Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Added support for _FILE pattern in Docker Compose secrets #3781

Draft
wants to merge 4 commits into
base: mealie-next
Choose a base branch
from

Conversation

andrewvaughan
Copy link

What type of PR is this?

Provides backwards-compatible support for the _FILE standard for Docker Compose secrets, per the secrets documentation:

https://docs.docker.com/compose/use-secrets/

  • documentation
  • feature

What this PR does / why we need it:

Please refer to discussion #3773

Which issue(s) this PR fixes:

N/A - was recommended to submit a PR without an Issue by maintainers.

Special notes for your reviewer:

This also updates the documentation with best-practices and examples. This should be fully backwards-compatible with any existing Mealie install, as the method of implementation is to simply override the existing variable if a _FILE variable exists.

The documentation changes explain this in further detail.

Testing

Only the entrypoint has been modified. If you wish to test this locally in a bash environment without creating a full container, copy the added load_secrets function into a session and test the various _FILE capabilities by setting file data and running the function:

mkdir secrets
chmod 700 secrets
echo "pguser" > secrets/postgres-user
echo "pgpass" > secrets/postgres-password
POSTGRES_USER_FILE=./secrets/postgres-user
POSTGRES_PASSWORD_FILE=./secrets/postgres-user
load_secrets
echo $POSTGRES_USER
echo $POSTGRES_PASSWORD

Alternatively, here is a docker-compose configuration for your convenience in testing (from the docker folder (note - I was having permissions issues with the docker-compose.yml that already existed in the docker directory, but I presume y'all use it successfully, so this is derived from that, but not tested directly):

name: mealie-docker-secrets-test

services:

  postgres:
    container_name : "postgres"
    image          : "postgres:15"
    restart        : "always"

    volumes:
      - "mealie-db:/var/lib/postgresql/data"

    secrets:
      - "postgres-user"
      - "postgres-password"
    
    environment:
      POSTGRES_PASSWORD_FILE: "/run/secrets/postgres-user"
      POSTGRES_USER_FILE: "/run/secrets/postgres-password"

    healthcheck:
      test: ["CMD", "pg_isready"]
      interval: "30s"
      timeout: "20s"
      retries: 3

  mealie:
    container_name : "mealie"
    image          : "mealie:dev"
    restart        : "always"
    
    build:
      context: "../"
      target: "production"
      dockerfile: "./docker/Dockerfile"
  
    depends_on:
      - "postgres"
  
    networks:
      - "backend"

    ports:
      - "9091:9000"
  
    volumes:
      - "mealie-app:/app/data"

    secrets:
      - "postgres-user"
      - "postgres-password"
  
    environment:
      PUID: 1000
      GUID: 1000
  
      ALLOW_SIGNUP: true
      BASE_URL: "http://localhost"
      DB_ENGINE: "postgres"
      POSTGRES_SERVER: "postgres"
      POSTGRES_DB: "mealie"
      POSTGRES_USER_FILE: "/run/secrets/postgres-user"
      POSTGRES_PASSWORD_FILE: "/run/secrets/postgres-password"
      TZ: "America/New_York"

secrets:
  postgres-user:
    file: "./secrets/postgres-user"
  postgres-password:
    file: "./secrets/postgres-password"

networks:
  backend:

volumes:
  mealie-app:
  mealie-db:

If this docker-compose.yml configuration is used, make sure to run the generation of the secrets directory and associate files, before. This does not comprehensively test all available _FILE additions, but should prove concept.

@andrewvaughan
Copy link
Author

Note - in the documentation I added a presumption that this would be available in v1.10.0. Please update as appropriate.

@andrewvaughan
Copy link
Author

Hold on this - there may be a permissions issue accessing the secrets during an entrypoint script. I'm doing some more testing.

@hay-kot hay-kot marked this pull request as draft July 25, 2024 19:52
@pparedes1
Copy link

Was this ever incorporated? Current documentation doesn't seem to make sense and this is more standard with other Docker Compose files...

Copy link
Contributor

This PR is stale because it has been open 45 days with no activity.

