Use container secrets securely

[itoffshore]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

When running a container with DOCKER_STEPCA_INIT_PASSWORD_FILE set the Docker entrypoint.sh cat's the password file to /home/step/secrets/password & the file is world readable:

stepca:~$ ls -l secrets
total 516
-rw-------    1 step     step           314 May 14 00:03 intermediate_ca_key
-rw-r--r--    1 step     step        511875 May 14 00:02 password
-rw-------    1 step     step           314 May 14 00:03 root_ca_key
-rw-------    1 step     step           314 May 14 00:03 ssh_host_ca_key
-rw-------    1 step     step           314 May 14 00:03 ssh_user_ca_key

Why is this needed?

• For containers at least, a symlink is a better solution (which also works perfectly) - as the secret will usually be mounted in the container under /run/secrets/xxx with explicit permissions (possible in both docker & podman). This will work with the Dockerfile expecting to find the hardcoded /home/step/secrets/password & a container secret named anything.

• Moving the symlink creation out of init to run every time DOCKER_STEPCA_INIT_PASSWORD_FILE is set is probably also recommended for cases where the container is run with a different password file location.

• Am willing to make a PR if you agree with this approach.

---

• Running stepca with a 378,000 char podman secret works ok - example.

• I can also add to the PR a podman quadlet example .container file & run command.

[tashian]

Hi! I like the symlink approach and I'm curious how @jdoss and others on the team feel about it.

We just have to be aware of backward compatibility here, but it sounds like the symlink approach would not change any of the behavior outside of the init functionality. The CA would still read from /home/step/secrets/password on startup.

[itoffshore]

A symlink seemed like the least intrusive approach & shouldn't break anything.

Also I thought leave DOCKER_STEPCA_INIT_PASSWORD_FILE as it is rather than using a DOCKER_STEPCA_PASSWORD_FILE environment variable (outside of the init function in entrypoint.sh)

(so you can just add a note to Docker Hub that DOCKER_STEPCA_INIT_PASSWORD_FILE is read on every run) - as I didn't see your Docker Hub readme in this repo