Use container secrets securely #2270

@itoffshore

Description

Hello!

Issue details

When running a container with DOCKER_STEPCA_INIT_PASSWORD_FILE set, the Docker entrypoint.sh cats the password file to /home/step/secrets/password, and the file is world readable:

stepca:~$ ls -l secrets
total 516
-rw-------    1 step     step           314 May 14 00:03 intermediate_ca_key
-rw-r--r--    1 step     step        511875 May 14 00:02 password
-rw-------    1 step     step           314 May 14 00:03 root_ca_key
-rw-------    1 step     step           314 May 14 00:03 ssh_host_ca_key
-rw-------    1 step     step           314 May 14 00:03 ssh_user_ca_key

Why is this needed?

  • For containers at least, a symlink is a better solution (which also works perfectly), as the secret will usually be mounted in the container under /run/secrets/xxx with explicit permissions (possible in both docker & podman). This will work with the Dockerfile expecting to find the hardcoded /home/step/secrets/password & a container secret named anything.

  • Moving the symlink creation out of init to run every time DOCKER_STEPCA_INIT_PASSWORD_FILE is set is probably also recommended for cases where the container is run with a different password file location.

  • I am willing to make a PR if you agree with this approach.

  • Running stepca with a 378,000 char podman secret works ok - example.

  • I can also add to the PR a podman quadlet example .container file & run command.
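The two entrypoint behaviours discussed in this issue, as an added example that is not the step-ca project's own entrypoint.sh: copying the secret's bytes into a new file (whose mode comes from the umask) versus symlinking the hardcoded path to the runtime-mounted secret (whose mode the runtime set). STEPPATH and the secret path are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not step-ca's entrypoint. Contrasts "cat the secret into a new
# file" with "symlink the hardcoded path to the mounted secret".
set -eu

# Constructed CA home (stand-in for /home/step).
STEPPATH="$(mktemp -d)"
mkdir -p "$STEPPATH/secrets"

# Constructed stand-in for a runtime-mounted secret such as /run/secrets/ca_password,
# mounted with explicit, restrictive permissions.
SECRET_SRC="$STEPPATH/run_secrets_ca_password"
printf 'constructed-example-password' > "$SECRET_SRC"
chmod 0400 "$SECRET_SRC"

# Behaviour the issue reports: the copy is a brand-new file, so its mode is
# whatever the umask allows (022 is the usual default -> 0644, world-readable).
copy_password() {
    rm -f "$STEPPATH/secrets/password"   # start clean so the demo is repeatable
    umask 022
    cat "$SECRET_SRC" > "$STEPPATH/secrets/password"
}

# Proposed alternative: no second file holds the secret; reads follow the link
# to the mounted secret and inherit the permissions the runtime gave it.
link_password() {
    ln -sfn "$SECRET_SRC" "$STEPPATH/secrets/password"
}

# Octal mode of the file that actually holds the bytes (follows symlinks).
# GNU stat first, BSD/macOS stat as fallback.
password_mode() {
    stat -L -c '%a' "$STEPPATH/secrets/password" 2>/dev/null || \
    stat -L -f '%Lp' "$STEPPATH/secrets/password"
}

# Prints 1 if "other" can read the password bytes, 0 otherwise.
password_world_readable() {
    case "$(password_mode)" in
        *[4567]) echo 1 ;;
        *)       echo 0 ;;
    esac
}

copy_password; echo "copy:    mode $(password_mode) world-readable=$(password_world_readable)"
link_password; echo "symlink: mode $(password_mode) world-readable=$(password_world_readable)"
```

The same check (`stat -L` on the hardcoded path) is what a reviewer would run inside the container to confirm the fix, since `ls -l` on a symlink reports the link's own mode, not the target's.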

Labels: enhancement, needs triage