Refactor postgres password to use docker secrets

2024-09-11 15:21:58 +02:00
parent 69b6f50b4b
commit d44fcefe13
3 changed files with 38 additions and 5 deletions
--- a/.env.sample
+++ b/.env.sample
@ -7,6 +7,8 @@ DOMAIN=bigbluebutton.example.com
 LETS_ENCRYPT_ENV=production
 SECRET_POSTGRES_PASSWORD_VERSION=v1
 # ====================================
 # ADDITIONS to BigBlueButton
 # ====================================
--- a/compose.yml
+++ b/compose.yml
@ -359,7 +359,8 @@ services:
      - postgres
      - redis
    environment:
-      DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight-v3 # how to add docker secret here?
+      # DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight-v3
      # DATABASE_URL is being set by entrypoint-greenlight.sh
      REDIS_URL: redis://redis:6379
      BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api
      BIGBLUEBUTTON_SECRET: /run/secret/shared_secret # can this use docker secrets?
@ -367,6 +368,13 @@ services:
      RELATIVE_URL_ROOT: /
    volumes:
       - greenlight_data:/usr/src/app/storage
    configs:
       - source: abra_entrypoint_greenlight
         target: /entrypoint-greenlight.sh
         mode: 0555
    secrets: 
       - postgres_password
    entrypoint: /entrypoint-greenlight.sh
    networks:
      bbb-net:
        ipv4_address: 10.7.7.21
@ -385,7 +393,7 @@ services:
    environment:
      POSTGRES_DB: greenlight-v3
      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD_FILE: /run/secret/postgresql_secret
+      POSTGRES_PASSWORD_FILE: /run/secret/postgres_password
    #healthcheck:
      #test: ["CMD-SHELL", "pg_isready -U postgres"]
      #interval: 10s
@ -393,6 +401,8 @@ services:
      #retries: 5
    volumes:
      - "postgres_data:/var/lib/postgresql/data"
    secrets:
      - postgres_password
    networks:
      bbb-net:
        ipv4_address: 10.7.7.22
@ -412,7 +422,9 @@ volumes:
 configs:
  turnserver_conf:
    name: ${STACK_NAME}_turnserver_conf_${TURNSERVER_CONF_VERSION}
-
+  abra_entrypoint_greenlight:
    name: ${STACK_NAME}_entrypoint_greenlight_${ENTRYPOINT_GREENLIGHT_VERSION}
    file: ./entrypoint-greenlight.sh
 secrets:
  shared_secret:
@ -424,9 +436,9 @@ secrets:
  rails_secret:
    external: true
    name: ${STACK_NAME}_rails_secret_${RAILS_SECRET_VERSION}
-  postgresql_secret:
+  postgres_password:
    external: true
-    name: ${STACK_NAME}_postgresql_secret_${POSTGRESQL_SECRET_VERSION}
+    name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
  fsesl_password:
    external: true
    name: ${STACK_NAME}_fsesl_password_${FSESL_PASSWORD_VERSION}
--- a/entrypoint-greenlight.sh
+++ b/entrypoint-greenlight.sh
@ -0,0 +1,19 @@
 #!/bin/sh
 set -e
 if test -f "/run/secrets/postgres_password"; then
    pwd=`cat /run/secrets/postgres_password`
    if [ -z $pwd ]; then
        echo >&2 "error: /run/secrets/postgres_password is empty"
        exit 1
    fi
    echo "entrypoint-greenlight.sh setting DATABASE_URL"
    export "DATABASE_URL"="postgres://postgres:${pwd}@postgres:5432/greenlight-v3"
    unset "pwd"
 else
    echo >&2 "error: /run/secrets/postgres_password does not exist"
    exit 1
 fi
 # https://github.com/bigbluebutton/greenlight/blob/master/dockerfiles/v3/alpine
 ./bin/start