fix(docker): use envsubst template pattern — no hardcoded URLs or keys (MS22-P1a)

2026-03-01 07:54:28 -06:00
parent 256171cc62
commit 11136e2f23
11 changed files with 193 additions and 12 deletions
--- a/docker/openclaw-instances/entrypoint.sh
+++ b/docker/openclaw-instances/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+# OpenClaw container entrypoint — renders config template via envsubst then starts gateway
+set -e
+
+TEMPLATE="/config/openclaw.json.template"
+CONFIG="/tmp/openclaw.json"
+
+if [ ! -f "$TEMPLATE" ]; then
+  echo "ERROR: Config template not found at $TEMPLATE"
+  exit 1
+fi
+
+# Validate required env vars
+: "${ZAI_API_KEY:?ZAI_API_KEY is required}"
+: "${OPENCLAW_GATEWAY_TOKEN:?OPENCLAW_GATEWAY_TOKEN is required}"
+: "${OLLAMA_BASE_URL:?OLLAMA_BASE_URL is required (e.g. http://10.1.1.42:11434)}"
+
+# Render template -> final config (no hardcoded values in image or volumes)
+envsubst < "$TEMPLATE" > "$CONFIG"
+
+export OPENCLAW_CONFIG_PATH="$CONFIG"
+
+exec openclaw gateway run --bind lan --auth token "$@"
--- a/docker/openclaw-instances/jarvis-main.env
+++ b/docker/openclaw-instances/jarvis-main.env
@@ -1,3 +1,4 @@
 OPENCLAW_CONFIG_PATH=/config/openclaw.json
 ZAI_API_KEY=REPLACE_WITH_ZAI_API_KEY
 OPENCLAW_GATEWAY_TOKEN=REPLACE_WITH_UNIQUE_GATEWAY_TOKEN
+OLLAMA_BASE_URL=REPLACE_WITH_OLLAMA_BASE_URL
--- a/docker/openclaw-instances/jarvis-main.json.template
+++ b/docker/openclaw-instances/jarvis-main.json.template
@@ -22,7 +22,7 @@
    "mode": "merge",
    "providers": {
      "ollama": {
-        "baseUrl": "http://10.1.1.42:11434/v1",
+        "baseUrl": "${OLLAMA_BASE_URL}/v1",
        "api": "openai-completions",
        "models": [
          {
--- a/docker/openclaw-instances/jarvis-operations.env
+++ b/docker/openclaw-instances/jarvis-operations.env
@@ -1,3 +1,4 @@
 OPENCLAW_CONFIG_PATH=/config/openclaw.json
 ZAI_API_KEY=REPLACE_WITH_ZAI_API_KEY
 OPENCLAW_GATEWAY_TOKEN=REPLACE_WITH_UNIQUE_GATEWAY_TOKEN
+OLLAMA_BASE_URL=REPLACE_WITH_OLLAMA_BASE_URL
--- a/docker/openclaw-instances/jarvis-operations.json.template
+++ b/docker/openclaw-instances/jarvis-operations.json.template
@@ -21,7 +21,7 @@
    "mode": "merge",
    "providers": {
      "ollama": {
-        "baseUrl": "http://10.1.1.42:11434/v1",
+        "baseUrl": "${OLLAMA_BASE_URL}/v1",
        "api": "openai-completions",
        "models": [
          {
--- a/docker/openclaw-instances/jarvis-projects.env
+++ b/docker/openclaw-instances/jarvis-projects.env
@@ -1,3 +1,4 @@
 OPENCLAW_CONFIG_PATH=/config/openclaw.json
 ZAI_API_KEY=REPLACE_WITH_ZAI_API_KEY
 OPENCLAW_GATEWAY_TOKEN=REPLACE_WITH_UNIQUE_GATEWAY_TOKEN
+OLLAMA_BASE_URL=REPLACE_WITH_OLLAMA_BASE_URL
--- a/docker/openclaw-instances/jarvis-projects.json.template
+++ b/docker/openclaw-instances/jarvis-projects.json.template
@@ -20,7 +20,7 @@
    "mode": "merge",
    "providers": {
      "ollama": {
-        "baseUrl": "http://10.1.1.42:11434/v1",
+        "baseUrl": "${OLLAMA_BASE_URL}/v1",
        "api": "openai-completions",
        "models": [
          {
--- a/docker/openclaw-instances/jarvis-research.env
+++ b/docker/openclaw-instances/jarvis-research.env
@@ -1,3 +1,4 @@
 OPENCLAW_CONFIG_PATH=/config/openclaw.json
 ZAI_API_KEY=REPLACE_WITH_ZAI_API_KEY
 OPENCLAW_GATEWAY_TOKEN=REPLACE_WITH_UNIQUE_GATEWAY_TOKEN
+OLLAMA_BASE_URL=REPLACE_WITH_OLLAMA_BASE_URL
--- a/docker/openclaw-instances/jarvis-research.json.template
+++ b/docker/openclaw-instances/jarvis-research.json.template
@@ -20,7 +20,7 @@
    "mode": "merge",
    "providers": {
      "ollama": {
-        "baseUrl": "http://10.1.1.42:11434/v1",
+        "baseUrl": "${OLLAMA_BASE_URL}/v1",
        "api": "openai-completions",
        "models": [
          {