From 6e4eeeabc552addc4eed25958dab0d2c961ec62c Mon Sep 17 00:00:00 2001
From: brooke
Date: Thu, 13 Feb 2025 14:40:41 -0500
Subject: [PATCH] fixes to secret handling

---
 README.md | 1 +
 abra.sh | 2 +-
 compose.yml | 26 +++++++------
 entrypoint.rabbitmq.sh.tmpl | 77 ------------------------------------
 rabbitmq.conf.tmpl | 2 +
 5 files changed, 18 insertions(+), 90 deletions(-)
 delete mode 100644 entrypoint.rabbitmq.sh.tmpl
 create mode 100644 rabbitmq.conf.tmpl

diff --git a/README.md b/README.md
index c74be03..5c5406a 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,7 @@
 * Populate SMTP settings by editing env variables that start with `SETTING_EMAIL`.
 * Add a valid email to `SETTING_ZULIP_ADMINISTRATOR`, this email will get error and support emails.
 * `abra app deploy `
+> Zulip may takea while to actually become available after abra deems it to have started, please be patient
diff --git a/abra.sh b/abra.sh
index bc2f727..d4d0159 100644
--- a/abra.sh
+++ b/abra.sh
@@ -3,5 +3,5 @@ export PG_BACKUP_VERSION=v1
 export MEM_ENTRYPOINT_VERSION=v1
 export REDIS_ENTRYPOINT_VERSION=v1
 export RABBIT_HEALTHCHECK_VERSION=v1
-export RABBIT_ENTRYPOINT_VERSION=v1
+export RABBIT_CONFIG_VERSION=v1
 export REDIS_HEALTHCHECK_VERSION=v1
\ No newline at end of file
diff --git a/compose.yml b/compose.yml
index fd179ca..274b8bc 100644
--- a/compose.yml
+++ b/compose.yml
@@ -22,12 +22,12 @@ services:
 SETTING_REDIS_HOST: "redis"
 SETTING_EXTERNAL_HOST: ${DOMAIN}
 ZULIP_AUTH_BACKENDS: "EmailAuthBackend"
- SECRETS_postgres_password: "/run/secrets/db_password"
- SECRETS_memcached_password: "/run/secrets/memcached_password"
- SECRETS_redis_password: "/run/secrets/redis_password"
- SECRETS_rabbitmq_password: "/run/secrets/rabbitmq_password"
- SECRETS_email_password: "/run/secrets/smtp_password"
- SECRETS_secret_key: "/run/secrets/zulip_secret"
+ SECRETS_postgres_password_FILE: "/run/secrets/db_password"
+ SECRETS_memcached_password_FILE: "/run/secrets/memcached_password"
+ SECRETS_redis_password_FILE: "/run/secrets/redis_password"
+ SECRETS_rabbitmq_password_FILE: "/run/secrets/rabbitmq_password"
+ SECRETS_email_password_FILE: "/run/secrets/smtp_password"
+ SECRETS_secret_key_FILE: "/run/secrets/zulip_secret"
 secrets:
 - zulip_secret
 - smtp_password
@@ -104,13 +104,12 @@ services:
 image: "rabbitmq:4.0.6"
 environment:
 RABBITMQ_DEFAULT_USER: "zulip"
- RABBITMQ_DEFAULT_PASS_FILE: "/run/secrets/rabbitmq_password"
 configs:
 - source: rabbitmq_healthcheck
 target: /healthcheck.sh
 mode: 0555
- - source: rabbitmq_entrypoint
- target: /custom-entrypoint.sh
+ - source: rabbitmq_config
+ target: /etc/rabbitmq/rabbitmq.conf
 mode: 0555
 secrets:
 - rabbitmq_password
@@ -134,6 +133,8 @@ services:
 target: /healthcheck.sh
 mode: 0555
 entrypoint: /custom-entrypoint.sh
+ environment:
+ REDIS_PASSWORD_FILE: "/run/secrets/redis_password"
 secrets:
 - redis_password
 command:
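Review bot: In the second hunk the new `rabbitmq_config` entry mounts a file that, once rendered, contains the broker password in clear text, yet it keeps the `mode: 0555` that suited the old entrypoint script, so every account inside the container can read (and execute) `/etc/rabbitmq/rabbitmq.conf`. A credential-bearing config should be readable by the rabbitmq account only, e.g. `mode: 0440` plus `uid`/`gid` set to that account (placeholder: `uid: "<rabbitmq-uid>"`); a root-only mode would not do, because the image entrypoint re-execs as the rabbitmq user, as the copy deleted later in this patch shows. The same hunk keeps `RABBITMQ_DEFAULT_USER: "zulip"` in `environment` while `default_user` is now also set in the conf file, so the user name is defined in two places that can drift; I'd keep only the conf-file one. The `rabbitmq` service definition starts before and continues after this hunk.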
@@ -186,9 +187,10 @@ configs:
 rabbitmq_healthcheck:
 name: ${STACK_NAME}_rabbitmq_healthcheck_${RABBIT_HEALTHCHECK_VERSION}
 file: healthcheck.rabbitmq.sh
- rabbitmq_entrypoint:
- name: ${STACK_NAME}_rabbitmq_entrypoint_${RABBIT_ENTRYPOINT_VERSION}
- file: entrypoint.rabbitmq.sh.tmpl
+ rabbitmq_config:
+ name: ${STACK_NAME}_rabbitmq_config_${RABBIT_CONFIG_VERSION}
+ file: rabbitmq.conf.tmpl
+ template_driver: golang
 redis_healthcheck:
 name: ${STACK_NAME}_redis_healthcheck_${REDIS_HEALTHCHECK_VERSION}
 file: healthcheck.redis.sh
diff --git a/entrypoint.rabbitmq.sh.tmpl b/entrypoint.rabbitmq.sh.tmpl
deleted file mode 100644
index 38fdcfd..0000000
--- a/entrypoint.rabbitmq.sh.tmpl
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
-
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
-
- local val="$def"
-
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(<"${!fileVar}")"
- fi
-
- export "$var"="$val"
- unset "$fileVar"
-}
-
-file_env "RABBITMQ_DEFAULT_PASS"
-
-set -euo pipefail
-
-# allow the container to be started with `--user`
-if [[ "$1" == rabbitmq* ]] && [ "$(id -u)" = '0' ]; then
- if [ "$1" = 'rabbitmq-server' ]; then
- find /var/lib/rabbitmq \! -user rabbitmq -exec chown rabbitmq '{}' +
- fi
-
- exec gosu rabbitmq "$BASH_SOURCE" "$@"
-fi
-
-deprecatedEnvVars=(
- RABBITMQ_DEFAULT_PASS_FILE
- RABBITMQ_DEFAULT_USER_FILE
- RABBITMQ_MANAGEMENT_SSL_CACERTFILE
- RABBITMQ_MANAGEMENT_SSL_CERTFILE
- RABBITMQ_MANAGEMENT_SSL_DEPTH
- RABBITMQ_MANAGEMENT_SSL_FAIL_IF_NO_PEER_CERT
- RABBITMQ_MANAGEMENT_SSL_KEYFILE
- RABBITMQ_MANAGEMENT_SSL_VERIFY
- RABBITMQ_SSL_CACERTFILE
- RABBITMQ_SSL_CERTFILE
- RABBITMQ_SSL_DEPTH
- RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT
- RABBITMQ_SSL_KEYFILE
- RABBITMQ_SSL_VERIFY
- RABBITMQ_VM_MEMORY_HIGH_WATERMARK
-)
-hasOldEnv=
-for old in "${deprecatedEnvVars[@]}"; do
- if [ -n "${!old:-}" ]; then
- echo >&2 "error: $old is set but deprecated"
- hasOldEnv=1
- fi
-done
-if [ -n "$hasOldEnv" ]; then
- echo >&2 'error: deprecated environment variables detected'
- echo >&2
- echo >&2 'Please use a configuration file instead; visit https://www.rabbitmq.com/configure.html to learn more'
- echo >&2
- exit 1
-fi
-
-# if long and short hostnames are not the same, use long hostnames
-if [ -z "${RABBITMQ_USE_LONGNAME:-}" ] && [ "$(hostname)" != "$(hostname -s)" ]; then
- : "${RABBITMQ_USE_LONGNAME:=true}"
-fi
-
-exec "$@"
diff --git a/rabbitmq.conf.tmpl b/rabbitmq.conf.tmpl
new file mode 100644
index 0000000..01187a3
--- /dev/null
+++ b/rabbitmq.conf.tmpl
@@ -0,0 +1,2 @@
+default_user = zulip
+default_pass = '{{ secret "rabbitmq_password"}}'
\ No newline at end of file
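Review bot: The single quotes around the secret on the `default_pass` line look wrong: rabbitmq.conf is a plain `key = value` format and, as far as I know, does not strip quoting, so the broker account would be created with a password wrapped in literal `'` characters while Zulip reads the bare secret file, and the two would never match. I'd write `default_pass = {{ secret "rabbitmq_password" }}` and confirm against a fresh deploy, and also make sure the secret is stored without a trailing newline, since the rendered value would otherwise spill onto a second line. Two things deserve a header comment in this file: `# rendered on the node by the golang template driver; as I understand it the secret value never enters the swarm config store`, and — if my memory of RabbitMQ is right — that `default_user`/`default_pass` only take effect when the node boots with an empty database, so an existing data volume keeps whatever credentials it was initialised with.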