Our RDS password is KMS-encrypted and we have to decrypt it in the Docker image at runtime. We usually use the AWS CLI with jq to decrypt the password in Docker containers. We would like to use the same approach with the Hasura Docker container but are not sure how to install the aws cli and jq dependencies in the container.
Any guidance is appreciated.
@mthota15 Can you not decrypt the password and provide it as an environment variable?
Our docker image is highly optimised and it will not be possible to install the required tools on that.
You'll have to build a custom Docker image with a Dockerfile that might look like this:
FROM hasura/graphql-engine:v1.0.0-beta.4 as base
FROM debian:stretch-20190228-slim
# install libpq (required by Hasura)
# also install aws-cli, jq etc
RUN apt-get -y update \
&& apt-get install -y libpq-dev \
&& apt-get -y auto-remove \
&& apt-get -y clean \
&& rm -rf /var/lib/apt/lists/* \
&& rm -rf /usr/share/doc/ \
&& rm -rf /usr/share/man/ \
&& rm -rf /usr/share/locale/
# copy hasura binary from base container
COPY --from=base /bin/graphql-engine /bin/graphql-engine
# write a startup script which decrypts the password and starts graphql engine
# command to start graphql engine is
# graphql-engine --database-url <url> serve
COPY start.sh /start.sh
CMD ["/start.sh"]
PS: this is not tested.
Thanks @shahidhk, It helped.
Here is my Dockerfile
FROM hasura/graphql-engine:v1.0.0-beta.4 as base
FROM python:3.7-slim-stretch
RUN apt-get -y update \
&& apt-get install -y --no-install-recommends libpq-dev jq \
&& apt-get -y auto-remove \
&& apt-get -y clean \
&& rm -rf /var/lib/apt/lists/* \
&& rm -rf /usr/share/doc/ \
&& rm -rf /usr/share/man/ \
&& rm -rf /usr/share/locale/ \
&& pip install awscli
# copy hasura binary from base container
COPY --from=base /bin/graphql-engine /bin/graphql-engine
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
CMD ["/entrypoint.sh"]
entrypoint.sh:
#!/bin/bash
set -e
DB_HOST=${DB_HOST:-postgres}
DB_PORT=${DB_PORT:-5432}
AWS_REGION=${AWS_REGION:-us-east-1}
DB_PASSWORD_ENCYPTED=${DB_PASSWORD_ENCYPTED:-false}
if [ -z "${DB_NAME}" ]; then
echo "Must provide DB_NAME environment variable. Exiting...."
exit 1
fi
if [ -z "${DB_USER}" ]; then
echo "Must provide DB_USER environment variable. Exiting...."
exit 1
fi
if [ -z "${DB_PASSWORD}" ]; then
echo "Must provide DB_PASSWORD environment variable. Exiting...."
exit 1
fi
if [ "${DB_PASSWORD_ENCYPTED}" = "true" ]
then
echo "loading KMS credentials"
# DB_PASSWORD holds the base64 CiphertextBlob; decode it to bytes for fileb://
decrypted_value_base64=$( \
aws --region "${AWS_REGION}" kms decrypt \
--ciphertext-blob fileb://<(echo "${DB_PASSWORD}" | base64 -d) \
--query Plaintext \
--output text
)
# KMS returns the plaintext base64-encoded; decode it again
decrypted_value=$(echo "${decrypted_value_base64}" | base64 -d)
# note: the password is spliced into the URL unencoded; a secret containing @ : / or % would break the URL
export HASURA_GRAPHQL_DATABASE_URL="postgres://${DB_USER}:${decrypted_value}@${DB_HOST}:${DB_PORT}/${DB_NAME}"
else
export HASURA_GRAPHQL_DATABASE_URL="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}"
fi
# exec so graphql-engine becomes PID 1 and receives SIGTERM when the container is stopped
exec /bin/graphql-engine serve
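As an added example (not code from this thread or from the Hasura project), here is a POSIX sh version of the entrypoint above that closes two gaps a practitioner would hit: the decrypted secret is percent-encoded before it is spliced into the postgres:// URL (a password containing @, :, / or % would otherwise break the URL or move the host boundary), and the server is started with exec so it is PID 1 and receives SIGTERM. It serves both the "write a startup script which decrypts the password" step in the first answer and the entrypoint in the second. Assumptions: the same environment variables as the entrypoint above, with the DB_PASSWORD_ENCYPTED typo corrected to DB_PASSWORD_ENCRYPTED; when encrypted, DB_PASSWORD is the base64 CiphertextBlob returned by `aws kms encrypt`; the AWS CLI is on PATH with credentials from the task or instance role; urlencode, build_database_url and kms_decrypt are names chosen here.

```shell
#!/bin/sh
# Added example: hardened entrypoint for the custom Hasura image built above.
# Assumed environment (names follow the entrypoint in this thread, with the
# DB_PASSWORD_ENCYPTED typo corrected): DB_USER, DB_PASSWORD, DB_NAME,
# DB_HOST, DB_PORT, AWS_REGION, DB_PASSWORD_ENCRYPTED.
set -eu

# Percent-encode every byte that is not an RFC 3986 unreserved character, so a
# secret containing '@', ':', '/' or '%' cannot change how postgres:// is parsed.
# Works byte-wise under LC_ALL=C; RS is \001 so a newline inside the secret is
# encoded as %0A instead of being treated as a record separator.
urlencode() {
  printf '%s' "$1" | LC_ALL=C awk -v RS='\001' '
    BEGIN { for (i = 1; i < 256; i++) enc[sprintf("%c", i)] = sprintf("%%%02X", i) }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        out = out ((c ~ /^[A-Za-z0-9._~-]$/) ? c : enc[c])
      }
      printf "%s", out
    }'
}

# build_database_url USER PASSWORD HOST PORT DBNAME
build_database_url() {
  printf 'postgres://%s:%s@%s:%s/%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4" "$5"
}

# kms_decrypt CIPHERTEXT_B64 -> prints the plaintext.
# CIPHERTEXT_B64 is the base64 CiphertextBlob returned by `aws kms encrypt`.
# The ciphertext (never the plaintext) goes through a 0600 mktemp file instead
# of bash's <(...) so the script stays POSIX sh. If the value was encrypted with
# an encryption context, the same --encryption-context must be passed here.
kms_decrypt() {
  tmp=$(mktemp) || return 1
  if ! printf '%s' "$1" | base64 -d > "$tmp"; then rm -f "$tmp"; return 1; fi
  if ! plaintext_b64=$(aws --region "${AWS_REGION:-us-east-1}" kms decrypt \
        --ciphertext-blob "fileb://$tmp" --query Plaintext --output text); then
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
  # KMS returns Plaintext base64-encoded; decode it to the real password
  printf '%s' "$plaintext_b64" | base64 -d
}

main() {
  : "${DB_NAME:?Must provide DB_NAME environment variable}"
  : "${DB_USER:?Must provide DB_USER environment variable}"
  : "${DB_PASSWORD:?Must provide DB_PASSWORD environment variable}"
  if [ "${DB_PASSWORD_ENCRYPTED:-false}" = "true" ]; then
    echo "decrypting DB_PASSWORD with KMS" >&2
    password=$(kms_decrypt "$DB_PASSWORD") || { echo "KMS decrypt failed" >&2; exit 1; }
  else
    password=$DB_PASSWORD
  fi
  HASURA_GRAPHQL_DATABASE_URL=$(build_database_url "$DB_USER" "$password" \
    "${DB_HOST:-postgres}" "${DB_PORT:-5432}" "$DB_NAME")
  export HASURA_GRAPHQL_DATABASE_URL
  # Keep the raw/encrypted secret out of graphql-engine's environment, and exec
  # so graphql-engine is PID 1 and receives SIGTERM when the container stops.
  unset DB_PASSWORD password
  exec /bin/graphql-engine serve
}

# Only start the server when run as the container entrypoint; the functions
# above can then be sourced and exercised on their own.
case "$0" in
  */entrypoint.sh|entrypoint.sh) main "$@" ;;
esac
```

The Dockerfile's `COPY entrypoint.sh /entrypoint.sh` and `CMD ["/entrypoint.sh"]` lines are unchanged. The URL is still handed over through HASURA_GRAPHQL_DATABASE_URL rather than `--database-url`, because a command-line flag is visible to every process in the container through /proc/1/cmdline, whereas the environment of PID 1 is readable only by the same uid. libpq percent-decodes the userinfo part of a connection URI, so the encoded password reaches Postgres intact.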