Merge pull request #4 from stackql/feature/secure-server

refactor

Dockerfile

@@ -1,8 +1,5 @@
-# Use stackql image
-FROM stackql/stackql:latest as stackql
-
 # Use postgres image
-FROM postgres:latest as postgres
+FROM postgres:latest
 
 # Environment variables for postgres backend
 ENV POSTGRES_HOST=127.0.0.1
@@ -14,22 +11,14 @@ ENV POSTGRES_DB=stackql
 # Environment variable to toggle SECURE_MODE
 ENV SECURE_MODE=false
 
-# Environment variable for Key Vault name for SECURE_MODE, if local use local cert and key files
-ENV KEYVAULT_NAME=local
-ENV KEYVAULT_CREDENTIAL=notset
-
 # Environment variable for StackQL server configuration
 ENV PGSRV_PORT=7432
 
 # Copy initialization script for database
 COPY ./init-db.sh /docker-entrypoint-initdb.d/init-db.sh
 RUN chmod +x /docker-entrypoint-initdb.d/init-db.sh
 
-# Copy stackql binary
-COPY --from=stackql /srv/stackql/stackql /srv/stackql/stackql
-
 # Install certificates
-
 RUN apt-get update && \
     apt-get install -y curl jq ca-certificates && update-ca-certificates
 
@@ -39,9 +28,10 @@ EXPOSE $PGSRV_PORT
 # Volume for certificates
 VOLUME ["/opt/stackql/srv/credentials"]
 
-# Copy the startup script
+# Copy the StackQL binary and startup script
+COPY --from=stackql/stackql:latest /srv/stackql/stackql /srv/stackql/stackql
 COPY startup.sh /usr/local/bin/startup.sh
 RUN chmod +x /usr/local/bin/startup.sh
 
 # Set the startup script as the entrypoint
-ENTRYPOINT ["/usr/local/bin/startup.sh"]
+ENTRYPOINT ["/usr/local/bin/startup.sh"]

README.md

@@ -192,6 +192,10 @@ az keyvault secret set \
 2. **Create an Azure Container Instance:**
 To create an instance, use the Azure CLI. Replace values for `name`, `resource-group`, and `dns-name-label` with your specific details. The `--dns-name-label` should be a unique DNS name for the ACI.
 ```bash
+SERVER_CERT=$(base64 -w 0 creds/server_cert.pem)
+SERVER_KEY=$(base64 -w 0 creds/server_key.pem)
+CLIENT_CERT=$(base64 -w 0 creds/client_cert.pem)
+
 az container create \
 --name stackqlserver \
 --resource-group stackql-activity-monitor-rg \
@@ -200,14 +204,10 @@ az container create \
 --ports 7432 \
 --protocol TCP \
 --environment-variables \
-POSTGRES_HOST=postgres-host \
-POSTGRES_PORT=postgres-port \
-POSTGRES_USER=postgres-user \
-POSTGRES_PASSWORD=postgres-password \
-POSTGRES_DB=postgres-db \
-SECURE_MODE=false \
-KEYVAULT_NAME=keyvault-name \
-KEYVAULT_CREDENTIAL=keyvault-credential
+SECURE_MODE=true \
+SERVER_CERT=$SERVER_CERT \
+SERVER_KEY=$SERVER_KEY \
+CLIENT_CERT=$CLIENT_CERT
 ```
 Make sure to replace the environment variable values with the ones you need for your setup.
 

startup.sh

@@ -3,76 +3,33 @@
 # Set directory paths
 CERT_DIR="/opt/stackql/srv/credentials"
 
-# Function to fetch a secret from Azure Key Vault
-fetch_secret() {
-    local secret_name=$1
-    local secret_value=$(curl -s \
-                            -H "Authorization: Bearer $KEYVAULT_CREDENTIAL" \
-                            "https://$KEYVAULT_NAME.vault.azure.net/secrets/$secret_name?api-version=7.0" | jq -r '.value')
-
-    if [ -z "$secret_value" ]; then
-        echo "Failed to fetch secret: $secret_name"
-        exit 1
-    fi
-
-    echo "$secret_value"
-}
-
-# Write secrets to files
-write_cert_or_key() {
-    local content=$1
-    local file_path=$2
-
-    echo "$content" > "$file_path"
-    chmod 600 "$file_path"
-}
-
-# Check if certificates and keys are present in the directory
+# Check if certificates and keys are present in the environment variables or the directory
 check_certs_and_keys() {
     local server_cert="$CERT_DIR/server_cert.pem"
     local server_key="$CERT_DIR/server_key.pem"
     local client_cert="$CERT_DIR/client_cert.pem"
 
-    if [ ! -f "$server_cert" ] || [ ! -f "$server_key" ] || [ ! -f "$client_cert" ]; then
-        echo "Certificates or keys are missing in $CERT_DIR"
-        exit 1
+    if [ -z "$SERVER_CERT" ] || [ -z "$SERVER_KEY" ] || [ -z "$CLIENT_CERT" ]; then
+        if [ ! -f "$server_cert" ] || [ ! -f "$server_key" ] || [ ! -f "$client_cert" ]; then
+            echo "Certificates or keys are missing."
+            exit 1
+        fi
+    else
+        echo "$SERVER_CERT" | base64 -d > "$server_cert"
+        echo "$SERVER_KEY" | base64 -d > "$server_key"
+        echo "$CLIENT_CERT" | base64 -d > "$client_cert"
     fi
 
     # Set permissions for the certificates and keys
     chmod 600 "$server_cert" "$server_key" "$client_cert"
 }
 
-# Fetch and write secrets if needed
-fetch_and_write_secrets() {
-    echo "Fetching secrets from Azure Key Vault..."
-    local server_cert=$(fetch_secret "stackql-server-cert")
-    local server_key=$(fetch_secret "stackql-server-key")
-    local client_cert=$(fetch_secret "stackql-client-cert")
-
-    write_cert_or_key "$server_cert" "$CERT_DIR/server_cert.pem"
-    write_cert_or_key "$server_key" "$CERT_DIR/server_key.pem"
-    write_cert_or_key "$client_cert" "$CERT_DIR/client_cert.pem"
-
-    echo "Secrets fetched and written to $CERT_DIR"
-}
-
 # Function to start StackQL with or without mTLS
 start_stackql() {
     if [ "$SECURE_MODE" = "true" ]; then
         echo "Running with mTLS..."
-
-        # Fetch secrets from Azure Key Vault if not running locally
-        if [ "$KEYVAULT_NAME" != "local" ] && [ "$KEYVAULT_CREDENTIAL" != "notset" ]; then
-            fetch_and_write_secrets
-        else
-            echo "Using local secrets..."
-        fi
-
-        # Check if certificates and keys are present and set their permissions
         check_certs_and_keys
-
         CLIENT_CA_ENCODED=$(base64 -w 0 "$CERT_DIR/client_cert.pem")
-
         # Start the server with TLS configuration
         /srv/stackql/stackql srv --approot=/srv/stackql/.stackql \
         --pgsrv.port=$PGSRV_PORT \