Passphrase rotation doesn't work

[jeaye]

According to the readme, just changing the vars within docker-compose.yaml should properly update all passphrases. Instead, the next container cluster boot ends abruptly with some unhappy services. So far, it looks like this is what's needed:

• Secret generation should always happen (https://github.com/zulip/docker-zulip/blob/master/entrypoint.sh#L205)
• Postgres' entrypoint needs to properly update when given a new passphrase

[timabbott]

Making secret generation always run should be safe and easy; we actually do that in the non-Docker Zulip webapp upgrade script already (scripts/lib/upgrade-zulip-stage-2 in zulip/zulip), so I don't expect any issues with just changing the logic in entrypoint.sh to just always run it.

The postgres issue is actually kinda annoying; here's the upstream docker-entrypoint.sh. It just makes no attempt to do anything in the event that the database has already been created:
https://github.com/docker-library/postgres/blob/eff90effc6b5578be90bef93d96b3fceb1082a7c/10/docker-entrypoint.sh

So there are two options:

• Give instructions for how to do a docker exec into the postgres image to run psql to run the appropriate ALTER USER command.
• Submit a PR upstream extending the postgres image to auto-change the password in its docker-entrypoint.sh, and modify Dockerfile-postgresql in zulip/zulip to copy the patched version of the file in place (so we don't need to wait for upstream to merge).

[timabbott]

For the second option above, I just opened docker-library/postgres#487.

[timabbott]

It looks like upstream closed as wontfix the feature request. Not sure there's a good option for us here, though we do extend an upstream postgres image.

[timabbott]

Probably the right answer is to add documentation on using ALTER USER to change the postgres password when changing these values.