web: Read Postgres secret from Docker secrets

This fixes an issue where the Postgres password was not found in the
environment in Docker Swarm.

We look for a ``POSTGRES_PASSWORD_FILE``, and fallback to a hardcoded
``/run/secrets`` path if we don't find it.

Fixes: 312bf52 ("web: Add a custom data layer retrieval method")
Ref: AP-530

Author: awilfox

willa/config/__init__.py

@@ -111,7 +111,7 @@
 
 _NEEDS_ENVIRON: list[str] = ['AWS_DEFAULT_REGION', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY',
                              'LANGFUSE_HOST', 'LANGFUSE_PUBLIC_KEY', 'LANGFUSE_SECRET_KEY',
-                             'CHAINLIT_AUTH_SECRET']
+                             'CHAINLIT_AUTH_SECRET', 'POSTGRES_PASSWORD_FILE']
 """A list of configuration keys that need to be set in the environment as well."""
 
 for key in _NEEDS_ENVIRON:

willa/web/app.py

@@ -57,8 +57,16 @@ def data_layer() -> ChainlitDataLayer:
     def _pg(var: str) -> str:
         return os.environ[f'POSTGRES_{var}']
 
+    def _secret() -> str:
+        if 'POSTGRES_PASSWORD' in os.environ:
+            return os.environ['POSTGRES_PASSWORD']
+
+        with open(os.environ.get('POSTGRES_PASSWORD_FILE',
+                                 '/run/secrets/POSTGRES_PASSWORD'), 'r', encoding='utf8') as p_file:
+            return p_file.read()
+
     database_url = os.environ.get(
-        'DATABASE_URL', f"postgresql://{_pg('USER')}:{_pg('PASSWORD')}@{_pg('HOST')}/{_pg('DB')}"
+        'DATABASE_URL', f"postgresql://{_pg('USER')}:{_secret()}@{_pg('HOST')}/{_pg('DB')}"
     )
     return ChainlitDataLayer(database_url=database_url)