From 58765eb148132d38c92d7d81768bb6ec1af1aa38 Mon Sep 17 00:00:00 2001
From: Matt Fisher
Date: Thu, 21 Dec 2023 17:37:47 -0700
Subject: [PATCH] Fixup cert secret envvars, require only in prod
---
 compose.prod.yml | 7 +++++++
 compose.yml | 12 +++++-------
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/compose.prod.yml b/compose.prod.yml
index 06777562..21d6910b 100644
--- a/compose.prod.yml
+++ b/compose.prod.yml
@@ -1,3 +1,10 @@
+secrets:
+ tls-cert-file:
+ file: "${TLS_CERT_FILE:?TLS_CERT_FILE must be set}"
+ tls-key-file:
+ file: "${TLS_KEY_FILE:?TLS_KEY_FILE must be set}"
+
+
 services:
 usaon-benefit-tool:
 image: "nsidc/usaon-benefit-tool:${USAON_BENEFIT_TOOL_VERSION:?USAON_BENEFIT_TOOL_VERSION must be set}"
diff --git a/compose.yml b/compose.yml
index df1b6732..bfb15803 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,13 +1,11 @@
 secrets:
+ # HACK: the /dev/null default is because a value must be provided no matter
+ # what, but I don't want these envvars to be mandatory by default. Shouldn't
+ # need envvars to e.g. `docker compose exec` or `docker compose run`!
 tls-cert-file:
- file: "${TLS_CERT_FILE:?TLS_CERT_FILE must be set}"
- # TODO: Re-enable `external` (i.e. require pre-existence) when compose
- # supports this. When `external: true`, I get:
- # unsupported external secret ...
- # external: true
+ file: "${TLS_CERT_FILE:-/dev/null}"
 tls-key-file:
- file: "${TLS_KEY_FILE:?TLS_KEY_FILE must be set}"
- # external: true
+ file: "${TLS_KEY_FILE:-/dev/null}"
 services:
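Review bot: In the compose.yml hunk, the `:-/dev/null` defaults make a missing TLS certificate or key fail open: any invocation that does not layer compose.prod.yml on top mounts an empty file as `tls-cert-file` and `tls-key-file` instead of stopping with an error. The services that consume these secrets are outside the hunk, so it cannot be confirmed from here whether they refuse to start on an empty certificate or carry on without TLS; that startup behaviour is worth verifying. The HACK comment should also say where the requirement is re-imposed, for example `# compose.prod.yml overrides both with required (":?") values; any other deployed overlay must do the same.` Note too that the `:?` guard in the compose.prod.yml hunk only rejects an unset or empty variable, so a value such as `/dev/null` or a wrong path still passes it.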