
Add entrypoint.sh for key provisioning from env vars or auto-gen #60

Merged: rubenhensen merged 7 commits into main from feat/entrypoint-key-loading on Feb 26, 2026

@rubenhensen rubenhensen commented Feb 25, 2026

Closes #59

Summary

  • Adds entrypoint.sh that runs before the PKG server to provision keys either from environment variables (Scaleway Secrets Manager → Kubernetes secrets) or by auto-generating them if no env vars are set.
  • Updates Dockerfile to copy and wire up the entrypoint, create a /keys directory owned by nonroot, and replace the old CMD with ENTRYPOINT.

Key loading behaviour

| Env vars set? | Behaviour |
|---|---|
| Yes (PKG_IBE_SECRET, PKG_IBE_PUBLIC, PKG_IBS_SECRET, PKG_IBS_PUBLIC) | Decode from base64 → write to /keys/ |
| No | Run pg-pkg gen → generate fresh keys into /keys/ |

The server always starts with explicit --ibe-secret-path /keys/pkg_ibe.sec --ibe-public-path /keys/pkg_ibe.pub --ibs-secret-path /keys/pkg_ibs.sec --ibs-public-path /keys/pkg_ibs.pub.

Test plan

  • Build image and start without env vars — verify keys are generated and server starts
  • Build image and start with all four env vars set to base64-encoded key files — verify keys are written and server starts with the correct keys
  • Verify pod restart with the same env vars serves the same public key

Closes #59

On startup, load PKG keys from environment variables (PKG_IBE_SECRET,
PKG_IBE_PUBLIC, PKG_IBS_SECRET, PKG_IBS_PUBLIC) supplied via Scaleway
Secrets Manager / Kubernetes secrets. If no env vars are set, generate
a fresh key pair with pg-pkg gen. The server is always started with
explicit --ibe-*/--ibs-* path flags pointing to /keys/.
@rubenhensen rubenhensen merged commit 3cd1b07 into main Feb 26, 2026
12 checks passed
@rubenhensen rubenhensen deleted the feat/entrypoint-key-loading branch February 26, 2026 10:23
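
The key-loading behaviour from the pull request description, sketched as a POSIX shell function. This is an added example, not the project's entrypoint.sh: the function name, its return codes, and the fail-closed handling of a partially set or undecodable variable set are assumptions; only the four variable names and the file names under /keys/ come from the page.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh.
# load_keys_from_env KEYDIR  (hypothetical helper name)
#   returns 0: all four variables set and decoded into KEYDIR
#   returns 1: none set; the caller generates keys (pg-pkg gen in the PR)
#   returns 2: partial set or undecodable value; KEYDIR is left unchanged
# The body is a subshell, so umask and key material do not leak to the caller.
load_keys_from_env() (
    keydir=$1
    # Variable name -> file name, as listed in the PR description.
    map="PKG_IBE_SECRET:pkg_ibe.sec PKG_IBE_PUBLIC:pkg_ibe.pub
         PKG_IBS_SECRET:pkg_ibs.sec PKG_IBS_PUBLIC:pkg_ibs.pub"
    set_count=0
    for pair in $map; do
        eval "val=\${${pair%%:*}:-}"   # names come from the fixed map above
        if [ -n "$val" ]; then set_count=$((set_count + 1)); fi
    done
    if [ "$set_count" -eq 0 ]; then exit 1; fi
    if [ "$set_count" -ne 4 ]; then
        echo "only $set_count of 4 key variables set; refusing to mix keys" >&2
        exit 2
    fi
    umask 077                          # secret keys: owner-only from creation
    tmp=$(mktemp -d "$keydir/.load.XXXXXX") || exit 2
    for pair in $map; do
        name=${pair%%:*}; file=${pair#*:}
        eval "val=\${$name}"
        if ! printf '%s' "$val" | base64 -d > "$tmp/$file" 2>/dev/null \
            || [ ! -s "$tmp/$file" ]; then
            echo "$name is not valid base64; refusing to start" >&2
            rm -rf "$tmp"
            exit 2
        fi
    done
    # Install only after every value decoded, so a bad value never leaves a
    # half-written key set behind.
    for pair in $map; do
        mv -f "$tmp/${pair#*:}" "$keydir/${pair#*:}" || exit 2
    done
    rm -rf "$tmp"
)
```

A caller would treat return code 1 as the signal to generate keys and any other non-zero code as a reason to exit before starting the server.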
Linked issue: Load PKG keys from Kubernetes secrets (Scaleway Secrets Manager)
