feat(encryption): enable at-rest encryption by default (#29)

andrewazores · web-flow · commit 542b20fc819a · 2024-10-15T16:21:37.000-04:00
* feat(encryption): enable at-rest encryption by default

* remove unused testing file

* configurable filer allowed origins
diff --git a/cryostat-entrypoint.bash b/cryostat-entrypoint.bash
@@ -63,11 +63,28 @@ STORAGE_CAPACITY=${STORAGE_CAPACITY:-${AVAILABLE_DISK_BYTES}}
 STORAGE_CAPACITY_BYTES=$(echo "${STORAGE_CAPACITY}" | numfmt --from=iec --suffix=B | tr -d 'B')
 VOLUME_SIZE_BYTES=$(( "${STORAGE_CAPACITY_BYTES}" / "${NUM_VOLUMES}" ))
 
+FLAGS=(
+    "-filer.allowedOrigins=${FILER_ORIGINS:-0.0.0.0}"
+)
+
+if [ "${DIR_LISTING_ENABLE:-0}" != 1 ]; then
+    FLAGS+=(
+        "-filer.exposeDirectoryData=false"
+        "-filer.disableDirListing"
+        "-webdav=false"
+    )
+fi
+
+if [ "${REST_ENCRYPTION_ENABLE:-1}" = 1 ]; then
+    FLAGS+=("-filer.encryptVolumeData")
+fi
+
 exec weed -logtostderr=true server \
     -dir="${DATA_DIR}" \
     -volume.max=${NUM_VOLUMES} \
     -volume.fileSizeLimitMB="${FILE_SIZE_LIMIT_MB:-4096}" \
     -master.volumeSizeLimitMB="$(( "${VOLUME_SIZE_BYTES}" / 1024 / 1024 ))" \
     -master.volumePreallocate="${VOLUME_PREALLOCATE:-false}" \
+    ${FLAGS[*]} \
     -s3 -s3.config="${cfg}" \
     "$@"
