Randomize kernel secret in the standalone image through a configuration file

Author: codedmonkey

Dockerfile

@@ -87,7 +87,7 @@ COPY --chown=$UID:$GID --from=composer_build /srv/app ./
 COPY --chown=$UID:$GID --from=node_build /srv/app/public/build public/build/
 COPY --chown=$UID:$GID readme.md license.md ./
 COPY --chown=$UID:$GID bin/console bin/dirigent bin/
-COPY --chown=$UID:$GID docker/dirigent.yaml /srv/app/config/
+COPY --chown=$UID:$GID docker/config.yaml config/dirigent.yaml
 COPY --chown=$UID:$GID docker/env.php ./.env.dirigent.local.php
 COPY --chown=$UID:$GID config config/
 COPY --chown=$UID:$GID docs docs/

docker/config.yaml

@@ -0,0 +1,2 @@
+framework:
+  secret: '%env(file:KERNEL_SECRET_FILE)%'

docker/env.php

@@ -5,6 +5,7 @@
     'DATABASE_URL' => 'postgresql://dirigent@127.0.0.1:5432/dirigent?serverVersion=16&charset=utf8',
     'DIRIGENT_IMAGE' => '1',
     'GITHUB_TOKEN' => '',
+    'KERNEL_SECRET_FILE' => '/srv/config/secrets/kernel_secret',
     'MAILER_DSN' => 'null://null',
     'MESSENGER_TRANSPORT_DSN' => 'doctrine://default?auto_setup=0',
     'SENTRY_DSN' => '',

docker/scripts/init/10-kernel-secret.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+
+set -e
+
+if [ -f "/srv/config/secrets/kernel_secret" ]; then
+  echo "Kernel secret exists"
+fi
+
+# Make sure secrets directory exists
+mkdir -p /srv/config/secrets
+
+# Generate a kernel secret and save the value
+secret=$(openssl rand -base64 12)
+echo $secret > /srv/config/secrets/kernel_secret
+
+echo "Generated a new kernel secret"

tests/Docker/Standalone/InitTest.php

@@ -0,0 +1,14 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Tests\Docker\Standalone;
+
+class InitTest extends DockerStandaloneTestCase
+{
+    public function testKernelSecretGenerated(): void
+    {
+        $this->assertContainerFileExists(
+            '/srv/config/secrets/kernel_secret',
+            'A kernel_secret file must be generated.',
+        );
+    }
+}