernel_secret: '%env(default:kernel_secret_file:KERNEL_SECRET)%'
+  kernel_secret_file: '%env(default::file:KERNEL_SECRET_FILE)%'
+
 framework:
-  secret: '%env(file:KERNEL_SECRET_FILE)%'
+  secret: '%kernel_secret%'

docker/scripts/init/10-kernel-secret.sh

@@ -2,8 +2,16 @@
 
 set -e
 
+if [ ! -z "${KERNEL_SECRET}" ] || [ ! -z "${KERNEL_SECRET_FILE}" ]; then
+  echo "Kernel secret is defined as an environment variable"
+
+  exit 0
+fi
+
 if [ -f "/srv/config/secrets/kernel_secret" ]; then
   echo "Kernel secret exists"
+
+  exit 0
 fi
 
 # Make sure secrets directory exists

tests/Docker/Standalone/.gitignore

@@ -0,0 +1 @@
+config/

tests/Docker/Standalone/DockerStandaloneIsolatedTestCase.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Tests\Docker\Standalone;
+
+abstract class DockerStandaloneIsolatedTestCase extends DockerStandaloneTestCase
+{
+    protected function setUp(): void
+    {
+    }
+
+    protected function setUpDefaultContainer(): void
+    {
+        parent::setUp();
+    }
+}

tests/Docker/Standalone/DockerStandaloneTestCase.php

@@ -9,7 +9,7 @@
 
 abstract class DockerStandaloneTestCase extends TestCase
 {
-    protected StartedGenericContainer $container;
+    protected ?StartedGenericContainer $container = null;
 
     protected function setUp(): void
     {
@@ -22,7 +22,7 @@ protected function setUp(): void
 
     protected function tearDown(): void
     {
-        $this->container->stop();
+        $this->container?->stop();
     }
 
     protected function assertCommandSuccessful(array $command, ?string $message = null): void

tests/Docker/Standalone/InitTest.php

@@ -2,13 +2,82 @@
 
 namespace CodedMonkey\Dirigent\Tests\Docker\Standalone;
 
-class InitTest extends DockerStandaloneTestCase
+use PHPUnit\Framework\Attributes\DataProvider;
+use Symfony\Component\Filesystem\Filesystem;
+use Testcontainers\Container\GenericContainer;
+use Testcontainers\Wait\WaitForLog;
+
+class InitTest extends DockerStandaloneIsolatedTestCase
 {
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+
+        (new Filesystem())->remove(__DIR__ . '/config');
+    }
+
     public function testKernelSecretGenerated(): void
     {
+        $this->setUpDefaultContainer();
+
+        $logs = $this->container->logs();
+
+        $this->assertStringContainsString('Generated a new kernel secret', $logs);
+
         $this->assertContainerFileExists(
             '/srv/config/secrets/kernel_secret',
             'A kernel_secret file must be generated.',
         );
     }
+
+    public function testKernelSecretNotRegeneratedOnRestart(): void
+    {
+        (new Filesystem())->mkdir(__DIR__ . '/config');
+
+        // Generate kernel secret first
+        $this->container = (new GenericContainer('dirigent-standalone'))
+            ->withMount(__DIR__ . '/config', '/srv/config')
+            ->withMount(__DIR__ . '/scripts', '/srv/scripts/tests')
+            ->withWait(new WaitForLog('ready to handle connections'))
+            ->start();
+
+        $initialSecret = (new Filesystem())->readFile(__DIR__ . '/config/secrets/kernel_secret');
+
+        $this->container->restart();
+
+        $logs = $this->container->logs();
+
+        $this->assertStringContainsString('Kernel secret exists', $logs);
+
+        $secret = (new Filesystem())->readFile(__DIR__ . '/config/secrets/kernel_secret');
+
+        $this->assertSame($initialSecret, $secret, 'The kernel_secret file must not be changed if it already exists.');
+    }
+
+    public static function kernelSecretEnvVarProvider(): array
+    {
+        return [
+            ['KERNEL_SECRET', 'fernando'],
+            ['KERNEL_SECRET_FILE', '/srv/config/secrets/kernel_secret'],
+        ];
+    }
+
+    #[DataProvider('kernelSecretEnvVarProvider')]
+    public function testKernelSecretNotGeneratedIfEnvVarExists(string $varName, string $varValue): void
+    {
+        (new Filesystem())->mkdir(__DIR__ . '/config');
+
+        $this->container = (new GenericContainer('dirigent-standalone'))
+            ->withMount(__DIR__ . '/config', '/srv/config')
+            ->withMount(__DIR__ . '/scripts', '/srv/scripts/tests')
+            ->withEnvironment([$varName => $varValue])
+            ->withWait(new WaitForLog('ready to handle connections'))
+            ->start();
+
+        $logs = $this->container->logs();
+
+        $this->assertStringContainsString('Kernel secret is defined as an environment variable', $logs);
+
+        $this->assertFalse((new Filesystem())->exists(__DIR__ . '/config/secrets/kernel_secret'), 'The kernel_secret file must not be generated if the kernel secret is defined through an environment variable.');
+    }
 }