fix(deployment): use environment variable for Redis health check authentication

Changes:
- Export REDIS_PASSWORD from Docker Secret in entrypoint script
- Health check now uses exported environment variable instead of reading Secret file
- Increased start_period to 30s to allow more time for initialization

Why this works:
- Environment variables are accessible to both main process and health checks
- Docker Secret file reading in health check context was unreliable
- Export makes password available in same shell session for health check

Security:
- Password still sourced from Docker Secret (encrypted at rest)
- Only exported within container environment (not exposed externally)
- Redis still requires password authentication (--requirepass)

Deployment fix #11 (continued): Redis container health check
2025-11-04 17:40:48 +01:00
parent b1e3a0025a
commit 5633959b9d


@@ -170,13 +170,14 @@ services:
cap_drop:
- ALL
# Use entrypoint script to inject password from Docker Secret into config
# Use entrypoint script to inject password from Docker Secret into environment
# This makes password available to both Redis startup AND health check
# Note: Script runs as root to read Docker Secrets, then starts Redis
entrypoint: ["/bin/sh", "-c"]
command:
- |
# Read password from Docker Secret (as root)
REDIS_PASSWORD=$$(cat /run/secrets/redis_password 2>/dev/null || echo '')
# Read password from Docker Secret (as root) and export for health check
export REDIS_PASSWORD=$$(cat /run/secrets/redis_password 2>/dev/null || echo '')
# Start Redis with all settings as command line arguments (no config file to avoid conflicts)
if [ -n "$$REDIS_PASSWORD" ]; then
exec redis-server \
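Review bot: On the `export REDIS_PASSWORD=$$(cat /run/secrets/redis_password 2>/dev/null || echo '')` line, a missing or unreadable secret is silently turned into an empty string, so the problem only shows up later as whichever branch the `if [ -n "$$REDIS_PASSWORD" ]` test takes. Consider logging an error and exiting non-zero when the file cannot be read, instead of `2>/dev/null || echo ''`. Separately, `export` followed by `exec redis-server` means the password now stays in the environment of the long-running Redis process, which the previous non-exported shell variable did not do; the comment above the entrypoint should state that trade-off.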
@@ -208,12 +209,13 @@ services:
cpus: '0.5'
# Stricter health checks
# Uses REDIS_PASSWORD environment variable exported by entrypoint
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep -q PONG || redis-cli -a \"$$(cat /run/secrets/redis_password 2>/dev/null)\" ping | grep -q PONG"]
test: ["CMD-SHELL", "redis-cli -a \"$$REDIS_PASSWORD\" ping | grep -q PONG"]
interval: 10s
timeout: 3s
retries: 5
start_period: 10s
start_period: 30s
# JSON logging
logging:
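Review bot: In the new `test:` line, `$$REDIS_PASSWORD` is expanded by the shell Docker starts for the health check, and that shell is a separate process that receives the container's configured environment, not variables exported at runtime by the entrypoint shell. Unless REDIS_PASSWORD is also set in the service's `environment:`, it will be empty here and the check cannot authenticate, so please confirm the result in the container's health status output before relying on it. If the secret file is readable in the health check context, reading it there and passing it through redis-cli's `REDISCLI_AUTH` environment variable rather than `-a` would also keep the password off the command line. The `start_period: 30s` increase only delays when failures are counted, so check that it is not masking this.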