Use a password generator for secure passwords

[kowh-ai]

Passwords are hardcoded in the .env file which is then used by docker compose to populate environment variables used in the running containers. These passwords are therefore pretty insecure. Therefore I propose to create a process to generate random secure passwords before the local images are built and before the containers start

The following environment variables will use the passwords generated

1. POSTGRES_PASSWORD
2. CKAN_DB_PASSWORD
3. DATASTORE_READONLY_PASSWORD
4. CKAN_SYSADMIN_PASSWORD

The passwords will be housed in a newly generated file which will have it's permissions locked down to just read-only by the file owner. This file (named .pw) can then be added to both ckan and db services in the docker-compose.yml file as follows:

[pwalsh]

I originally commented in #76 (comment) but this is probably better:

If we are doing this work on random passwords, to bypass having passwords in .env files, perhaps it is worth exploring the docker solution for secrets, which works with docker compose:

https://docs.docker.com/compose/use-secrets/

[pwalsh]

@kowh-ai I looked into this a bit more based on #76 (comment)

I have not implemented this myself .... but according to what I understand from:

• https://gist.github.com/brianjbayer/966769aa0b00bb95b266827862dd511e
• Secrets using bind mounts docker/compose#4368

It does work in some manner in docker compose - not as secure as the docker swarm implementation; not less secure than using .env files.

Anyway, food for thought.