Make unsetting sensitive vars optional

README.md

@@ -319,6 +319,12 @@ management technology, and is beyond the scope of this documentation.
    Define whether to set home directory permissions on startup. Set to `false` to disable
    this behaviour.
 
+* `ATL_UNSET_SENSITIVE_ENV_VARS` (default: true)
+
+   Define whether to unset environment variables containing keywords 'PASS', 'SECRET' or 'TOKEN'.
+   The unset function is executed in the entrypoint. Set to `false` if you want to allow passing
+   sensitive environment variables to Confluence container.
+
 ## Advanced Configuration
 
 As mentioned at the top of this section, the settings from the environment are

entrypoint.py

@@ -8,6 +8,7 @@ RUN_GROUP = env['run_group']
 CONFLUENCE_INSTALL_DIR = env['confluence_install_dir']
 CONFLUENCE_HOME = env['confluence_home']
 UPDATE_CFG = str2bool_or(env.get('atl_force_cfg_update'), False)
+UNSET_SENSITIVE_VARS = str2bool_or(env.get('atl_unset_sensitive_env_vars'), True)
 
 gen_cfg('server.xml.j2', f'{CONFLUENCE_INSTALL_DIR}/conf/server.xml')
 gen_cfg('seraph-config.xml.j2',
@@ -18,4 +19,4 @@ gen_cfg('confluence.cfg.xml.j2', f'{CONFLUENCE_HOME}/confluence.cfg.xml',
         user=RUN_USER, group=RUN_GROUP, overwrite=UPDATE_CFG)
 
 exec_app([f'{CONFLUENCE_INSTALL_DIR}/bin/start-confluence.sh', '-fg'], CONFLUENCE_HOME,
-         name='Confluence', env_cleanup=True)
+         name='Confluence', env_cleanup=UNSET_SENSITIVE_VARS)

tests/test_image.py

@@ -1,6 +1,8 @@
 import pytest
 import signal
 import testinfra
+from iterators import TimeoutIterator
+import re
 
 from helpers import get_app_home, get_app_install_dir, get_bootstrap_proc, get_procs, \
     parse_properties, parse_xml, run_image, \
@@ -575,3 +577,33 @@ def test_confluence_db_pool_property(docker_cli, image, version, db_property):
     for property, expected_value in expected.items():
         assert xml.findall(f'.//property[@name="{property}"]')[0].text == expected_value
 
+
+def test_unset_secure_vars(docker_cli, image, run_user):
+    environment = {
+        'MY_TOKEN': 'tokenvalue',
+    }
+    container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment,
+                                          ports={PORT: PORT})
+    wait_for_state(STATUS_URL, expected_state='FIRST_RUN')
+    var_unset_log_line = 'Unsetting environment var MY_TOKEN'
+    wait_for_log(container, var_unset_log_line)
+
+
+def test_skip_unset_secure_vars(docker_cli, image, run_user):
+    environment = {
+        'MY_TOKEN': 'tokenvalue',
+        'ATL_UNSET_SENSITIVE_ENV_VARS': 'false',
+    }
+    container = docker_cli.containers.run(image, detach=True, user=run_user, environment=environment,
+                                          ports={PORT: PORT})
+    wait_for_state(STATUS_URL, expected_state='FIRST_RUN')
+    var_unset_log_line = 'Unsetting environment var MY_TOKEN'
+    rpat = re.compile(var_unset_log_line)
+    logs = container.logs(stream=True, follow=True)
+    li = TimeoutIterator(logs, timeout=1)
+    for line in li:
+        if line == li.get_sentinel():
+            return
+        line = line.decode('UTF-8')
+        if rpat.search(line):
+            raise EOFError(f"Found unexpected log line '{var_unset_log_line}'")