Container password security issue

Hey, I’m running a Docker container inside a Kubernetes pod and I have an issue with generating a password for the admin user.

So previously I’ve been using a static password for testing out my deployment and getting our application to work, and with that setup everything works just fine. The Dockerfile runs a user & password generation script, then it runs a jboss-cli.sh script to embed the server:

# user/password (password is quoted so it survives word splitting)
/opt/keycloak-4.8.3.Final/bin/add-user-keycloak.sh --user admin --password "$PASSWORD" --realm master
# jboss embed script: enable proxy address forwarding, add the proxy-https socket binding, redirect to it
/opt/keycloak-4.8.3.Final/bin/jboss-cli.sh 'embed-server,/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)'
/opt/keycloak-4.8.3.Final/bin/jboss-cli.sh 'embed-server,/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=8443)'
/opt/keycloak-4.8.3.Final/bin/jboss-cli.sh 'embed-server,/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)'

The only problem here is that any password, even a randomly generated one, gets pushed up to Dockerhub, which is insecure.

I’ve tried using Supervisord to generate a random base64 password and then run the above commands at container startup, rather than in the Dockerfile. The only problem is that it always seems to break Apache inside the container, or I can’t access the admin console due to a “bad redirect uri”.

Any idea how to get around this? Thanks for the help.

I don’t see why it should be in the Dockerfile. Use it in the entrypoint script and configure the password from an environment variable when the container is starting. That’s already implemented in the official Docker images:
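The entrypoint approach from the reply above, as an added example (this is not the poster’s script and not the official Keycloak image’s entrypoint): the admin password is resolved when the container starts, from an environment variable or a mounted Secret file, the admin user is created, and then supervisord is exec’d. The names KEYCLOAK_PASSWORD, KEYCLOAK_PASSWORD_FILE and KC_HOME, the /secret-volume/password path and the entrypoint.sh filename are assumptions; the jboss-cli.sh calls from the question contain nothing secret and can stay in the Dockerfile.

```sh
#!/bin/sh
# Added example, not the poster's script or the official Keycloak image's
# entrypoint. Resolves the admin password at container start, so no secret is
# baked into the image layers pushed to Docker Hub. Assumed (hypothetical)
# names: KEYCLOAK_PASSWORD, KEYCLOAK_PASSWORD_FILE, KC_HOME, /secret-volume/password.
set -eu

KC_HOME="${KC_HOME:-/opt/keycloak-4.8.3.Final}"

# resolve_admin_password [file]
# Prints the password to use. Preference order: KEYCLOAK_PASSWORD from the
# environment (e.g. injected from a Secret via secretKeyRef), then a mounted
# secret file, then a freshly generated random value for a throwaway admin.
resolve_admin_password() {
    file="${1:-${KEYCLOAK_PASSWORD_FILE:-/secret-volume/password}}"
    if [ -n "${KEYCLOAK_PASSWORD:-}" ]; then
        printf '%s\n' "$KEYCLOAK_PASSWORD"
    elif [ -r "$file" ]; then
        # The caller's $(...) strips the trailing newline a mounted Secret may carry
        cat "$file"
    else
        # 24 random bytes -> 32 base64 characters, no padding, single line
        head -c 24 /dev/urandom | base64 | tr -d '\n'
        echo
    fi
}

# create_admin_user <password>
# Stages the master-realm admin for Keycloak to import on its next start.
# The password is quoted so word splitting cannot change it.
create_admin_user() {
    "$KC_HOME/bin/add-user-keycloak.sh" --user admin --password "$1" --realm master
}

main() {
    # Plain shell variable, not exported: supervisord's children never inherit it
    password="$(resolve_admin_password)"
    create_admin_user "$password"
    unset password
    # Hand PID 1 to supervisord, which no longer needs to know the password
    exec /usr/bin/supervisord -c /etc/supervisord.conf
}

# Run the startup sequence only when invoked as the container entrypoint
# (ENTRYPOINT ["/entrypoint.sh"]); when sourced under another name the
# functions above can be exercised on their own.
case "${0##*/}" in
    entrypoint.sh) main ;;
esac
```

Mount the Secret as a file (volume at /secret-volume) or inject it as the KEYCLOAK_PASSWORD environment variable; either way the image itself carries no credential. One caveat a practitioner should keep in mind: add-user-keycloak.sh takes the password on its command line, so it is briefly visible in that process’s argv inside the container; keeping it out of the exported environment, as above, at least stops every supervisord child from inheriting it.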

Okay, yeah, I see. Well, I’m running supervisord as my entrypoint, and then supervisor runs a startup script after that, but it’s still not working. That’s a good idea though; I could try running it in the entrypoint beside supervisor.

CMD ["/bin/sh", "-c", "/usr/bin/supervisord -c /etc/supervisord.conf"]

# Startup Script

#!/bin/bash
# read the admin password from the mounted secret volume
export PASSWORD="$(cat /secret-volume/password)"
/opt/keycloak-4.8.3.Final/bin/add-user-keycloak.sh --user admin --password "$PASSWORD" --realm master
...