Merged in DCCLIP-586-introduce-secret-store-class (pull request #143)

DCCLIP-586 introduce secret store class Approved-by: Eugene Ivantsov Approved-by: Jun Jeong Approved-by: Minh Tran Approved-by: Adam Brokes Approved-by: Dylan Rathbone
2024-08-30 18:22:16 +00:00 · 2023-10-09 03:09:55 +00:00 · 2023-10-09 03:09:55 +00:00 · 2778ec1123
commit 2778ec1123
parent cda8d93331 b3ff0a97bc
3 changed files with 45 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -160,7 +160,7 @@ Example:

    docker run -e JVM_SUPPORT_RECOMMENDED_ARGS=-Djavax.net.ssl.trustStore=/var/atlassian/application-data/confluence/cacerts -v confluenceVolume:/var/atlassian/application-data/confluence --name="confluence" -d -p 8090:8090 -p 8091:8091 atlassian/confluence

-    For additional settings that can be supplied, see: [Recognized System Properties](https://confluence.atlassian.com/doc/recognized-system-properties-190430.html)
+For additional settings that can be supplied, see: [Recognized System Properties](https://confluence.atlassian.com/doc/recognized-system-properties-190430.html)

 ## Confluence-specific settings

@ -233,6 +233,28 @@ page.

 ### Optional database settings

+* `ATL_JDBC_SECRET_CLASS`
+
+[Encryption class](https://confluence.atlassian.com/doc/encrypt-database-password-1115674739.html) for the database password.
+Depending on the secret class, the value of `ATL_JDBC_PASSWORD` will differ. Defaults to plaintext. 
+
+**WARNING:** JDBC encryption can only be used with Confluence instances that have already been set up.
+
+Starting from 8.6 [AWS SecretsManager](https://confluence.atlassian.com/doc/configuring-confluence-with-aws-secrets-manager-1299911239.html) is supported.
+
+For non-clustered Confluence, manually edit `jdbc.password.decrypter.classname` and `hibernate.connection.password` properties as instructed by  step 5 of official [documentation](https://confluence.atlassian.com/doc/configuring-confluence-with-aws-secrets-manager-1299911239.html), then restart container. 
+
+For clustered Confluence, set this property while making sure environment variables in [cluster configuration](#cluster-configuration) are kept intact as well. 
+Example:
+
+    docker run -v /data/your-confluence-home:/var/atlassian/application-data/confluence \
+    --name="confluence" -d -p 8090:8090 -p 8091:8091 \
+    -e ATL_JDBC_SECRET_CLASS='com.atlassian.secrets.store.aws.AwsSecretsManagerStore' \
+    -e ATL_JDBC_PASSWORD='{"region": "us-east-1", "secretId": "mysecret", "secretPointer": "password"}' \
+    -e ATL_CLUSTER_RELATED_VARIABLES='variable-value' \
+    atlassian/confluence
+
+
 The following variables are for the database connection pool, and are
 optional.

--- a/config/confluence.cfg.xml.j2
+++ b/config/confluence.cfg.xml.j2
@ -26,6 +26,9 @@

      <property name="hibernate.connection.url">{{ atl_jdbc_url }}</property>
      <property name="hibernate.connection.username">{{ atl_jdbc_user }}</property>
+      {% if atl_jdbc_secret_class is defined %}
+      <property name="jdbc.password.decrypter.classname">{{ atl_jdbc_secret_class }}</property>
+      {% endif %}
      <property name="hibernate.connection.password">{{ atl_jdbc_password }}</property>
      <property name="hibernate.connection.driver_class">{{ databases[atl_db_type][0] }}</property>
      <property name="hibernate.dialect">com.atlassian.confluence.impl.hibernate.dialect.{{ databases[atl_db_type][1] }}</property>
--- a/tests/test_image.py
+++ b/tests/test_image.py
@ -306,7 +306,6 @@ def test_confluence_xml_postgres_all_set(docker_cli, image, run_user):
    assert xml.findall('.//property[@name="hibernate.connection.provider_class"]')[0].text == "com.example.class"


-
 def test_confluence_xml_postgres_c3p0(docker_cli, image, run_user):
    environment = {
        'CONFLUENCE_VERSION': '7.10.0',
@ -368,6 +367,25 @@ def test_confluence_xml_postgres_all_set_c3p0(docker_cli, image, run_user):
    assert xml.findall('.//property[@name="hibernate.c3p0.preferredTestQuery"]')[0].text == "xselect 1"


+def test_confluence_xml_secretsmanager(docker_cli, image, run_user):
+    environment = {
+        'ATL_DB_TYPE': 'postgresql',
+        'ATL_JDBC_URL': 'atl_jdbc_url',
+        'ATL_JDBC_USER': 'atl_jdbc_user',
+        'ATL_JDBC_SECRET_CLASS': 'com.atlassian.secrets.store.aws.AwsSecretsManagerStore',
+        'ATL_JDBC_PASSWORD': '{"region": "us-east-1", "secretId": "mysecret"}',
+    }
+    container = run_image(docker_cli, image, user=run_user, environment=environment)
+    _jvm = wait_for_proc(container, get_bootstrap_proc(container))
+
+    xml = parse_xml(container, f'{get_app_home(container)}/confluence.cfg.xml')
+    assert xml.findall('.//property[@name="hibernate.connection.url"]')[0].text == "atl_jdbc_url"
+    assert xml.findall('.//property[@name="hibernate.connection.username"]')[0].text == "atl_jdbc_user"
+    assert xml.findall('.//property[@name="hibernate.connection.password"]')[0].text == '{"region": "us-east-1", "secretId": "mysecret"}'
+    assert xml.findall('.//property[@name="jdbc.password.decrypter.classname"]')[0].text == "com.atlassian.secrets.store.aws.AwsSecretsManagerStore"
+    assert xml.findall('.//property[@name="hibernate.connection.driver_class"]')[0].text == "org.postgresql.Driver"
+
+
 def test_confluence_xml_cluster_aws(docker_cli, image, run_user):
    environment = {
        'ATL_CLUSTER_TYPE': 'aws',