use recommended script to expose secrets

compose.yml

@@ -22,6 +22,12 @@ services:
       SETTING_REDIS_HOST: "redis"
       SETTING_EXTERNAL_HOST: ${DOMAIN}
       ZULIP_AUTH_BACKENDS: "EmailAuthBackend"
+      SECRETS_postgres_password: "/run/secrets/db_password"
+      SECRETS_memcached_password: "/run/secrets/memcached_password"
+      SECRETS_redis_password: "/run/secrets/redis_password"
+      SECRETS_rabbitmq_password: "/run/secrets/rabbitmq_password"
+      SECRETS_email_password: "/run/secrets/smtp_password"
+      SECRETS_secret_key: "/run/secrets/zulip_secret"
     secrets:
       - zulip_secret
       - smtp_password
@@ -98,6 +104,7 @@ services:
     image: "rabbitmq:4.0.6"
     environment:
       RABBITMQ_DEFAULT_USER: "zulip"
+      RABBITMQ_DEFAULT_PASS_FILE: "/run/secrets/rabbitmq_password"
     configs:
       - source: rabbitmq_healthcheck
         target: /healthcheck.sh
@@ -109,6 +116,11 @@ services:
       - rabbitmq_password
     volumes:
       - "rabbitmq:/var/lib/rabbitmq:rw"
+    healthcheck:
+      test: [ "CMD-SHELL", "/healthcheck.sh" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
     networks:
       - internal
 

entrypoint.memcached.sh.tmpl

@@ -3,7 +3,7 @@
 set -e
 
 if [ -f /run/secrets/memcached_password ]; then
-  export MEMCACHED_PASSWORD=$(cat /run/secrets/memcached_password)
+  export "MEMCACHED_PASSWORD=$(cat /run/secrets/memcached_password)"
 else
   echo "memcached_password not found, skipping."
 fi

entrypoint.rabbitmq.sh.tmpl

@@ -1,10 +1,30 @@
 #!/usr/bin/env bash
 
-if [ -f /run/secrets/rabbitmq_password ]; then
+set -e
-  export RABBITMQ_DEFAULT_PASS=$(cat /run/secrets/rabbitmq_password)
+
-else
+file_env() {
-  echo "rabbitmq_password not found, skipping."
+	local var="$1"
-fi
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+
+	local val="$def"
+
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(<"${!fileVar}")"
+	fi
+
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+file_env "RABBITMQ_DEFAULT_PASS"
 
 set -euo pipefail
 

entrypoint.redis.sh.tmpl

@@ -1,12 +1,30 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 
-if [ -f /run/secrets/redis_password ]; then
+file_env() {
-  export REDIS_PASSWORD=$(cat /run/secrets/redis_password)
+   local var="$1"
-else
+   local fileVar="${var}_FILE"
-  echo "redis_password not found, skipping."
+   local def="${2:-}"
-fi
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+
+   local val="$def"
+
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi
+
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+file_env "REDIS_PASSWORD"
 
 
 # first arg is `-f` or `--some-option`

entrypoint.sh.tmpl

@@ -7,41 +7,35 @@ fi
 set -e
 shopt -s extglob
 
-if [ -f /run/secrets/db_password ]; then
-  export SECRETS_postgres_password=$(cat /run/secrets/db_password)
-else
-  echo "db_password not found, skipping."
-fi
 
-if [ -f /run/secrets/memcached_password ]; then
+file_env() {
-  export SECRETS_memcached_password=$(cat /run/secrets/memcached_password)
+   local var="$1"
-else
+   local fileVar="${var}_FILE"
-  echo "memcached_password not found, skipping."
+   local def="${2:-}"
-fi
 
-if [ -f /run/secrets/redis_password ]; then
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-  export SECRETS_redis_password=$(cat /run/secrets/redis_password)
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-else
+      exit 1
-  echo "redis_password not found, skipping."
+   fi
-fi
 
-if [ -f /run/secrets/rabbitmq_password ]; then
+   local val="$def"
-  export SECRETS_rabbitmq_password=$(cat /run/secrets/rabbitmq_password)
-else
-  echo "rabbitmq_password not found, skipping."
-fi
 
-if [ -f /run/secrets/smtp_password ]; then
+   if [ "${!var:-}" ]; then
-  export SECRETS_email_password=$(cat /run/secrets/smtp_password)
+      val="${!var}"
-else
+   elif [ "${!fileVar:-}" ]; then
-  echo "smtp_password not found, skipping."
+      val="$(< "${!fileVar}")"
-fi
+   fi
 
-if [ -f /run/secrets/zulip_secret ]; then
+   export "$var"="$val"
-  export SECRETS_secret_key=$(cat /run/secrets/zulip_secret)
+   unset "$fileVar"
-else
+}
-  echo "zulip_secret not found, skipping."
+
-fi
+file_env "SECRETS_postgres_password"
+file_env "SECRETS_memcached_password"
+file_env "SECRETS_redis_password"
+file_env "SECRETS_rabbitmq_password"
+file_env "SECRETS_email_password"
+file_env "SECRETS_secret_key"
 
 # DB aka Database
 DB_HOST="${DB_HOST:-127.0.0.1}"