docker-zulip

Passphrase rotation doesn't work

Open jeaye opened this issue 5 years ago • 2 comments

According to the readme, just changing the vars within docker-compose.yaml should properly update all passphrases. Instead, the next container cluster boot ends abruptly with some unhappy services. So far, it looks like this is what's needed:

  • [ ] Secret generation should always happen (https://github.com/zulip/docker-zulip/blob/master/entrypoint.sh#L205)
  • [ ] Postgres' entrypoint needs to properly update when given a new passphrase

jeaye, Jul 23 '18 23:07

Making secret generation always run should be safe and easy; we actually do that in the non-Docker Zulip webapp upgrade script already (scripts/lib/upgrade-zulip-stage-2 in zulip/zulip), so I don't expect any issues with just changing the logic in entrypoint.sh to just always run it.

The postgres issue is actually kinda annoying; here's the upstream docker-entrypoint.sh. It just makes no attempt to do anything in the event that the database has already been created: https://github.com/docker-library/postgres/blob/eff90effc6b5578be90bef93d96b3fceb1082a7c/10/docker-entrypoint.sh

So there are two options:

  • Give instructions for how to do a docker exec into the postgres image to run psql to run the appropriate ALTER USER command.
  • Submit a PR upstream extending the postgres image to auto-change the password in its docker-entrypoint.sh, and modify Dockerfile-postgresql in zulip/zulip to copy the patched version of the file in place (so we don't need to wait for upstream to merge).

timabbott, Jul 24 '18 05:07
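
The first option in the comment above (exec into the running postgres container and issue `ALTER USER` through psql), written out as an added example; it is not code from this thread or from docker-zulip. The compose service name `database`, the role `zulip`, and the `PG_SERVICE`/`PG_ROLE` variables are assumptions; adjust them to your docker-compose.yaml.

```shell
#!/bin/sh
# Added example (not docker-zulip code): change the password of an existing
# Postgres role inside a running container, since the image's entrypoint
# ignores a changed password once the database has been created.
# Assumed names: compose service "database", role "zulip".

# Quote a value as a SQL string literal: ' becomes ''.
# Correct with standard_conforming_strings=on, the PostgreSQL default.
sql_literal() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Quote a value as a SQL identifier: " becomes "".
sql_ident() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# $1 = role name, $2 = new password; prints the statement to run.
build_alter_user() {
  printf 'ALTER USER %s WITH PASSWORD %s;\n' \
    "$(sql_ident "$1")" "$(sql_literal "$2")"
}

# $1 = compose service, $2 = role; the new password is read from stdin.
rotate_pg_password() {
  IFS= read -r newpw || true
  if [ -z "$newpw" ]; then
    echo "refusing to set an empty password" >&2
    return 1
  fi
  # The SQL is piped over stdin, so the secret never shows up in argv,
  # `ps` output or shell history. -T disables the pseudo-TTY for the pipe.
  build_alter_user "$2" "$newpw" |
    docker compose exec -T "$1" psql -U "$2" -v ON_ERROR_STOP=1 -q
}

# Runs only when asked to:  ./rotate.sh --run < new-password.txt
if [ "${1:-}" = "--run" ]; then
  rotate_pg_password "${PG_SERVICE:-database}" "${PG_ROLE:-zulip}"
fi
```

If the server has `log_statement` set to `ddl` or `all`, the statement is written to the Postgres log with the password in clear text, so check that setting before rotating this way.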

For the second option above, I just opened https://github.com/docker-library/postgres/issues/487.

timabbott, Aug 23 '18 19:08