From a26d90efaf7b67108ce7b6da84e76230b5a76b23 Mon Sep 17 00:00:00 2001
From: Francisco Tomas Olivo Leon
Date: Mon, 5 Aug 2024 23:03:19 +0200
Subject: [PATCH 1/2] Added environment variable for Docker secret name
---
 docker-build/9.0.5.x/Dockerfile-ubi8 | 1 +
 docker-build/9.0.5.x/Dockerfile.ipla | 1 +
 docker-build/9.0.5.x/Dockerfile.ipla-rec | 1 +
 docker-build/9.0.5.x/Dockerfile.offline | 1 +
 4 files changed, 4 insertions(+)
diff --git a/docker-build/9.0.5.x/Dockerfile-ubi8 b/docker-build/9.0.5.x/Dockerfile-ubi8
index 46b5e69..b92ae15 100644
--- a/docker-build/9.0.5.x/Dockerfile-ubi8
+++ b/docker-build/9.0.5.x/Dockerfile-ubi8
@@ -94,6 +94,7 @@ ENV PATH=/opt/IBM/WebSphere/AppServer/bin:${PATH} \
 PROFILE_NAME=$PROFILE_NAME \
 SERVER_NAME=$SERVER_NAME \
 ADMIN_USER_NAME=$ADMIN_USER_NAME \
+ SECRET_NAME=$SECRET_NAME \
 EXTRACT_PORT_FROM_HOST_HEADER=true
 RUN /work/create_profile.sh \
diff --git a/docker-build/9.0.5.x/Dockerfile.ipla b/docker-build/9.0.5.x/Dockerfile.ipla
index 7349dcd..22516f7 100644
--- a/docker-build/9.0.5.x/Dockerfile.ipla
+++ b/docker-build/9.0.5.x/Dockerfile.ipla
@@ -94,6 +94,7 @@ ENV PATH=/opt/IBM/WebSphere/AppServer/bin:${PATH} \
 PROFILE_NAME=$PROFILE_NAME \
 SERVER_NAME=$SERVER_NAME \
 ADMIN_USER_NAME=$ADMIN_USER_NAME \
+ SECRET_NAME=$SECRET_NAME \
 EXTRACT_PORT_FROM_HOST_HEADER=true
 RUN /work/create_profile.sh \
diff --git a/docker-build/9.0.5.x/Dockerfile.ipla-rec b/docker-build/9.0.5.x/Dockerfile.ipla-rec
index ecc97c1..6f723ed 100644
--- a/docker-build/9.0.5.x/Dockerfile.ipla-rec
+++ b/docker-build/9.0.5.x/Dockerfile.ipla-rec
@@ -94,6 +94,7 @@ ENV PATH=/opt/IBM/WebSphere/AppServer/bin:${PATH} \
 PROFILE_NAME=$PROFILE_NAME \
 SERVER_NAME=$SERVER_NAME \
 ADMIN_USER_NAME=$ADMIN_USER_NAME \
+ SECRET_NAME=$SECRET_NAME \
 EXTRACT_PORT_FROM_HOST_HEADER=true
 RUN /work/create_profile.sh \
diff --git a/docker-build/9.0.5.x/Dockerfile.offline b/docker-build/9.0.5.x/Dockerfile.offline
index 3e44f86..06c43e7 100644
--- a/docker-build/9.0.5.x/Dockerfile.offline
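Review bot: `SECRET_NAME=$SECRET_NAME` in the `ENV` block expands a build-time variable, but the diffstat shows one added line per Dockerfile, so this patch adds no `ARG SECRET_NAME` and none is visible in the hunk. If no such `ARG` exists earlier in the file, the image is built with `SECRET_NAME` set to an empty string and a `--build-arg SECRET_NAME=...` has no effect; the script's `${SECRET_NAME:-"wsadmin_password"}` default hides this at run time. Declaring `ARG SECRET_NAME=wsadmin_password` before the `ENV` instruction would make the default explicit and the build argument usable. The same applies to the identical hunks in Dockerfile.ipla, Dockerfile.ipla-rec and Dockerfile.offline; the `ENV` instruction starts above each hunk.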
+++ b/docker-build/9.0.5.x/Dockerfile.offline
@@ -63,6 +63,7 @@ ENV PATH=/opt/IBM/WebSphere/AppServer/bin:${PATH} \
 PROFILE_NAME=$PROFILE_NAME \
 SERVER_NAME=$SERVER_NAME \
 ADMIN_USER_NAME=$ADMIN_USER_NAME \
+ SECRET_NAME=$SECRET_NAME \
 EXTRACT_PORT_FROM_HOST_HEADER=true
 RUN /work/create_profile.sh \
From 5f777311f09fcd0ce842da79b8862641720c7865 Mon Sep 17 00:00:00 2001
From: Francisco Tomas Olivo Leon
Date: Mon, 5 Aug 2024 23:03:25 +0200
Subject: [PATCH 2/2] Refactored set_password script for Docker secret query and WAS password value setting
---
 docker-build/9.0.5.x/scripts/set_password.sh | 29 ++++++++++++--------
 1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/docker-build/9.0.5.x/scripts/set_password.sh b/docker-build/9.0.5.x/scripts/set_password.sh
index 5cdffd8..c2ae15f 100644
--- a/docker-build/9.0.5.x/scripts/set_password.sh
+++ b/docker-build/9.0.5.x/scripts/set_password.sh
@@ -1,24 +1,31 @@
 #!/bin/bash
 #####################################################################################
 # #
-# Script to set the wsadmin password. #
-# If a value exists in /tmp/PASSWORD that value will be used, #
-# otherwise a random value will be generated and used (and also #
-# persisted in /tmp/PASSWORD). #
+# Script to set the wsadmin password. There are three ways to obtain the value: #
+# - Docker secret (preferred). #
+# - Content of /tmp/PASSWORD (defined in the previous runtime). #
+# - Random value (fallback). #
 # #
 # Usage : set_password #
 # #
 #####################################################################################
 ADMIN_USER_NAME=${ADMIN_USER_NAME:-"wsadmin"}
+SECRET_ROOT='/run/secrets'
+SECRET_NAME=${SECRET_NAME:-"wsadmin_password"}
+WAS_PASSWD_FILE='/tmp/PASSWORD'
+WAS_UPD_PASSWD_FILE='/tmp/passwordupdated'
+
+if [ -f ${SECRET_ROOT}/${SECRET_NAME} ]; then
+ password="$(cat ${SECRET_ROOT}/${SECRET_NAME})"
+
+elif [ -f $WAS_PASSWD_FILE ]; then
+ password="$(cat $WAS_PASSWD_FILE)"
-if [ -f /tmp/PASSWORD ]
-then
- password=$(cat /tmp/PASSWORD)
 else
- password=$(openssl rand -base64 6)
- echo $password > /tmp/PASSWORD
+ password="$(openssl rand -base64 6)"
+ echo "$password" > $WAS_PASSWD_FILE
 fi
-/opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython -conntype NONE -f /work/updatePassword.py $ADMIN_USER_NAME $password > /dev/null 2>&1
-echo $password > /tmp/passwordupdated
+/opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython -conntype NONE -f /work/updatePassword.py "$ADMIN_USER_NAME" "$password" > /dev/null 2>&1
+echo "$password" > $WAS_UPD_PASSWD_FILE
\ No newline at end of file
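Review bot: The final `echo "$password" > $WAS_UPD_PASSWD_FILE` writes the value read from `${SECRET_ROOT}/${SECRET_NAME}` in plaintext to /tmp/passwordupdated under the default umask, so a Docker secret is copied out of the secrets mount into a file that other users in the container may be able to read. Adding `umask 077` before the first write would restrict both /tmp files; if nothing depends on the content of the marker file (not visible in this patch), `: > "$WAS_UPD_PASSWD_FILE"` avoids the copy altogether. The password is also still passed as a command-line argument to wsadmin.sh, where it is visible in the process list while the command runs, and because output goes to /dev/null and the exit status is not checked the marker is written even if the update failed. The new `[ -f ... ]` tests and `cat` calls leave `${SECRET_ROOT}/${SECRET_NAME}` and `$WAS_PASSWD_FILE` unquoted; `[ -f "${SECRET_ROOT}/${SECRET_NAME}" ]` keeps a SECRET_NAME containing spaces or glob characters from being split or expanded. The fallback `openssl rand -base64 6` yields only 48 bits of randomness, and `openssl rand -base64 18` would be a stronger default for an admin account.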