manage pg password using docker secrets

- manage pg password using docker secrets - add POSTGRES_PASSWORD_FILE variable support - update doc - remove duplicate print
intuitem · Oct 22, 2023 · c393383 · c393383
1 parent 2e34599
commit c393383
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -12,3 +12,4 @@ ciso_assistant/build.json
 db/django_secret_key
 db/attachments/
 db/data/
+db/pg_password.txt
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ To install gettext and pango, do `sudo apt update && sudo apt install gettext li
 
 ### Quick start 🚀
 
-There are two methods to run CISO locally: using Python or using Docker.
+There are three methods to run CISO locally: using Python, using Docker or using docker-compose.
 
 By default, Django secret key is generated randomly at each start of Mira. This is convenient for quick test, but not recommended for production, as it can break the sessions (see this [topic](https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key) for more information). To set a fixed secret key, use the environment variable DJANGO_SECRET_KEY.
 
@@ -149,7 +149,7 @@ When asked for, enter your email and password for your superuser.
 
 You can then reach CISO Assistant using your web brower at [http://127.0.0.1:8000/](http://127.0.0.1:8000/)
 
-For following executions, use "docker-compose up" directly.
+For the following executions, use "docker-compose up" directly.
 
 ### How to set up CISO Assistant for development? ✍️
 
@@ -182,15 +182,16 @@ export EMAIL_HOST=localhost
 export EMAIL_PORT=1025
 
 ```
-> As said in the quickstart section, CISO generates a random Django secret key if not specified. To avoid broken sessions, it is preferable to set a fixed random value using the DJANGO_SECRET_KEY environment variable.
+> As said in the quickstart section, CISO Assistant generates a random Django secret key if not specified. To avoid broken sessions, it is preferable to set a fixed random value using the DJANGO_SECRET_KEY environment variable.
 
 **Optional variables**
 
 ```sh
-# CISO will use SQLite by default, but you can setup PostgreSQL by declaring these variables
+# CISO Assistant will use SQLite by default, but you can setup PostgreSQL by declaring these variables
 export POSTGRES_NAME=ciso-assistant
 export POSTGRES_USER=ciso-assistantuser
 export POSTGRES_PASSWORD=<XXX>
+export POSTGRES_PASSWORD_FILE=<XXX>  # alternative way to specify password
 export DB_HOST=localhost
 export DB_PORT=5432  # optional, default value is 5432
 

diff --git a/ciso_assistant/settings.py b/ciso_assistant/settings.py
@@ -238,6 +238,9 @@
 
 if 'POSTGRES_NAME' in os.environ:
     print("Postgresql database engine")
+    fp = os.environ.get('POSTGRES_PASSWORD_FILE')
+    if fp:
+        os.environ['POSTGRES_PASSWORD'] = Path(fp).read_text().strip()
     DATABASES = {
         'default': {
             'ENGINE': 'django.db.backends.postgresql_psycopg2',
@@ -248,7 +251,6 @@
             'PORT': os.environ.get('DB_PORT', '5432'),
         }
     }
-    print("Postgresql database engine")
 else:
     print("sqlite database engine")
     DATABASES = {

diff --git a/docker-compose-pg.sh b/docker-compose-pg.sh
@@ -4,7 +4,8 @@ if [ -d db/data ] ; then
     echo "the database seems already created"
     echo "you should launch docker-compose up -d"
 else
-    POSTGRES_PASSWORD=`uuidgen` docker-compose up -d
+    uuidgen > ./db/pg_password.txt
+    docker-compose up -d
     echo "initialize your superuser account..."
     docker-compose exec ciso-assistant python manage.py createsuperuser
     echo "for successive runs you can now use docker compose up"

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -14,7 +14,7 @@ services:
         CISO_URL: http://127.0.0.1:8000
         POSTGRES_NAME: postgres
         POSTGRES_USER: postgres
-        POSTGRES_PASSWORD: $POSTGRES_PASSWORD
+        POSTGRES_PASSWORD_FILE: /run/secrets/pg_password
 #        CISO_SUPERUSER_EMAIL: [email protected]
         EMAIL_HOST: your.mail.server
         EMAIL_PORT: 1025
@@ -26,17 +26,24 @@ services:
         DB_HOST: ciso-postgres
       volumes:
         - ./db:/code/db
+      secrets:
+        - pg_password
 
     postgres:
       image: postgres
       container_name: "ciso-postgres"
       restart: always
       environment:
-        POSTGRES_PASSWORD: $POSTGRES_PASSWORD
+        POSTGRES_PASSWORD_FILE: /run/secrets/pg_password
       volumes:
         - ./db/data:/var/lib/postgresql/data
       healthcheck:
         test: ["CMD-SHELL", "pg_isready -U postgres"]
         interval: 5s
         timeout: 5s
         retries: 5
+      secrets:
+        - pg_password
+secrets:
+   pg_password:
+     file: ./db/pg_password.txt