working with secrets

abra-entrypoint.sh

@@ -8,7 +8,10 @@ shift
 echo "++ original entrypoint: ${ORIGINAL_ENTRYPOINT}"
 
 [ -f /run/secrets/postgres_password ] && export DB_PASSWORD="$(cat /run/secrets/postgres_password)"
+[ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)"
 [ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)"
+[ -f /run/secrets/minio_root_password ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)"
+[ -f /run/secrets/minio_root_password ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_root_password)"
 [ -f /run/secrets/django_superuser_password ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)"
 [ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)"
 [ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)"

abra.sh

@@ -1,13 +1,20 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
-export ABRA_ENTRYPOINT_VERSION=v3
+export ABRA_ENTRYPOINT_VERSION=v4
 export NGINX_CONF_VERSION=v2
 export PG_BACKUP_VERSION=v3
 
-# environment() {
-#   # TODO: Add file_env here
-# }
+environment() {
+  [ -f /run/secrets/postgres_password ] && export DB_PASSWORD="$(cat /run/secrets/postgres_password)"
+  [ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)"
+  [ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)"
+  [ -f /run/secrets/minio_root_password ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)"
+  [ -f /run/secrets/django_superuser_password ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)"
+  [ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)"
+  [ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)"
+}
 
 migrate() {
+  environment
   python manage.py migrate --noinput
 }

compose.yml

@@ -5,9 +5,9 @@
 x-common-env: &common-env
   DJANGO_CONFIGURATION: Production
   DJANGO_ALLOWED_HOSTS: "*"
-  XX_DJANGO_SECRET_KEY:
+  # DJANGO_SECRET_KEY supplied via secrets
   DJANGO_SETTINGS_MODULE: impress.settings
-  XX_DJANGO_SUPERUSER_PASSWORD:
+  # DJANGO_SUPERUSER_PASSWORD supplied via secrets
   # Logging
   # Set to DEBUG level for dev only
   LOGGING_LEVEL_HANDLERS_CONSOLE:
@@ -28,8 +28,7 @@ x-common-env: &common-env
   STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
   AWS_S3_ENDPOINT_URL: http://minio:9000
   AWS_S3_ACCESS_KEY_ID: user
-  # FIXME: Move to docker secret (or remove all together)
-  AWS_S3_SECRET_ACCESS_KEY: password
+  # AWS_S3_SECRET_ACCESS_KEY supplied via secret (this is same as MINIO_ROOT_PASSWORD)
   MEDIA_BASE_URL: https://${DOMAIN}
   AWS_STORAGE_BUCKET_NAME: docs-media-storage
   # OIDC - settings from .env, see .env.sample
@@ -38,7 +37,7 @@ x-common-env: &common-env
   OIDC_OP_TOKEN_ENDPOINT:
   OIDC_OP_USER_ENDPOINT:
   OIDC_RP_CLIENT_ID:
-  XX_OIDC_RP_CLIENT_SECRET:
+  # OIDC_RP_CLIENT_SECRET supplied via secrets
   OIDC_RP_SIGN_ALGO:
   OIDC_RP_SCOPES:
   LOGIN_REDIRECT_URL:
@@ -46,7 +45,7 @@ x-common-env: &common-env
   LOGOUT_REDIRECT_URL:
   OIDC_REDIRECT_ALLOWED_HOSTS:
   OIDC_AUTH_REQUEST_EXTRA_PARAMS:
-  # AI
+  # AI (Fixme: remove?)
   AI_FEATURE_ENABLED: "false"
   AI_BASE_URL: https://openaiendpoint.com
   AI_API_KEY: password
@@ -58,33 +57,26 @@ x-postgres-env: &postgres-env
   # Postgresql db container configuration
   POSTGRES_DB: docs
   POSTGRES_USER: docs
-  # FIXME: Move to docker secret
-  XX_POSTGRES_PASSWORD: password
-  POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
   # App database configuration
   DB_HOST: db
   DB_NAME: docs
   DB_USER: docs
-  # FIXME: Move to docker secret
-  XX_DB_PASSWORD: password
   DB_PORT: 5432
+  # DB_PASSWORD supplied via secrets (this is same as POSTGRES_PASSWORD)
 
 x-yprovider-env: &yprovider-env
   COLLABORATION_LOGGING: "true"
+  # FIXME: Move to docker secret
   Y_PROVIDER_API_KEY: foobar
   COLLABORATION_API_URL: http://y-provider:4444/api/
   COLLABORATION_SERVER_ORIGIN: https://${DOMAIN}
-  # FIXME: Move to docker secret
-  XX_COLLABORATION_SERVER_SECRET: my-secret
+  # COLLABORATION_SERVER_SECRET supplied via secrets
   COLLABORATION_BACKEND_BASE_URL: https://${DOMAIN}
   COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/
 
 x-minio-env: &minio-env
   MINIO_ROOT_USER: user
-  # FIXME: Move to docker secret
-  XX_MINIO_ROOT_PASSWORD: password
-  MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_root_password
-
+  # MINIO_ROOT_PASSWORD supplied via secrets
 
 services:
   app:
@@ -111,12 +103,12 @@ services:
       - backend 
     environment:
       <<: [*common-env, *postgres-env, *yprovider-env]
-    healthcheck:
-      test: ["CMD", "python", "manage.py", "check"]
-      interval: 15s
-      timeout: 30s
-      retries: 20
-      start_period: 10s
+#    healthcheck:
+#      test: ["CMD", "python", "manage.py", "check"]
+#      interval: 15s
+#      timeout: 30s
+#      retries: 20
+#      start_period: 10s
     command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"]
     entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"]
     configs:
@@ -220,9 +212,10 @@ services:
     environment: *minio-env
     networks:
       - backend 
-    entrypoint: ["/abra-entrypoint.sh"]
-    command: >
-      sh -c "/usr/bin/mc alias set docs http://minio:9000 $${MINIO_ROOT_USER} $${MINIO_ROOT_PASSWORD} &&
+#    entrypoint: ["/abra-entrypoint.sh"]
+    entrypoint: >
+      sh -c "MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_root_password)\" &&
+      /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" &&
       /usr/bin/mc mb --ignore-existing docs/docs-media-storage &&
       /usr/bin/mc version enable docs/docs-media-storage &&
       exit 0"