From a6140fbc7679f6d355c3436250d3b73e984e211e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Teemu=20M=C3=A4kinen?= Date: Wed, 6 Mar 2024 16:49:42 +0200 Subject: [PATCH] Modify read-secrets script to allow keeping values If the SKIP_SET_VARIABLE_SECRET_OVERRIDE environment variable is set, read-secrets.sh will not overwrite existing values by secrets. --- README.md | 2 ++ docker/read-secrets.sh | 12 +++++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ba76c68..41a873e 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,8 @@ RUN curl -o /tmp/read-secrets.sh "https://raw.githubusercontent.com/HSLdevcom/jo CMD /bin/bash -c "source /tmp/read-secrets.sh && java -jar /.../xxx.jar" ``` +If the SKIP_SET_VARIABLE_SECRET_OVERRIDE environment variable is set, pre-exisiting values will not be overriden by secrets. + ### download-docker-bundle.sh Downloads and extract the latest version of the docker bundle. It uses the `gh` github command line tool to retrieve the bundle from the releases. diff --git a/docker/read-secrets.sh b/docker/read-secrets.sh index 906a878..b4dbe9a 100644 --- a/docker/read-secrets.sh +++ b/docker/read-secrets.sh @@ -23,6 +23,8 @@ set -eu # FOO1=bar1 # FOO2_BLABLA=bar2 # FOO3_LOL=bar3.lolo +# +# If the $SKIP_SET_VARIABLE_SECRET_OVERRIDE environment variable is set, pre-exisiting values will not be overriden by secrets. # read docker secrets into environment variables SECRET_STORE_BASE_PATH="${SECRET_STORE_BASE_PATH:-/run/secrets}" 
@@ -30,7 +32,11 @@ for SECRET_FILENAME in $(ls "$SECRET_STORE_BASE_PATH"); do # replace non-alphanumeric characters with _ and convert to uppercase VAR_NAME=$(echo $SECRET_FILENAME | sed -E 's/[^a-zA-Z0-9]+/_/g' | tr a-z A-Z) - VAR_VALUE=$(cat "$SECRET_STORE_BASE_PATH/$SECRET_FILENAME") - export "$VAR_NAME"="$VAR_VALUE" - echo "Found secret '$SECRET_FILENAME', exported it as '$VAR_NAME' environment variable." + if [ ! -z "$SKIP_SET_VARIABLE_SECRET_OVERRIDE" ] && [ ! -z "$(printenv $VAR_NAME)" ]; then + echo "Secret environment value override disabled. Used existing value for '$VAR_NAME' environment variable." + else + VAR_VALUE=$(cat "$SECRET_STORE_BASE_PATH/$SECRET_FILENAME") + export "$VAR_NAME"="$VAR_VALUE" + echo "Found secret '$SECRET_FILENAME', exported it as '$VAR_NAME' environment variable." + fi done
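Review bot: With `set -eu` in effect (it appears as the header context of the first read-secrets.sh hunk), the new test `[ ! -z "$SKIP_SET_VARIABLE_SECRET_OVERRIDE" ]` expands an unset variable. In the default case, where the flag is not set, the sourced script would therefore stop with an unbound-variable error at the first secret instead of exporting it. Give the expansion an empty default and quote the `printenv` argument: `if [ -n "${SKIP_SET_VARIABLE_SECRET_OVERRIDE:-}" ] && [ -n "$(printenv "$VAR_NAME")" ]; then`. With the flag set, any non-empty value already in the container environment wins over the mounted secret, so the header comment should say that the flag makes the environment, not the secret store, authoritative. The `for` loop this code sits in starts above the hunk.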