diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1d61cfd5deab69f4b7b095a01e62a6f43e05ae46..1ed7a2f216a0b33512e459221b3a7dfa8c10eec1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,14 +1,14 @@ image: docker:stable services: - docker:dind - + stages: - metabuild - build - - static_tests - - dynamic_tests + - static_tests + - dynamic_tests - deployment - + # build the container that further steps will run in in order to avoid duplicating instructions between steps metabuild: stage: metabuild @@ -23,10 +23,11 @@ metabuild: only: changes: - "pica-dokuwiki/*" + - "pica-etherpad/*" refs: - master - dev-ci - + # build the container that was modified build: stage: build @@ -38,11 +39,12 @@ build: - docker build -f $MODIFIED_IMAGE/Dockerfile $MODIFIED_IMAGE -t $REGISTRY/ci-builds/$CI_COMMIT_SHA - docker push $REGISTRY/ci-builds/$CI_COMMIT_SHA after_script: - - docker logout $REGISTRY + - docker logout $REGISTRY tags: [build] only: changes: - "pica-dokuwiki/*" + - "pica-etherpad/*" refs: - master - dev-ci @@ -62,8 +64,8 @@ clair: - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 - mv clair-scanner_linux_amd64 clair-scanner - chmod +x clair-scanner - - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done - - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r clair-report.json -l clair.log -w $MODIFIED_IMAGE/clair-whitelist.yml --threshold="High" $REGISTRY/ci-builds/$CI_COMMIT_SHA + - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done + - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r clair-report.json -l clair.log -w $MODIFIED_IMAGE/clair-whitelist.yml --threshold="High" $REGISTRY/ci-builds/$CI_COMMIT_SHA artifacts: paths: - clair-report.json @@ -72,6 +74,7 @@ clair: only: changes: - "pica-dokuwiki/*" + - "pica-etherpad/*" refs: - master - dev-ci 
@@ -86,13 +89,13 @@ docker-bench-security: - docker logout $REGISTRY - source /etc/profile.d/ci-variables - sed -i -e "s/$MODIFIED_IMAGE_FULL/$REGISTRY\/ci-builds\/$CI_COMMIT_SHA:latest/g" $MODIFIED_IMAGE/docker-compose.yml - # remove links to external networks to be able to start the container locally - - sed -i -e '/networks/,+3d' $MODIFIED_IMAGE/docker-compose.yml - script: # if secrets.example files exist, remove the .example extension to be able to start the container - - if [[ -d $MODIFIED_IMAGE/secrets ]]; then for i in $MODIFIED_IMAGE/secrets/* ; do cp $i $(echo $i| cut -d '.' -f1,2); done; fi; + - if [[ -d $MODIFIED_IMAGE/secrets ]]; then for i in $MODIFIED_IMAGE/secrets/*.example ; do cp $i $(echo $i| cut -d '.' -f1,2); done; fi; + # let docker-compose create the required volumes and networks + - "sed -i -e 's/external: true/external: false/g' $MODIFIED_IMAGE/docker-compose.yml" + - cat $MODIFIED_IMAGE/docker-compose.yml + script: - cd $MODIFIED_IMAGE - - docker volume create $CONTAINER_NAME - docker-compose up -d - git clone https://github.com/docker/docker-bench-security.git - cd docker-bench-security @@ -101,19 +104,22 @@ docker-bench-security: paths: - report.txt after_script: - - docker logout $REGISTRY + - docker logout $REGISTRY tags: [build] only: changes: - "pica-dokuwiki/*" + - "pica-etherpad/*" refs: - master - dev-ci # automatically deploy the container on pica01-test -deployment-test: +deployment-test: stage: deployment image: $REGISTRY/pica-ci:latest + variables: + PICA_ENVIRONMENT: "TEST" before_script: - source /etc/profile.d/ci-variables - export DOCKER_HOST=tcp://pica01-test.picasoft.net:2376 
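Review bot: The rewritten copy loop in the docker-bench-security `before_script` still builds the target name with `cut -d '.' -f1,2` and leaves `$i` unquoted, so a dot elsewhere in the path, or whitespace in a file name, makes `cp` write to the wrong place. Stripping the suffix directly is shorter and exact: `cp "$i" "${i%.example}"`. When the secrets directory holds no `.example` file the glob stays literal and `cp` fails, which would break this job for images that only ship encrypted secrets; that depends on the directory contents, which the diff does not show. The added `cat $MODIFIED_IMAGE/docker-compose.yml` prints the whole compose file into the job log, so it deserves a comment such as `# debug output: the compose file must never carry inline secrets`. The job definition begins above this hunk.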
@@ -123,13 +129,15 @@ deployment-test: - echo "$DEV_DOCKER_CA_CERT" > $DOCKER_CERT_PATH/ca.pem - echo "$DEV_DOCKER_CLIENT_CERT" > $DOCKER_CERT_PATH/cert.pem - echo "$DEV_DOCKER_CLIENT_KEY" > $DOCKER_CERT_PATH/key.pem - script: - - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin + - chmod +x decrypt-secrets.sh + - if [[ -d "$MODIFIED_IMAGE/secrets" ]]; then eval $(cat /etc/profile.d/ci-variables) ./decrypt-secrets.sh; fi + - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $MODIFIED_IMAGE_FULL + script: - cd $MODIFIED_IMAGE - sed -i -e s/picasoft.net/test.picasoft.net/g docker-compose.yml - - if [[ $(docker container ls --format "{{.Names}}" | grep $CONTAINER_NAME) ]]; then docker stop $CONTAINER_NAME | xargs docker rm; fi + - for SERVICE in $(docker-compose config --services); do if [[ $(docker container ls --format "{{.Names}}" | grep $SERVICE) ]]; then docker stop $SERVICE | xargs docker rm; fi; done - docker-compose up -d --force-recreate --remove-orphans $CONTAINER_NAME after_script: - rm -rf $DOCKER_CERT_PATH @@ -138,15 +146,18 @@ deployment-test: only: changes: - "pica-dokuwiki/*" + - "pica-etherpad/*" refs: - master - dev-ci # automatically deploy the container on the production host associated with the modified image # this will only happen after manually triggering the deployment -deployment-prod: +deployment-prod: stage: deployment image: $REGISTRY/pica-ci:latest + variables: + PICA_ENVIRONMENT: "PRODUCTION" before_script: - source /etc/profile.d/ci-variables - TMP_DOCKER_CA_CERT="${HOST}_DOCKER_CA_CERT" && eval DOCKER_CA_CERT_VARIABLE=\$$TMP_DOCKER_CA_CERT 
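Review bot: `eval $(cat /etc/profile.d/ci-variables) ./decrypt-secrets.sh` in the deployment-test `before_script` re-parses the whole variables file as shell code after unquoted word splitting, in a job that holds the Docker TLS client key and the GPG private key. If the file consists of `export NAME=value` lines (it is written outside this diff, so this is an assumption), the joined words no longer form a `VAR=value command` prefix and the script may not run as intended. Any value containing spaces or shell metacharacters is also re-interpreted. The same file is already sourced at the top of this `before_script`, so exporting while sourcing removes the need for `eval`: `set -a; . /etc/profile.d/ci-variables; set +a; ./decrypt-secrets.sh`. The identical line is added to deployment-prod in the `@@ -159,12 +170,14 @@` hunk.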
@@ -159,12 +170,14 @@ deployment-prod: - echo "$DOCKER_CA_CERT_VARIABLE" > $DOCKER_CERT_PATH/ca.pem - echo "$DOCKER_CLIENT_CERT_VARIABLE" > $DOCKER_CERT_PATH/cert.pem - echo "$DOCKER_CLIENT_KEY_VARIABLE" > $DOCKER_CERT_PATH/key.pem - script: + - chmod +x decrypt-secrets.sh + - if [[ -d "$MODIFIED_IMAGE/secrets" ]]; then eval $(cat /etc/profile.d/ci-variables) ./decrypt-secrets.sh; fi - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin - - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest + - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $MODIFIED_IMAGE_FULL + script: - cd $MODIFIED_IMAGE - - if [[ $(docker container ls --format "{{.Names}}" | grep $CONTAINER_NAME) ]]; then docker stop $CONTAINER_NAME | xargs docker rm; fi + - for SERVICE in $(docker-compose config --services); do if [[ $(docker container ls --format "{{.Names}}" | grep $SERVICE) ]]; then docker stop $SERVICE | xargs docker rm; fi; done - docker-compose up -d --force-recreate --remove-orphans $CONTAINER_NAME after_script: - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $REGISTRY_PROD/$MODIFIED_IMAGE_FULL @@ -175,7 +188,8 @@ deployment-prod: only: changes: - "pica-dokuwiki/*" + - "pica-etherpad/*" refs: - master - dev-ci - when: manual \ No newline at end of file + when: manual diff --git a/decrypt-secrets.sh b/decrypt-secrets.sh new file mode 100644 index 0000000000000000000000000000000000000000..eaa4d9a32b2f09a77c65cf2496fc5c22b0f0e561 --- /dev/null +++ b/decrypt-secrets.sh 
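Review bot: The new `for SERVICE in $(docker-compose config --services)` loop in deployment-prod tests `grep $SERVICE` against the running container names, which is an unquoted substring match, and then hands the service name to `docker stop`. A service called `etherpad-app` would therefore also match a container named `etherpad-app-old` (constructed example), and the stop only works while every service sets `container_name` equal to its service name, as pica-etherpad/docker-compose.yml does. An exact, fixed-string test avoids both: `if docker container ls --format "{{.Names}}" | grep -Fxq "$SERVICE"; then docker stop "$SERVICE" | xargs docker rm; fi`. The deployment-test hunk `@@ -123,13 +129,15 @@` adds the same loop.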
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# import the PGP key for the right environment
+if [ "$PICA_ENVIRONMENT" = "TEST" ];
+then
+ echo "$PRIVATE_GPG_KEY_TEST" > /tmp/pgp-key
+elif [ "$PICA_ENVIRONMENT" = "PRODUCTION" ];
+then
+ echo "$PRIVATE_GPG_KEY_PRODUCTION" > /tmp/pgp-key
+else
+ exit -1
+fi
+cat /tmp/pgp-key | gpg --import
+
+# decrypt the secrets
+SECRETS_PATH=$MODIFIED_IMAGE/secrets/encrypted-variables-$(echo $PICA_ENVIRONMENT | tr '[:upper:]' '[:lower:]')
+echo $SECRETS_PATH
+
+for container_secrets_folder in $SECRETS_PATH/*;
+do
+ CONTAINER_NAME=$(basename $container_secrets_folder)
+ for encrypted_secret in $container_secrets_folder/*;
+ do
+ SECRET_NAME=$(basename $encrypted_secret)
+ ( echo -n "$SECRET_NAME=" ; gpg --quiet --decrypt $encrypted_secret ) >> $MODIFIED_IMAGE/secrets/$CONTAINER_NAME.secrets
+ done
+done
+
+ls -al pica-etherpad/secrets/
\ No newline at end of file
diff --git a/pica-ci/Dockerfile b/pica-ci/Dockerfile
index 97928e0a353842f8d05a5e980e9a64d860abbfe6..4514e10052c3d73efbca9f2a7cae6a22178e6cd7 100644
--- a/pica-ci/Dockerfile
+++ b/pica-ci/Dockerfile
@@ -5,6 +5,7 @@ COPY . /workdir/
 RUN apk update && \
 apk add build-base \
 git \
+ gnupg \
 iproute2 \
 libffi-dev \
 openssl-dev \
@@ -13,7 +14,7 @@ RUN apk update && \
 sed \
 wget && \
 pip install docker-compose && \
- chmod +x get-modified-image.sh get-host-by-image.sh && \
+ chmod +x get-modified-image.sh get-host-by-image.sh decrypt-secrets.sh && \
 export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh) && \
 export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1) && \
 export CONTAINER_NAME=$(cat $MODIFIED_IMAGE/docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1 | xargs) && \
diff --git a/pica-dokuwiki/clair-whitelist.yml b/pica-dokuwiki/clair-whitelist.yml
index 32be8c2f1934908a7923d8ac1c4054d3c31dabd5..6c0c6e6e16c9f7759c418b32166917e7cb9c18fb 100644
--- a/pica-dokuwiki/clair-whitelist.yml
+++ b/pica-dokuwiki/clair-whitelist.yml
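Review bot: decrypt-secrets.sh writes the private key to `/tmp/pgp-key` under the default umask and never removes it, and without `set -e` a failed `gpg --decrypt` still appends a bare `NAME=` line, so the deployment carries on with an empty secret. `exit -1` and `echo -n` are not portable under `#!/bin/sh`, and the trailing `ls -al pica-etherpad/secrets/` is a hard-coded debugging leftover that should go. The sketch below pipes the key straight into `gpg --import`, stops on the first error, creates the `.secrets` files with a restrictive umask and truncates them so a re-run does not append duplicates. The decrypted files should still be deleted in each job's `after_script`, next to the existing `rm -rf $DOCKER_CERT_PATH`.

```sh
#!/bin/sh
set -eu
umask 077

# import the PGP key for the right environment without a key file on disk
case "$PICA_ENVIRONMENT" in
    TEST)       printf '%s\n' "$PRIVATE_GPG_KEY_TEST" | gpg --batch --import ;;
    PRODUCTION) printf '%s\n' "$PRIVATE_GPG_KEY_PRODUCTION" | gpg --batch --import ;;
    *)          echo "unknown PICA_ENVIRONMENT" >&2; exit 1 ;;
esac

# ... unchanged: SECRETS_PATH computation ...

for container_secrets_folder in "$SECRETS_PATH"/*
do
    CONTAINER_NAME=$(basename "$container_secrets_folder")
    OUT="$MODIFIED_IMAGE/secrets/$CONTAINER_NAME.secrets"
    : > "$OUT"
    for encrypted_secret in "$container_secrets_folder"/*
    do
        SECRET_NAME=$(basename "$encrypted_secret")
        # decrypt first: a gpg failure aborts here instead of writing "NAME="
        SECRET_VALUE=$(gpg --batch --quiet --decrypt "$encrypted_secret")
        printf '%s=%s\n' "$SECRET_NAME" "$SECRET_VALUE" >> "$OUT"
    done
done
```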
@@ -8,4 +8,4 @@ generalwhitelist:
 CVE-2017-12424: shadow -> Pas de contre-mesure
 CVE-2016-2779: util-linux -> Pas de contre-mesure
 CVE-2017-14062: libidn11 -> dépendance directe de wget et indirecte de curl, un des 2 est nécessaire pour le HEALTHCHECK et le téléchargement de Dokuwiki -> Pas de contre-mesure
- CVE-2019-11068: libxslt -> dépendance de PHP, pas de contre-mesure
\ No newline at end of file
+ CVE-2019-11068: libxslt -> dépendance de PHP, pas de contre-mesure
\ No newline at end of file
diff --git a/pica-etherpad/clair-whitelist.yml b/pica-etherpad/clair-whitelist.yml
index 472535f1194cff77927e7c9a43a1ba91b9603c8f..5dbddc2009c856f6b8c914e2e4b960bb39c5de86 100644
--- a/pica-etherpad/clair-whitelist.yml
+++ b/pica-etherpad/clair-whitelist.yml
@@ -1,23 +1,11 @@
 generalwhitelist:
 CVE-2017-14062: libidn11 -> pas de contre mesure disponible pour stretch
- CVE-2019-3823: curl -> non affecté, le paquet qui contient la contre mesure est installé à la place de celui qui est vulnérable cf logs
- CVE-2019-3822: curl -> idem
- CVE-2018-1000654: libtasn1-6 -> Pas de contre mesure disponible
- CVE-2016-9841: zlib -> le paquet qui corrige le problème n'est pas backporté -> Pas de contre mesure
- CVE-2016-2774: isc-dhcp -> Le paquet qui corrige le problème n'est pas backporté, et DHCP n'est probablement même pas utilisé par le conteneur -> Pas de contre mesure
- CVE-2016-9843: zlib -> le paquet qui corrige le problème n'est pas backporté -> Pas de contre mesure
 CVE-2016-2779: util-linux -> Vulnérabilité Linux
 CVE-2017-10788: libdbd-mysql-perl -> Bug qui semble nécessiter que la base de données soit accessible par le réseau ce qui n'est pas le cas -> Non affecté
 CVE-2018-6485: glibc -> Pas de contre mesure
- CVE-2017-16997: glibc -> Pas de contre mesure
- CVE-2017-18269: glibc -> Pas de contre mesure
- CVE-2017-15670: glibc -> Pas de contre mesure
 CVE-2018-6551: glibc -> Pas de contre mesure
 CVE-2018-1000001: glibc -> Pas de contre mesure
- CVE-2017-1000408: glibc -> Pas de contre mesure
- CVE-2017-15804: glibc -> Pas de contre mesure
 CVE-2019-9169: glibc -> Pas de contre mesure
 CVE-2017-12424: shadow -> Pas de contre mesure
- CVE-2018-6954: systemd -> Pas de contre mesure
- CVE-2018-15686: systemd -> Pas de contre mesure
- CVE-2018-6797: Perl est une dépendance du client mysql et la version non vulnérable dans stretch n'a pas été backportée -> Pas de contre-mesure
\ No newline at end of file
+ CVE-2019-11068: libxslt -> dépendance d'autres paquets, pas de correctif disponible -> Pas de contre-mesure
+ CVE-2019-9631: poppler -> à désinstaller
\ No newline at end of file
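Review bot: The added entry `CVE-2019-9631: poppler -> à désinstaller` whitelists a finding whose own justification says the package should be removed, so the clair job stops reporting it while the package stays in the image. Removing poppler in the image's Dockerfile (not part of this diff) and dropping the entry is the durable fix. If the entry is kept as a stop-gap, mark it as such above the line, for example `# temporary: drop this entry once poppler is removed from the image`, so the exception does not outlive its reason.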
diff --git a/pica-etherpad/docker-compose.yml b/pica-etherpad/docker-compose.yml
index f519eec6edfd62011d7161fefe016278e80e39e5..daf375784cb2144c90ce7a98647b4e937c6fbb1d 100755
--- a/pica-etherpad/docker-compose.yml
+++ b/pica-etherpad/docker-compose.yml
@@ -1,8 +1,21 @@
 version : "2.4"
+
+volumes:
+ etherpad-db-volume:
+ external: true
+ name: "etherpad-db"
+
+networks:
+ docker_default:
+ external: true
+ name: "docker_default"
+
 services:
 etherpad-app:
 image: pica-etherpad:1.7.5
 container_name: etherpad-app
+ depends_on:
+ - etherpad-db
 links:
 - etherpad-db:mysql
 security_opt:
@@ -19,7 +32,8 @@ services:
 - ETHERPAD_THEME=colibris
 - ETHERPAD_MINIFY=true
 restart: always
-
+ networks:
+ - docker_default
 etherpad-db:
 image: mysql:5.7
 container_name: etherpad-db
@@ -29,7 +43,7 @@ services:
 cpus: "0.20"
 pids_limit: 1024
 volumes:
- - /DATA/docker/etherpad/etherpad-db/data:/var/lib/mysql
+ - etherpad-db-volume:/var/lib/mysql
 env_file: ./secrets/etherpad-db.secrets
 healthcheck:
 test: "/usr/bin/mysql --user=root --password=$${MYSQL_ROOT_PASSWORD} --execute \"SHOW DATABASES;\""
@@ -37,4 +51,5 @@ services:
 timeout: 20s
 retries: 10
 restart: always
-
+ networks:
+ - docker_default
\ No newline at end of file
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_ADMIN_PASSWORD b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_ADMIN_PASSWORD
new file mode 100644
index 0000000000000000000000000000000000000000..b9613c461816fe5d18dab37ca2d03cc21db743b7
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_ADMIN_PASSWORD differ
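Review bot: Nothing in this diff creates the external volume `etherpad-db` on the deployment hosts or moves the existing MySQL data into it, although the `etherpad-db` service now mounts it at `/var/lib/mysql` in place of the host path `/DATA/docker/etherpad/etherpad-db/data`. With `external: true`, `docker-compose up` refuses to start when the volume is missing, and a freshly created empty volume would make MySQL initialise a new database rather than reuse the existing one (assuming production data still lives under the old path). A comment on the new `volumes:` block would make the precondition explicit, for example `# must exist on the host before deploy, holding the data from /DATA/docker/etherpad/etherpad-db/data`. The same precondition applies to the external `docker_default` network.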
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_NAME b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_NAME
new file mode 100644
index 0000000000000000000000000000000000000000..0fa4709e749342699d9ef9ef4bf2cc62ab72d775
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_NAME differ
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_PASSWORD b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_PASSWORD
new file mode 100644
index 0000000000000000000000000000000000000000..88744f475dbc370be4c5783112b8692616383095
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_PASSWORD differ
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_USER b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_USER
new file mode 100644
index 0000000000000000000000000000000000000000..9e2d3fbfe24197eae7644b3c48f875cb2855d88c
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_USER differ
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/MYSQL_PORT_3306_TCP_ADDR b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/MYSQL_PORT_3306_TCP_ADDR
new file mode 100644
index 0000000000000000000000000000000000000000..bb074d3dbea2ff7fdbae86dafd3ec2f653b6e97f
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/MYSQL_PORT_3306_TCP_ADDR differ
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_DATABASE b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_DATABASE
new file mode 100644
index 0000000000000000000000000000000000000000..f28d17007de9d44fb330efc1cc3ee95510ef663b
--- /dev/null
+++ b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_DATABASE @@ -0,0 +1,3 @@ +�k���o�k�}<����=��5J�o[�"��\i�w�����oA���-# n��K:�хS�ΐ�p�;���i���q�97r������|�G_��#uVF�rm���݀�eÕ������o���l���̭%�X�����)WY�x�{݁��Y�S�5�;�Lp� X���&Z�'���MS�?x�8����$��q�M�m��~i�$��pG�wa67��6������Q�.��w[�YH1��(L�����&D����F#������W0��� D�.k)��<D|��X���(��#��~" **-?���rI������\��g=.�fh��T2ř�V `�rk����O��_s��s4��9��c��,s��=]�##�g|@�2�����3�_�M�y$Qܤ��z��7@ |J��P� 6a�j�q����S}d��g���-ݞ9ԕ�v" +�J� [Ȯ����G� +E��f��&�e� �$�� [�f�\��%�&����$�WZ1G��P>�G���H���m������J��%���~�y�������#�'�7/�f�|ݵPB��� ����t��>��J(�J \ No newline at end of file diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_PASSWORD b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_PASSWORD new file mode 100644 index 0000000000000000000000000000000000000000..9c3c24921fec8711c6648b06081156fd9f49e34d Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_PASSWORD differ diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_ROOT_PASSWORD b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_ROOT_PASSWORD new file mode 100644 index 0000000000000000000000000000000000000000..cd21bebf837e1596b2029c728dbacaa2763f666b Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_ROOT_PASSWORD differ diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_USER b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_USER new file mode 100644 index 0000000000000000000000000000000000000000..8ea5c5d730e9b41dc494c0f74bcf7ab85543cade Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_USER differ 
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_ADMIN_PASSWORD b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_ADMIN_PASSWORD
new file mode 100644
index 0000000000000000000000000000000000000000..6de315d7269275a3446cc0a6576c5cca1467cd9b
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_ADMIN_PASSWORD differ
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_NAME b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_NAME
new file mode 100644
index 0000000000000000000000000000000000000000..f9f3d6dcd6011ef2c99251441d2002c2526f3227
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_NAME differ
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_PASSWORD b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_PASSWORD
new file mode 100644
index 0000000000000000000000000000000000000000..3e8a3e2c8c510098a0a4de4b03a4e1edc54c876c
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_PASSWORD differ
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_USER b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_USER
new file mode 100644
index 0000000000000000000000000000000000000000..7a2ab42fadeefa82c834405eaf31ac72b38a0323
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_USER differ
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/MYSQL_PORT_3306_TCP_ADDR b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/MYSQL_PORT_3306_TCP_ADDR new file mode 100644 index 0000000000000000000000000000000000000000..8cdda0d812be49e09323eacd3614434799ffd46d Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/MYSQL_PORT_3306_TCP_ADDR differ diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_DATABASE b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_DATABASE new file mode 100644 index 0000000000000000000000000000000000000000..75e409e910e38ece0967157a554d8ebe39d220a0 --- /dev/null +++ b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_DATABASE @@ -0,0 +1,6 @@ +����=H�z���,����z��D�Jp�'�ׯW�Q�������)y5r3qI �qrZ�#�cB�����qsq�I@�'u�~��������Y�&|[t_ &;�O#��c�iA�̀H�Ax��Jx����i��Ԥ��B�?�v)� �3����Gc�\yRyJ��u^ +{<�h��c�E#J���+�ps�hqf�'$���ҵ�^F']������D�\/K!��eA �F�F�Ht;(�.Ͽ���2�����p�Uۯ^�&¡�t�K�d���<[�S�{y�@�� �E/"�B��{g;]s"t��/Ķ�\E�(z�Xe��i�:��zˉc�Q$�Jᝰ}6൹4�m���yM��sZ:�Na᭻@^��}v}a|�l�OH�� +ͱ���쥂 +��O��ByX�qL�Xʈ� +�t�c��Hx�� +��; �r��x*��U!�~��9>#w�ld �#�~���\���_�mࢧoW�啮�J����D,�Mj��X��Qv�؛�>�U];,{�W%,��o�u���h=I������e;^��V��(�pi��>�Oɩ�L�T�����m�a�� ��:����= fh�i��A�^Qx \ No newline at end of file diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_PASSWORD b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_PASSWORD new file mode 100644 index 0000000000000000000000000000000000000000..f579f7ad7cf840feef9af17e40eb1d35afe9a5ad Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_PASSWORD differ 
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_ROOT_PASSWORD b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_ROOT_PASSWORD
new file mode 100644
index 0000000000000000000000000000000000000000..87fce66983d6576c4863cb937a438f94c37b23d0
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_ROOT_PASSWORD differ
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_USER b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_USER
new file mode 100644
index 0000000000000000000000000000000000000000..6ce2fe00f4c8cab717771ecb85546e4d657bfdfc
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_USER differ