[MNT] Use docker compose secrets for sensitive credentials (#50)

* update graph and API entrypoints to fetch secrets

* mention local_federation profile in README

README.md

@@ -21,7 +21,7 @@ For detailed instructions on the deployment options for Neurobagel, see the offi
 
     Ensure to edit the configuration file(s) according to your deployment.
 
-    :warning: **Note**: You **must** change the value of the `NB_API_QUERY_URL` variable in the `.env` file before you can launch any service stack that includes a query tool (i.e., `local_node_query`, `full_stack`). 
+    :warning: **Note**: You **must** change the value of the `NB_API_QUERY_URL` variable in the `.env` file before you can launch any service stack that includes a query tool (i.e., `local_node_query`, `full_stack`, `local_federation`). 
 See comments in the `.env` file for more information.
 
 3. In the repository root, start the Docker Compose stack and specify your desired deployment profile
@@ -40,8 +40,16 @@ See comments in the `.env` file for more information.
     docker compose --profile local_node_query up -d
     ```
 
-    **To set up a local node and local federation (including a graphical query tool):**
+    **To set up a local node and local federation (including a graphical query tool) all at once:**
     ```bash
     docker compose --profile full_stack up -d
     ```
+
+    **To set up federation only:**
+
+    You may want to do this if you already have local or remote node(s) set up that you now want to send federated queries to.
+    ```bash
+    docker compose --profile local_federation up -d
+    ```
+
 A log file `DEPLOY.log` will be automatically created under `scripts/logs/` with a copy of the STDOUT from the automatic deployment process.

docker-compose.yml

@@ -12,14 +12,19 @@ services:
       - "${NB_NAPI_PORT_HOST:-8000}:${NB_NAPI_PORT:-8000}"
     environment:
       NB_GRAPH_USERNAME: ${NB_GRAPH_USERNAME}
-      NB_GRAPH_PASSWORD: ${NB_GRAPH_PASSWORD}
       NB_GRAPH_ADDRESS: ${NB_GRAPH_ADDRESS:-graph}
       NB_GRAPH_PORT: ${NB_GRAPH_PORT:-7200}
       NB_GRAPH_DB: ${NB_GRAPH_DB:-repositories/my_db}
       NB_RETURN_AGG: ${NB_RETURN_AGG:-true}
       NB_API_PORT: ${NB_NAPI_PORT:-8000}
       NB_API_ALLOWED_ORIGINS: ${NB_NAPI_ALLOWED_ORIGINS}
-
+    volumes:
+      - "./scripts/api_entrypoint.sh:/usr/src/api_entrypoint.sh"
+    entrypoint:
+      - "/usr/src/api_entrypoint.sh"
+    secrets:
+      - db_user_password
+
   graph:
     image: "${NB_GRAPH_IMG:-ontotext/graphdb:10.3.1}"
     profiles:
@@ -36,15 +41,16 @@ services:
       - "${NB_GRAPH_PORT_HOST:-7200}:${NB_GRAPH_PORT:-7200}"
     environment:
       NB_GRAPH_ROOT_CONT: ${NB_GRAPH_ROOT_CONT:-/opt/graphdb/home}
-      NB_GRAPH_ADMIN_PASSWORD: ${NB_GRAPH_ADMIN_PASSWORD}
       NB_GRAPH_USERNAME: ${NB_GRAPH_USERNAME}
-      NB_GRAPH_PASSWORD: ${NB_GRAPH_PASSWORD}
       NB_GRAPH_ADDRESS: ${NB_GRAPH_ADDRESS:-graph}
       NB_GRAPH_PORT: ${NB_GRAPH_PORT:-7200}
       NB_GRAPH_DB: ${NB_GRAPH_DB:-repositories/my_db}
     entrypoint:
       - "/usr/src/neurobagel/scripts/setup.sh"
     working_dir: "/usr/src/neurobagel/scripts"
+    secrets:
+      - db_admin_password
+      - db_user_password
 
   federation:
     image: "neurobagel/federation_api:${NB_FAPI_TAG:-latest}"
@@ -77,4 +83,10 @@ services:
       - "${NB_QUERY_PORT_HOST:-3000}:5173"
     environment:
       NB_API_QUERY_URL: ${NB_API_QUERY_URL}
-      NB_IS_FEDERATION_API: "false"
+      NB_IS_FEDERATION_API: "false"
+
+secrets:
+  db_admin_password:
+    environment: "NB_GRAPH_ADMIN_PASSWORD"
+  db_user_password:
+    environment: "NB_GRAPH_PASSWORD"

scripts/api_entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+export NB_GRAPH_PASSWORD=$(cat /run/secrets/db_user_password)
+
+uvicorn app.main:app --proxy-headers --host 0.0.0.0 --port ${NB_API_PORT:-8000}

scripts/setup.sh

@@ -12,6 +12,9 @@ done
 SCRIPT_DIR=$(dirname "$0")
 mkdir -p ${SCRIPT_DIR}/logs
 
+export NB_GRAPH_ADMIN_PASSWORD=$(cat /run/secrets/db_admin_password)
+export NB_GRAPH_PASSWORD=$(cat /run/secrets/db_user_password)
+
 # Logic for main setup
 main() {
     echo "Setting up a Neurobagel graph backend..."