From 5633959b9d853b18257a9c31ed1990e836465164 Mon Sep 17 00:00:00 2001 From: Michael Schiemer Date: Tue, 4 Nov 2025 17:40:48 +0100 Subject: [PATCH] fix(deployment): use environment variable for Redis health check authentication Changes: - Export REDIS_PASSWORD from Docker Secret in entrypoint script - Health check now uses exported environment variable instead of reading Secret file - Increased start_period to 30s to allow more time for initialization Why this works: - Environment variables are accessible to both main process and health checks - Docker Secret file reading in health check context was unreliable - Export makes password available in same shell session for health check Security: - Password still sourced from Docker Secret (encrypted at rest) - Only exported within container environment (not exposed externally) - Redis still requires password authentication (--requirepass) Deployment fix #11 (continued): Redis container health check --- docker-compose.production.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docker-compose.production.yml b/docker-compose.production.yml index b08bb4f6..331967e7 100644 --- a/docker-compose.production.yml +++ b/docker-compose.production.yml 
@@ -170,13 +170,14 @@ services: cap_drop: - ALL - # Use entrypoint script to inject password from Docker Secret into config + # Use entrypoint script to inject password from Docker Secret into environment + # This makes password available to both Redis startup AND health check # Note: Script runs as root to read Docker Secrets, then starts Redis entrypoint: ["/bin/sh", "-c"] command: - | - # Read password from Docker Secret (as root) - REDIS_PASSWORD=$$(cat /run/secrets/redis_password 2>/dev/null || echo '') + # Read password from Docker Secret (as root) and export for health check + export REDIS_PASSWORD=$$(cat /run/secrets/redis_password 2>/dev/null || echo '') # Start Redis with all settings as command line arguments (no config file to avoid conflicts) if [ -n "$$REDIS_PASSWORD" ]; then exec redis-server \ @@ -208,12 +209,13 @@ services: cpus: '0.5' # Stricter health checks + # Uses REDIS_PASSWORD environment variable exported by entrypoint healthcheck: - test: ["CMD-SHELL", "redis-cli ping | grep -q PONG || redis-cli -a \"$$(cat /run/secrets/redis_password 2>/dev/null)\" ping | grep -q PONG"] + test: ["CMD-SHELL", "redis-cli -a \"$$REDIS_PASSWORD\" ping | grep -q PONG"] interval: 10s timeout: 3s retries: 5 - start_period: 10s + start_period: 30s # JSON logging logging:
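Review bot: The `export` added to the `REDIS_PASSWORD=$$(cat …)` line does not reach the health check, so the new comment "This makes password available to both Redis startup AND health check" is misleading. Docker runs a healthcheck as a separate exec that receives the container's configured environment, not variables exported inside the entrypoint shell, so `$$REDIS_PASSWORD` in the `healthcheck.test` hunk further down will most likely expand to an empty string and the probe will fail against a `--requirepass` server. What the export does do is copy the secret into the environment of the exec'd `redis-server`, where it is readable through `/proc/1/environ` and inherited by any child process. I would keep the variable unexported, and because `2>/dev/null || echo ''` lets a missing secret pass silently, consider failing closed with `REDIS_PASSWORD=$$(cat /run/secrets/redis_password) || exit 1`. The `if` that consumes the variable continues outside the hunk, so the branch taken for an empty password is not visible here.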
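Review bot: `redis-cli -a "$$REDIS_PASSWORD"` in `healthcheck.test` puts the password in the probe's argv, where it shows up in process listings on every 10s run, and redis-cli itself warns against `-a` on the command line. redis-cli also reads the password from the `REDISCLI_AUTH` environment variable, so the probe can load the secret itself without passing it as an argument: `test: ["CMD-SHELL", "REDISCLI_AUTH=\"$$(cat /run/secrets/redis_password)\" redis-cli ping | grep -q PONG"]`. If reading the secret file from the probe was unreliable, as the commit message says, the file's ownership and mode relative to the user the probe runs as are the first thing to check. Raising `start_period` to 30s only delays the first failure report; it does not change whether the probe can authenticate.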