mealie-recipes / mealie

Mealie is a self-hosted recipe manager and meal planner with a REST API backend and a reactive frontend application built in Vue for a pleasant user experience for the whole family. Easily add recipes into your database by providing the URL, and Mealie will automatically import the relevant data, or add a family recipe with the UI editor.
https://docs.mealie.io
GNU Affero General Public License v3.0

feat: Added support for _FILE pattern in Docker Compose secrets #3781

Open andrewvaughan opened 5 days ago

andrewvaughan commented 5 days ago

What type of PR is this?

Provides backwards-compatible support for the _FILE standard for Docker Compose secrets, per the secrets documentation:

https://docs.docker.com/compose/use-secrets/

What this PR does / why we need it:

Please refer to discussion https://github.com/mealie-recipes/mealie/discussions/3773

Which issue(s) this PR fixes:

N/A - was recommended to submit a PR without an Issue by maintainers.

Special notes for your reviewer:

This also updates the documentation with best-practices and examples. This should be fully backwards-compatible with any existing Mealie install, as the method of implementation is to simply override the existing variable if a _FILE variable exists.

The documentation changes explain this in further detail.

Testing

Only the entrypoint has been modified. If you wish to test this locally in a bash environment without creating a full container, copy the added load_secrets function into a session and test the various _FILE capabilities by setting file data and running the function:

mkdir secrets
chmod 700 secrets
echo "pguser" > secrets/postgres-user
echo "pgpass" > secrets/postgres-password
POSTGRES_USER_FILE=./secrets/postgres-user
POSTGRES_PASSWORD_FILE=./secrets/postgres-password
load_secrets
echo $POSTGRES_USER
echo $POSTGRES_PASSWORD

Alternatively, here is a docker-compose configuration for your convenience in testing, from the docker folder (note: I was having permissions issues with the docker-compose.yml that already existed in the docker directory, but I presume y'all use it successfully, so this is derived from that, but not tested directly):

name: mealie-docker-secrets-test

services:

  postgres:
    container_name: "postgres"
    image: "postgres:15"
    restart: "always"

    # Must share the "backend" network with the mealie service, otherwise the
    # hostname "postgres" is not resolvable from the mealie container.
    networks:
      - "backend"

    volumes:
      - "mealie-db:/var/lib/postgresql/data"

    secrets:
      - "postgres-user"
      - "postgres-password"

    environment:
      POSTGRES_USER_FILE: "/run/secrets/postgres-user"
      POSTGRES_PASSWORD_FILE: "/run/secrets/postgres-password"

    healthcheck:
      test: ["CMD", "pg_isready"]
      interval: "30s"
      timeout: "20s"
      retries: 3

  mealie:
    container_name: "mealie"
    image: "mealie:dev"
    restart: "always"

    build:
      context: "../"
      target: "production"
      dockerfile: "./docker/Dockerfile"

    depends_on:
      - "postgres"

    networks:
      - "backend"

    ports:
      - "9091:9000"

    volumes:
      - "mealie-app:/app/data"

    secrets:
      - "postgres-user"
      - "postgres-password"

    environment:
      PUID: 1000
      PGID: 1000

      ALLOW_SIGNUP: true
      BASE_URL: "http://localhost"
      DB_ENGINE: "postgres"
      POSTGRES_SERVER: "postgres"
      POSTGRES_DB: "mealie"
      POSTGRES_USER_FILE: "/run/secrets/postgres-user"
      POSTGRES_PASSWORD_FILE: "/run/secrets/postgres-password"
      TZ: "America/New_York"

secrets:
  postgres-user:
    file: "./secrets/postgres-user"
  postgres-password:
    file: "./secrets/postgres-password"

networks:
  backend:

volumes:
  mealie-app:
  mealie-db:

If this docker-compose.yml configuration is used, make sure to run the generation of the secrets directory and associated files beforehand. This does not comprehensively test all available _FILE additions, but it should prove the concept.
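The PR's own load_secrets function is not shown in this thread. The following is an added example, not the PR's entrypoint code, of one way to implement the VAR_FILE convention described above in POSIX sh: for each name in SECRET_VARS (the list here is an assumption; the PR's list may differ), if NAME_FILE is set the file's contents replace NAME, and an unreadable file fails loudly rather than silently leaving the old value in place, which is the failure mode the permissions note below is about.

```shell
#!/bin/sh
# Added example (not the PR's own code). Implements the _FILE secret pattern:
# if NAME_FILE is set, read that file into NAME and export it, overriding any
# value NAME already had (matching the PR description's override semantics).

# Assumed list of variables that accept a _FILE variant.
SECRET_VARS="POSTGRES_USER POSTGRES_PASSWORD"

# load_secret NAME
# Returns 0 when NAME_FILE is unset (nothing to do) or the secret was loaded,
# 1 when NAME_FILE points at a file this process cannot read.
load_secret() {
    name="$1"
    file_var="${name}_FILE"
    # Indirect lookup of $NAME_FILE without bash-only ${!var} syntax.
    eval "file=\${$file_var:-}"
    [ -n "$file" ] || return 0

    if [ ! -r "$file" ]; then
        # Typical cause in a container: the secret is mounted root:root 0400
        # but the entrypoint runs as an unprivileged user.
        echo "load_secret: cannot read $file_var=$file" >&2
        return 1
    fi

    # Command substitution strips trailing newlines, so a file written with
    # 'echo "pgpass" > file' yields exactly "pgpass".
    value=$(cat "$file") || return 1
    eval "$name=\$value"
    export "$name"
}

# load_secrets: apply load_secret to every name in SECRET_VARS.
# Stops at the first unreadable file so the caller can abort startup.
load_secrets() {
    for v in $SECRET_VARS; do
        load_secret "$v" || return 1
    done
}
```

To try it in a shell session, create the secrets directory exactly as in the snippet above, set POSTGRES_USER_FILE and POSTGRES_PASSWORD_FILE, run load_secrets, and check the exit status as well as the exported values; an entrypoint would do the same and exit non-zero when load_secrets fails.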

andrewvaughan commented 5 days ago

Note - in the documentation I added a presumption that this would be available in v1.10.0. Please update as appropriate.

andrewvaughan commented 5 days ago

Hold on this - there may be a permissions issue accessing the secrets during an entrypoint script. I'm doing some more testing.