Add support for local secrets #227

Merged
merged 11 commits into from
Jul 2, 2024
5 changes: 5 additions & 0 deletions .gitignore
Expand Up @@ -5,3 +5,8 @@
# IDE-specific files
.vscode/*
.idea

# This file is used in local development to pass an /app/.env
# file to the container, for secrets. It should not be committed
# to the repo because tests and CI/CD will not have an .env file.
docker-compose.override.yml
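
Review bot: `app/.env`, the file that will actually hold the secrets, is not ignored by anything in this hunk; only `docker-compose.override.yml` is added. If an `.env` pattern is not already present in a part of `.gitignore` that is not shown here, add `app/.env` next to this entry so the secrets file cannot be committed by accident.
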
Contributor

So, I wonder if the real issue here is where we keep the docker-compose file. Would there be any issue moving it to the app folder itself?

That's what we did on the simpler grants gov repo (this api folder is the equivalent of app): https://github.com/navapbc/simpler-grants-gov/tree/main/api

We do have a top-level docker-compose but just for the purposes of spinning up both the frontend and API together.

Contributor

I'm open to that

Contributor Author

I agree that inside the app folder seems more appropriate to me.

4 changes: 4 additions & 0 deletions app/local.env
Expand Up @@ -63,8 +63,12 @@ HIDE_SQL_PARAMETER_LOGS=TRUE
# add them to this file to avoid mistakenly
# committing them. Set these in your shell
# by doing `export AWS_ACCESS_KEY_ID=whatever`
# if you are running the app directly, or
# in your `app/.env` if you are running the
# app in a Docker container
Comment on lines +66 to +68
Contributor

Threading arbitrarily - we might also need a change to the load_local_env_vars method which handles getting the local.env file into your env vars when you run outside of docker. Right now that automatically gets called for unit tests in the conftest file:

https://github.com/navapbc/template-application-flask/blob/main/app/tests/conftest.py#L21

I think if we just adjusted load_local_env_vars to do "if .env exists, load it before the local.env file" bit - then it would work.

Contributor

Alternatively - we could get rid of load_local_env_vars entirely and more accurately document how to do that properly when running outside of docker. Maybe I'll take that on next week.

AWS_ACCESS_KEY_ID=DO_NOT_SET_HERE
AWS_SECRET_ACCESS_KEY=DO_NOT_SET_HERE

# These next two are commented out as we
# don't have configuration for individuals
# to use these at the moment and boto3
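
Review bot: The added comment lines send Docker users to `app/.env` without saying that, as this PR sets it up, the file is only passed to the container once `docker-compose.override.yml` exists. A developer who creates `app/.env` alone would still run with the `DO_NOT_SET_HERE` placeholders below as the container's AWS credentials. Suggest naming the override file in the comment (copied from `docker-compose.override.yml.example`) or pointing to the "Configure local secrets" section of the getting-started doc.
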
8 changes: 8 additions & 0 deletions docker-compose.override.yml.example
@@ -0,0 +1,8 @@
version: '3'

services:

main-app:
env_file:
- ./app/local.env
- ./app/.env
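
Review bot: The order of the two `env_file` entries is what makes the secrets take effect, and the file does not say so. Compose reads the list top to bottom and a later file's value replaces an earlier one, so `./app/.env` has to stay after `./app/local.env` for real keys to replace the `DO_NOT_SET_HERE` placeholders. A one-line comment above the list stating that would keep a later reorder from silently breaking it. Compose also fails to start when a listed env file is missing, so the `touch app/.env` step in the docs is required once the override is in place, which is worth noting here as well.
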
Contributor

I'm curious if we want to name the override env file something like override.env to make it clear on the behavior.

9 changes: 9 additions & 0 deletions docs/app/getting-started.md
Expand Up @@ -33,6 +33,15 @@ A very simple [docker-compose.yml](/docker-compose.yml) has been included to sup
6. Run `make run-logs` to see the logs of the running API container
7. Run `make stop` when you are done to delete the container.

## (Optional) Configure local secrets

If you need to pass secrets to the application via environment variables, copy the provided [/docker-compose.override.yml.example](/docker-compose.override.yml.example) to /docker-compose.override.yml. Then create an `/app/.env` file with your secrets. The override will pass this file to the Docker container with your application.

```bash
cp docker-compose.override.yml.example docker-compose.override.yml
touch app/.env
```

## Next steps

Now that you're up and running, read the [application docs](README.md) to familiarize yourself with the application.
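
Review bot: The new section's steps end at `touch app/.env` with no check that the file stays out of version control and no hint at its format. Suggest adding that entries are `KEY=value` lines (for example the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` names from `app/local.env`), that the file must not be committed, and a quick `git check-ignore app/.env` to confirm it. The prose also writes the paths with a leading slash (`/app/.env`, `/docker-compose.override.yml`) while the commands use repo-relative paths; using the relative form in both places avoids reading them as absolute paths.
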