Add support for passing a file path as the value for DB password

[mdlinville]

Allows use of Docker secrets to store these credentials
when WordPress is run as a Docker service. If the secret
has been granted to the container, the
password will be available within the container as
an unencrypted string in /run/secrets/.

An example incantation:

docker service create --name="wordpress" \
                            --network="wp_network" \
                            --replicas="3" \
                            --publish 30000:80 \
                            --secret="mysql_password" \
                            -e WORDPRESS_DB_USER="root" \
                            -e WORDPRESS_DB_PASSWORD="/run/secrets/mysql_password"
                            -e WORDPRESS_DB_HOST="mysql:3306" \
                            wordpress

Signed-off-by: Misty Stanley-Jones [email protected]

[cyli]

This is awesome @mstanleyjones, thanks so much for getting this rolling!
Having never used wordpress before, I don't know very much about how to set it up, but looking at https://hub.docker.com/r/library/wordpress/, would it make sense to add secret support for some of the other env vars too? For instance (although I'm not sure what these do): WORDPRESS_AUTH_KEY, WORDPRESS_LOGGED_IN_KEY.

Also, do these changes also have to be made to all the docker-entrypoint.sh files in all the different php apache/fpm subdirectories? (not sure if there's some other script that will update them automatically)

[tianon]

IMO it'd be cleaner if we add _FILE versions of these environment variables so that we're being explicit that we want their contents to come from a file

I'm thinking that creating a helper to make this less error prone is likely prudent so that this could be implemented en masse across the file, something like this:

env_val() {
    local var="$1"
    local fileVar="${var}_FILE"
    local def="${2:-}"
    if [ "${!var}" -a "${!fileVar}" ]; then
        echo >&2 "error: both $var and $fileVar specified (which are exclusive)"
        exit 1
    fi
    local val
    if [ "${!var}" ]; then
        val="${!var}"
    elif [ "${!fileVar}" ]; then
        val="$(< "${!fileVar}")"
    fi
    echo "${val:-$def}"
}

# ...
: ${WORDPRESS_DB_PASSWORD:=$(env_val 'WORDPRESS_DB_PASSWORD' "$MYSQL_ENV_MYSQL_PASSWORD")}
: ${WORDPRESS_DB_NAME:=$(env_val 'WORDPRESS_DB_NAME' "${MYSQL_ENV_MYSQL_DATABASE:-wordpress}")}
# ...

Thoughts?

Or perhaps instead doing something like this at the start to simply handle the redirection right up front:

for env in \
    WORDPRESS_DB_PASSWORD \
    WORDPRESS_DB_NAME \
; do
    fileEnv="${env}_FILE"
    if [ "${!fileEnv}" ]; then
        if [ "${!env}" ]; then
            echo >&2 "error: both $env and $fileEnv specified (which are exclusive)"
            exit 1
        fi
        val="$(< "${!fileEnv}")"
        eval "export $env=\"\$val\""
    fi
done

cc @yosifkit for thoughts too (since I think whatever we do here will likely be used as a template for how to handle this elsewhere 😄)

[cyli]

👍 _FILE would definitely be more explicit.

[tianon]

@mstanleyjones would it be alright with you if @yosifkit and I carry this one from here? 🙏 😇

[mdlinville]

Absolutely, feel free to commit into the PR branch or move it to a new PR, whatever works for you.

[tianon]

Thanks @mstanleyjones! ❤️ ❤️

@yosifkit, I've updated to add a file_env helper (whose usage is simplified slightly further from the example I pasted above to hopefully help cut down on accidental mistakes) 👍

[tianon]

cc @ltangvald -- think we should add some _FILE support to mysql? 😄 👍

[cyli]

That would be awesome! A couple others that could also use the update (I think) are postgres, sentry, and mariadb. :) I am not sure if there are others as well.