Refactor postgres password to use docker secrets

2024-09-11 15:21:58 +02:00
parent 69b6f50b4b
commit d44fcefe13
3 changed files with 38 additions and 5 deletions
--- a/.env.sample
+++ b/.env.sample
@ -7,6 +7,8 @@ DOMAIN=bigbluebutton.example.com

 LETS_ENCRYPT_ENV=production

+SECRET_POSTGRES_PASSWORD_VERSION=v1
+
 # ====================================
 # ADDITIONS to BigBlueButton
 # ====================================
--- a/compose.yml
+++ b/compose.yml
@ -359,7 +359,8 @@ services:
      - postgres
      - redis
    environment:
-      DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight-v3 # how to add docker secret here?
+      # DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight-v3
+      # DATABASE_URL is being set by entrypoint-greenlight.sh
      REDIS_URL: redis://redis:6379
      BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api
      BIGBLUEBUTTON_SECRET: /run/secret/shared_secret # can this use docker secrets?
@ -367,6 +368,13 @@ services:
      RELATIVE_URL_ROOT: /
    volumes:
       - greenlight_data:/usr/src/app/storage
+    configs:
+       - source: abra_entrypoint_greenlight
+         target: /entrypoint-greenlight.sh
+         mode: 0555
+    secrets: 
+       - postgres_password
+    entrypoint: /entrypoint-greenlight.sh
    networks:
      bbb-net:
        ipv4_address: 10.7.7.21
@ -385,7 +393,7 @@ services:
    environment:
      POSTGRES_DB: greenlight-v3
      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD_FILE: /run/secret/postgresql_secret
+      POSTGRES_PASSWORD_FILE: /run/secret/postgres_password
    #healthcheck:
      #test: ["CMD-SHELL", "pg_isready -U postgres"]
      #interval: 10s
@ -393,6 +401,8 @@ services:
      #retries: 5
    volumes:
      - "postgres_data:/var/lib/postgresql/data"
+    secrets:
+      - postgres_password
    networks:
      bbb-net:
        ipv4_address: 10.7.7.22
@ -412,7 +422,9 @@ volumes:
 configs:
  turnserver_conf:
    name: ${STACK_NAME}_turnserver_conf_${TURNSERVER_CONF_VERSION}
-
+  abra_entrypoint_greenlight:
+    name: ${STACK_NAME}_entrypoint_greenlight_${ENTRYPOINT_GREENLIGHT_VERSION}
+    file: ./entrypoint-greenlight.sh

 secrets:
  shared_secret:
@ -424,9 +436,9 @@ secrets:
  rails_secret:
    external: true
    name: ${STACK_NAME}_rails_secret_${RAILS_SECRET_VERSION}
-  postgresql_secret:
+  postgres_password:
    external: true
-    name: ${STACK_NAME}_postgresql_secret_${POSTGRESQL_SECRET_VERSION}
+    name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
  fsesl_password:
    external: true
    name: ${STACK_NAME}_fsesl_password_${FSESL_PASSWORD_VERSION}
--- a/entrypoint-greenlight.sh
+++ b/entrypoint-greenlight.sh
@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+if test -f "/run/secrets/postgres_password"; then
+    pwd=`cat /run/secrets/postgres_password`
+    if [ -z $pwd ]; then
+        echo >&2 "error: /run/secrets/postgres_password is empty"
+        exit 1
+    fi
+    echo "entrypoint-greenlight.sh setting DATABASE_URL"
+    export "DATABASE_URL"="postgres://postgres:${pwd}@postgres:5432/greenlight-v3"
+    unset "pwd"
+else
+    echo >&2 "error: /run/secrets/postgres_password does not exist"
+    exit 1
+fi
+
+# https://github.com/bigbluebutton/greenlight/blob/master/dockerfiles/v3/alpine
+./bin/start