@itoffshore itoffshore commented May 15, 2025

  • adds a new ENV variable DOCKER_STEPCA_PASSWORD_FILE so the password file location can be changed / set on every run
  • adds set_password_files() to entrypoint.sh so /home/step/secrets/password becomes a symlink in containers pointing to DOCKER_STEPCA_INIT_PASSWORD_FILE (for backwards compatibility) and also DOCKER_STEPCA_PASSWORD_FILE, so secret file permissions are retained
  • adds a podman example quadlet / run command with:
    • a secret generated by openssl using an 8192-character hex string
    • health monitoring in the .container example
  • small update to README.md for the new podman examples / docker examples

Fixes #2270


Name of feature:

  • More secure container secrets / add podman examples

Pain or issue this feature alleviates:

  • improves container secret file permissions

Why is this important to the project (if not answered above):

  • you can never have too much security ;o)

Is there documentation on how to use this feature? If so, where?

  • podman examples included - I've been using these for a few weeks now

In what environments or workflows is this feature supported?

  • containers

In what environments or workflows is this feature explicitly NOT supported (if any)?

  • standalone binaries

Supporting links/other PRs/issues: #2270

💔Thank you!

@github-actions github-actions bot added the "needs triage" label (Waiting for discussion / prioritization by team) May 15, 2025
@itoffshore itoffshore force-pushed the secrets branch 3 times, most recently from 88689aa to 2f8e30d Compare May 21, 2025 00:33
itoffshore commented May 21, 2025

did a bit more testing:

  • a 378,000-character base64 string from openssl doesn't work (I don't think the input expects so many newlines)
  • successfully tested and changed the examples to an 8192-character hex string from openssl

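The mechanism from the PR description above (default password path turned into a symlink to the configured secret file so the secret keeps the mode its runtime gave it) and the secret-format finding in this comment (a wrapped, multi-line base64 secret did not work, a single-line 8192-character hex string did), as an added shell example. This is not the project's entrypoint.sh and not the PR's code: set_password_files() here is a model of the PR's function of that name, the variable names DOCKER_STEPCA_PASSWORD_FILE and DOCKER_STEPCA_INIT_PASSWORD_FILE are the PR's, and gen_hex_secret, gen_wrapped_secret, check_secret, demo and the step-home argument are assumed names for this example. The secret written by gen_wrapped_secret is constructed input.

```shell
#!/bin/sh
# Added example, not the smallstep-certificates entrypoint.sh. It models the
# PR's approach: the CA's default password path becomes a symlink to the
# mounted secret file, so the secret file's own mode (0600 here) is what
# governs access and no copy with looser permissions is ever made.
# DOCKER_STEPCA_PASSWORD_FILE / DOCKER_STEPCA_INIT_PASSWORD_FILE are the PR's
# names; the step-home argument and the helper names are assumptions.

# Write an 8192-character hex secret (4096 random bytes) to $1 with mode 0600.
# Uses openssl as the PR's examples do, with an od fallback when it is absent.
gen_hex_secret() {
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -hex 4096 > "$1"
        else
            { head -c 4096 /dev/urandom | od -An -v -tx1 | tr -d ' \n'; printf '\n'; } > "$1"
        fi
    )
}

# Constructed bad input: the same entropy split over two lines, the way a
# wrapped base64/hex dump arrives. The author found a multi-line 378,000-char
# base64 secret did not work; check_secret rejects such a file up front.
gen_wrapped_secret() {
    (
        umask 077
        { head -c 2048 /dev/urandom | od -An -v -tx1 | tr -d ' \n'; printf '\n'
          head -c 2048 /dev/urandom | od -An -v -tx1 | tr -d ' \n'; printf '\n'; } > "$1"
    )
}

# Point $1/secrets/password at the configured secret file.
# DOCKER_STEPCA_PASSWORD_FILE wins; DOCKER_STEPCA_INIT_PASSWORD_FILE is the
# backwards-compatible fallback. An existing regular file is never clobbered,
# only a stale symlink is replaced.
set_password_files() {
    step_home="$1"
    link="$step_home/secrets/password"
    target="${DOCKER_STEPCA_PASSWORD_FILE:-$DOCKER_STEPCA_INIT_PASSWORD_FILE}"
    [ -n "$target" ] || { echo "set_password_files: no password file configured" >&2; return 1; }
    [ -f "$target" ] || { echo "set_password_files: $target is not a file" >&2; return 1; }
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "set_password_files: $link is a regular file, refusing to replace it" >&2
        return 1
    fi
    mkdir -p "$step_home/secrets" || return 1
    ln -sfn "$target" "$link"
}

# Sanity-check the secret as the CA sees it through the symlink (stat -L
# follows the link): owner-only mode on the target, exactly one line, and
# that line 8192 lowercase hex characters.
check_secret() {
    f="$1"
    mode=$(stat -L -c %a "$f" 2>/dev/null || stat -L -f %Lp "$f") || return 1
    [ "$mode" = "600" ] || { echo "check_secret: mode $mode, want 600" >&2; return 1; }
    lines=$(wc -l < "$f" | tr -d ' ')
    [ "$lines" -eq 1 ] || { echo "check_secret: $lines lines, want 1" >&2; return 1; }
    line=$(head -n 1 "$f")
    [ ${#line} -eq 8192 ] || { echo "check_secret: ${#line} chars, want 8192" >&2; return 1; }
    printf '%s' "$line" | grep -Eq '^[0-9a-f]+$'
}

# End-to-end run in a temp dir: generate, link, check; prints the link target.
demo() {
    tmp=$(mktemp -d)
    DOCKER_STEPCA_PASSWORD_FILE="$tmp/run/secrets/password"
    export DOCKER_STEPCA_PASSWORD_FILE
    mkdir -p "$tmp/run/secrets"
    gen_hex_secret "$DOCKER_STEPCA_PASSWORD_FILE" || return 1
    set_password_files "$tmp/step" || return 1
    check_secret "$tmp/step/secrets/password" || return 1
    readlink "$tmp/step/secrets/password"
}
```

In a container the secret file would come from the runtime rather than gen_hex_secret (with Podman, `podman secret create` plus `--secret name,type=mount,...`; the `uid=`, `gid=` and `mode=` options on `--secret` decide what the mounted file looks like). The symlink leaves whatever mode the runtime chose in force, which is the point of the PR; the refusal to replace a regular file protects an existing password that was written into the home directory before the variable was introduced.
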
@itoffshore itoffshore force-pushed the secrets branch 2 times, most recently from 71ef567 to dd11516 Compare May 22, 2025 01:21
@itoffshore itoffshore marked this pull request as draft May 22, 2025 18:46
@itoffshore itoffshore force-pushed the secrets branch 11 times, most recently from 307f599 to a5eaa57 Compare May 24, 2025 17:14
@itoffshore itoffshore marked this pull request as ready for review May 24, 2025 17:16
@itoffshore itoffshore marked this pull request as draft May 24, 2025 17:26
@itoffshore itoffshore marked this pull request as ready for review May 25, 2025 10:43
@itoffshore itoffshore marked this pull request as draft May 25, 2025 12:14
@itoffshore itoffshore marked this pull request as ready for review May 25, 2025 12:59
@hslatman hslatman requested a review from jdoss May 27, 2025 17:04
@jdoss jdoss left a comment


Thank you so much for this PR @itoffshore. You get bonus points for including Podman examples. 👏🏼👏🏼 I use Podman with Quadlets for all of my homelab container deployments, including step ca.

I have left a detailed review. If you can make the requested changes that would be great, and we can get this merged.

itoffshore commented May 29, 2025

> Thank you so much for this PR @itoffshore. You get bonus points for including Podman examples. 👏🏼👏🏼 I use Podman with Quadlets for all of my homelab container deployments, including step ca.

I can fix it here && here

> I have left a detailed review. If you can make the requested changes that would be great, and we can get this merged.

all the changes should be there

Quadlets are great - on to pods next

if you love podman, check out MicroOS as a container host - I switched to it on my stuff about a year ago. Rolling release with self-correcting upgrades (btrfs snapshots)

Making customised iso images with "kiwi" is great. RKE2 can be run on it very easily.


  • Possibly the issue with the Alpine image when not run with --privileged:

[image: alpine-stepca]

  • perhaps put the image binaries under /usr/bin (where Alpine expects them to be). In Alpine ordinary users are quite locked down (no ping); something doesn't like /usr/local/bin being executed by the step user early in startup.

  • I can do a small fix here && here

@itoffshore itoffshore force-pushed the secrets branch 3 times, most recently from 2bce8ba to 4b6d1c6 Compare May 29, 2025 21:14
@itoffshore itoffshore force-pushed the secrets branch 9 times, most recently from 4e94de2 to 37a0402 Compare June 7, 2025 19:53
* adds a new ENV variable DOCKER_STEPCA_PASSWORD_FILE so the password file
  location can be changed
* adds set_password_files() to entrypoint.sh so /home/step/secrets/password
  becomes a symlink in containers pointing to DOCKER_STEPCA_INIT_PASSWORD_FILE
  & also DOCKER_STEPCA_PASSWORD_FILE so file permissions are retained
* adds podman example quadlet / run command with a 378,000 character secret
* small update to README.md for new podman examples / docker examples

Fixes smallstep#2270
Labels: needs triage (Waiting for discussion / prioritization by team)

Successfully merging this pull request may close these issues: Use container secrets securely