Support setting secret via file instead of environment variable

[PaulSD]

In general, environment variables are NOT a safe way to pass sensitive values. Environment variables are often visible to all processes on the container host, and they may be written to output or logs in some cases. For security, files (either bind-mounted or copied from the host) should always be used instead of environment variables to pass sensitive values.

[PaulSD]

Note that the 'openproject' Docker image also improperly uses environment variables for several sensitive values by default. However, for that image (unlike this image without this PR) it is possible to override the default behavior and pass in sensitive values using files without modifying the existing Docker image:

• For the database password:
  Create a file containing db:5432:*:<user>:<password> (substitute actual values for <user> and <password>) and mount it at /home/app/.pgpass, then remove the password from the DATABASE_URL environment variable (but keep the username in the URL).
• For the Rails secret_key_base value:
  (This value is critical for security in production environments, and is mentioned in the OpenProject Manual and all-in-one Docker install instructions but is missing from the Docker Compose example config and instructions.)
  Create a file containing Rails.application.config.secret_key_base = '<random value>' (substitute an actual value for <random value>) and mount it at /app/config/initializers/secret_key_base.rb.
• For the Hocuspocus secret:
  Create a file containing OpenProject::Configuration[:collaborative_editing_hocuspocus_secret] = '<random value>' (substitute an actual value for <random value>) and mount it at /app/config/initializers/hocuspocus_secret.rb.

[brunopagno]

Hey, thanks a lot for the contribution. The solution looks good to me. Only two small details: I suggested a fix on the code. And we need at least to mention the env variable on the README.

Let me know if you'd like to handle that. Otherwise I can take it over.

🙇

[brunopagno]

Small fix, but since we're importin readFileSync we don't need to prefix the function call with the fs. on line 8

Suggested change

	const SECRET = (
	process.env.SECRET_FILE
	? fs.readFileSync(process.env.SECRET_FILE, { encoding: 'utf8', flag: 'r' })
	: process.env.SECRET
	);
	const SECRET = (
	process.env.SECRET_FILE
	? readFileSync(process.env.SECRET_FILE, { encoding: 'utf8', flag: 'r' })
	: process.env.SECRET
	);

[oliverguenther]

Once that's merged, could you please add this option to the documentation at https://github.com/opf/helm-charts/blob/main/charts/openproject/README.md, so that we inform users about their choices?

[akabiru]

Hello @PaulSD , if it's not too much trouble- please raise the PR against the core OpenProject core repo- as we have merged this repo on there. https://github.com/opf/openproject/tree/dev/extensions/op-blocknote-hocuspocus

#56

I created a work package to track this work: https://community.openproject.org/wp/72250