@github-actions github-actions bot added the stale label Oct 23, 2024
@DennisGaida
Copy link
Contributor

I tested this PR and it works. Currently missing is the new variable OIDC_CLIENT_SECRET from secret_supported_vars. There are no permission issues if the user running the docker container has access to the secrets file(s), which is the same if the secrets where read via Python instead of the entry file.

This PR makes this commit 65ece35 kind of obsolete and I would pretty much remove the things being done there. No "secrets folder" should be created by mealie, the secrets.py could should just read. It would be up for discussion whether secrets should be read in the entry.sh (as done here in this PR) or in Python.

In Python I have done it in the past like so: https://github.com/tiredofit/docker-traefik-cloudflare-companion/pull/61/files as an alternative for the entry.sh it could also be done like so: https://github.com/bropat/eufy-security-ws/pull/309/files, but it is very similar to the code in this PR.

If you want to test this PR, this is very easy - just add the "custom" entry.sh via volume mount - actually you don't need to change anything else in mealie for now (until settings.py is cleaned up) and it just works:

    volumes:
      - $DOCKERDIR/mealie/entry.sh:/app/run.sh

The secrets you need to configure like in the new documentation of course, but in short I am doing it like so: #4423

@DennisGaida
Copy link
Contributor

Merged to current version here: https://github.com/DennisGaida/mealie/tree/docker-secrets, but since this isn't my PR I can't add changes or I don't know how.

  • OIDC_CLIENT_SECRET should be added
  • backend.md needs to be merged / conflicts resolved

Besides that this is mergeable

@michael-genson
Copy link
Collaborator

@DennisGaida you should be able to fork and raise your own PR, I'm not sure if you're able to edit this one.

@github-actions github-actions bot removed the stale label Oct 25, 2024
@RMI78
Copy link

RMI78 commented Nov 17, 2024

Hi everyone, I was playing with docker secrets and I can tell the stuff in the doc is not working and provide very little information. Having a "_FILE" system in the entrypoint is pretty much the standard anyway.
I really need this feature so bad and I was wondering if there was any objection that could prevent the PR from being merged. What about that:

Hold on this - there may be a permissions issue accessing the secrets during an entrypoint script. I'm doing some more testing.

If it is only a matter of forking this branch, rebase it on top of what have been done so far and open a new PR I can make it but I don't want to steal other people's work here. @DennisGaida is it still something you are currently working on ? Did you give up ? How is it going so far ?

@DennisGaida
Copy link
Contributor

@RMI78 didnt have the time yet, but yes I would do exactly what you are proposing.

if you need this feature now, check how I override stuff with the volume mount. You can have _FILE secrets right now.

@RMI78
Copy link

RMI78 commented Dec 23, 2024

@DennisGaida I have been busy lately but now am pretty much done with the code, about to PR with updated env variable. I just want to clarify some stuff. You said something like:

If you want to test this PR, this is very easy - just add the "custom" entry.sh via volume mount - actually you don't need to change anything else in mealie for now (until settings.py is cleaned up) and it just works:

    volumes:
      - $DOCKERDIR/mealie/entry.sh:/app/run.sh

And I don't get any of this. Is it because things have drastically changed over the past months ? Why should I mount that today, where is the app.sh ? I also though about adding some values to my PR by actually getting rid of changes made in 65ece35 but I guess this is something that will be discussed with the dev in another PR

@DennisGaida
Copy link
Contributor

Is it because things have drastically changed over the past months ? Why should I mount that today, where is the app.sh ?

I don't know how things have changed after this PR was created. That is exactly what needs to be checked when raising another PR that may be merged. I also don't know about any app.sh either in the original PR or in the current repo. The current repo still has the entry.sh as entrypoint (which is represented as run.sh in the container).

Why you should mount that today: You shouldn't if done correctly (i.e. PR being merged), but you CAN mount the file from this PR directly as I proposed for testing purposes since it just works like that out of the box. This is what I have been doing. Using the entry.sh as a volume mount to override the default run.sh.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants