From 78621bb9f31e506cf476a413a113f57aa577e5c3 Mon Sep 17 00:00:00 2001
From: Alyssa Dai <alyssa.ydai@gmail.com>
Date: Thu, 25 Apr 2024 10:04:16 -0400
Subject: [PATCH] update graph and API entrypoints to fetch secrets

---
 docker-compose.yml        | 22 +++++++++++++++++-----
 scripts/api_entrypoint.sh |  5 +++++
 scripts/setup.sh          |  3 +++
 3 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100755 scripts/api_entrypoint.sh

diff --git a/docker-compose.yml b/docker-compose.yml
index bedaf46..5ea4f1d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,14 +12,19 @@ services:
       - "${NB_NAPI_PORT_HOST:-8000}:${NB_NAPI_PORT:-8000}"
     environment:
       NB_GRAPH_USERNAME: ${NB_GRAPH_USERNAME}
-      NB_GRAPH_PASSWORD: ${NB_GRAPH_PASSWORD}
       NB_GRAPH_ADDRESS: ${NB_GRAPH_ADDRESS:-graph}
       NB_GRAPH_PORT: ${NB_GRAPH_PORT:-7200}
       NB_GRAPH_DB: ${NB_GRAPH_DB:-repositories/my_db}
       NB_RETURN_AGG: ${NB_RETURN_AGG:-true}
       NB_API_PORT: ${NB_NAPI_PORT:-8000}
       NB_API_ALLOWED_ORIGINS: ${NB_NAPI_ALLOWED_ORIGINS}
-  
+    volumes:
+      - "./scripts/api_entrypoint.sh:/usr/src/api_entrypoint.sh"
+    entrypoint:
+      - "/usr/src/api_entrypoint.sh"
+    secrets:
+      - db_user_password
+
   graph:
     image: "${NB_GRAPH_IMG:-ontotext/graphdb:10.3.1}"
     profiles:
@@ -36,15 +41,16 @@ services:
       - "${NB_GRAPH_PORT_HOST:-7200}:${NB_GRAPH_PORT:-7200}"
     environment:
       NB_GRAPH_ROOT_CONT: ${NB_GRAPH_ROOT_CONT:-/opt/graphdb/home}
-      NB_GRAPH_ADMIN_PASSWORD: ${NB_GRAPH_ADMIN_PASSWORD}
       NB_GRAPH_USERNAME: ${NB_GRAPH_USERNAME}
-      NB_GRAPH_PASSWORD: ${NB_GRAPH_PASSWORD}
       NB_GRAPH_ADDRESS: ${NB_GRAPH_ADDRESS:-graph}
       NB_GRAPH_PORT: ${NB_GRAPH_PORT:-7200}
       NB_GRAPH_DB: ${NB_GRAPH_DB:-repositories/my_db}
     entrypoint:
       - "/usr/src/neurobagel/scripts/setup.sh"
     working_dir: "/usr/src/neurobagel/scripts"
+    secrets:
+      - db_admin_password
+      - db_user_password
 
   federation:
     image: "neurobagel/federation_api:${NB_FAPI_TAG:-latest}"
@@ -77,4 +83,10 @@ services:
       - "${NB_QUERY_PORT_HOST:-3000}:5173"
     environment:
       NB_API_QUERY_URL: ${NB_API_QUERY_URL}
-      NB_IS_FEDERATION_API: "false"
\ No newline at end of file
+      NB_IS_FEDERATION_API: "false"
+
+secrets:
+  db_admin_password:
+    environment: "NB_GRAPH_ADMIN_PASSWORD"
+  db_user_password:
+    environment: "NB_GRAPH_PASSWORD"
\ No newline at end of file
diff --git a/scripts/api_entrypoint.sh b/scripts/api_entrypoint.sh
new file mode 100755
index 0000000..9c754d8
--- /dev/null
+++ b/scripts/api_entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+export NB_GRAPH_PASSWORD=$(cat /run/secrets/db_user_password)
+
+uvicorn app.main:app --proxy-headers --host 0.0.0.0 --port ${NB_API_PORT:-8000}
diff --git a/scripts/setup.sh b/scripts/setup.sh
index 5766fca..47d66cf 100755
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
@@ -12,6 +12,9 @@ done
 SCRIPT_DIR=$(dirname "$0")
 mkdir -p ${SCRIPT_DIR}/logs
 
+export NB_GRAPH_ADMIN_PASSWORD=$(cat /run/secrets/db_admin_password)
+export NB_GRAPH_PASSWORD=$(cat /run/secrets/db_user_password)
+
 # Logic for main setup
 main() {
     echo "Setting up a Neurobagel graph backend..."