feat(cli): Allow adding admin password using docker secrets aka file (#1199) (#1214)

api/cli/cli.go

@@ -21,7 +21,8 @@ const (
 	errEndpointsFileNotFound         = portainer.Error("Unable to locate external endpoints file")
 	errInvalidSyncInterval           = portainer.Error("Invalid synchronization interval")
 	errEndpointExcludeExternal       = portainer.Error("Cannot use the -H flag mutually with --external-endpoints")
-	errNoAuthExcludeAdminPassword = portainer.Error("Cannot use --no-auth with --admin-password")
+	errNoAuthExcludeAdminPassword    = portainer.Error("Cannot use --no-auth with --admin-password or --admin-password-file")
+	errAdminPassExcludeAdminPassFile = portainer.Error("Cannot use --admin-password with --admin-password-file")
 )
 
 // ParseFlags parse the CLI flags and return a portainer.Flags struct
@@ -45,6 +46,7 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		SSLCert:           kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
 		SSLKey:            kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
 		AdminPassword:     kingpin.Flag("admin-password", "Hashed admin password").String(),
+		AdminPasswordFile: kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
 		// Deprecated flags
 		Labels:    pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
 		Logo:      kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
@@ -77,10 +79,14 @@ func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 		return err
 	}
 
-	if *flags.NoAuth && (*flags.AdminPassword != "") {
+	if *flags.NoAuth && (*flags.AdminPassword != "" || *flags.AdminPasswordFile != "") {
 		return errNoAuthExcludeAdminPassword
 	}
 
+	if *flags.AdminPassword != "" && *flags.AdminPasswordFile != "" {
+		return errAdminPassExcludeAdminPassFile
+	}
+
 	displayDeprecationWarnings(*flags.Templates, *flags.Logo, *flags.Labels)
 
 	return nil

api/cmd/portainer/main.go

@@ -212,12 +212,27 @@ func main() {
 		}
 	}
 
-	if *flags.AdminPassword != "" {
+	adminPasswordHash := ""
-		log.Printf("Creating admin user with password hash %s", *flags.AdminPassword)
+	if *flags.AdminPasswordFile != "" {
+		content, err := file.GetStringFromFile(*flags.AdminPasswordFile)
+		if err != nil {
+			log.Fatal(err)
+		}
+		adminPasswordHash, err = cryptoService.Hash(content)
+		if err != nil {
+			log.Fatal(err)
+		}
+	} else if *flags.AdminPassword != "" {
+		adminPasswordHash = *flags.AdminPassword
+	}
+
+	if adminPasswordHash != "" {
+
+		log.Printf("Creating admin user with password hash %s", adminPasswordHash)
 		user := &portainer.User{
 			Username: "admin",
 			Role:     portainer.AdministratorRole,
-			Password: *flags.AdminPassword,
+			Password: adminPasswordHash,
 		}
 		err := store.UserService.CreateUser(user)
 		if err != nil {

api/file/file.go

@@ -1,6 +1,8 @@
 package file
 
 import (
+	"io/ioutil"
+
 	"github.com/portainer/portainer"
 
 	"io"
@@ -162,3 +164,13 @@ func (service *Service) createFileInStore(filePath string, r io.Reader) error {
 	}
 	return nil
 }
+
+// GetStringFromFile returns a string content from file.
+func GetStringFromFile(filePath string) (string, error) {
+	content, err := ioutil.ReadFile(filePath)
+	if err != nil {
+		return "", err
+	}
+
+	return string(content), nil
+}

api/portainer.go

@@ -27,6 +27,7 @@ type (
 		SSLCert           *string
 		SSLKey            *string
 		AdminPassword     *string
+		AdminPasswordFile *string
 		// Deprecated fields
 		Logo      *string
 		Templates *string