From 429077e7eb4cec6343c987ed5a47d480dddaee1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BE=90=E5=8B=A4=E6=B0=91?= <xuqinmin@bjca.org.cn>
Date: Thu, 21 May 2026 11:27:47 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20docker=20compose=20?=
 =?UTF-8?q?=E5=8F=98=E9=87=8F=E6=9B=BF=E6=8D=A2=E5=AF=BC=E8=87=B4=20DB/Red?=
 =?UTF-8?q?is=20=E5=AF=86=E7=A0=81=E5=8F=98=E7=A9=BA=E5=AD=97=E7=AC=A6?=
 =?UTF-8?q?=E4=B8=B2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

docker compose 的 environment 块在 shell 缺少 MYSQL_PASSWORD /
REDIS_PASSWORD 时将 SPRING_DATASOURCE_PASSWORD 替换为空字符串，
此空字符串会覆盖 env_file 注入的值，导致 Spring 连接 MySQL/Redis
时使用空密码（using password: NO）。

修复：
1. deploy.sh 在 secrets.env 中额外写入 SPRING_DATASOURCE_PASSWORD
   和 SPRING_DATA_REDIS_PASSWORD，由 env_file 直接注入容器
2. docker-compose.yml 中删除这两个 environment 条目，消除覆盖风险

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 docker-compose.yml | 11 ++---------
 scripts/deploy.sh  |  3 +++
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 89ad789..056d4da 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -25,12 +25,12 @@ services:
       - ./config/tenant/bootstrap.env  # 初始租户配置
     environment:
       # 覆盖 application.yml 中硬编码的生产地址，私有化部署必须保留此块
+      # SPRING_DATASOURCE_PASSWORD / SPRING_DATA_REDIS_PASSWORD 由 secrets.env 注入，
+      # 不在此处设置，避免 compose 变量替换时因 shell 缺少变量而覆盖成空字符串
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
       SPRING_DATA_REDIS_HOST: "${REDIS_HOST}"
       SPRING_DATA_REDIS_PORT: "${REDIS_PORT:-6379}"
-      SPRING_DATA_REDIS_PASSWORD: "${REDIS_PASSWORD}"
       SPRING_DATA_REDIS_DATABASE: "${REDIS_DATABASE:-0}"
     restart: unless-stopped
 
@@ -50,10 +50,8 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
       SPRING_DATA_REDIS_HOST: "${REDIS_HOST}"
       SPRING_DATA_REDIS_PORT: "${REDIS_PORT:-6379}"
-      SPRING_DATA_REDIS_PASSWORD: "${REDIS_PASSWORD}"
       SPRING_DATA_REDIS_DATABASE: "${REDIS_DATABASE:-0}"
     volumes:
       - ./data/uploads:/data/uploads   # 上传文件持久化目录
@@ -108,10 +106,8 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
       SPRING_DATA_REDIS_HOST: "${REDIS_HOST}"
       SPRING_DATA_REDIS_PORT: "${REDIS_PORT:-6379}"
-      SPRING_DATA_REDIS_PASSWORD: "${REDIS_PASSWORD}"
       SPRING_DATA_REDIS_DATABASE: "${REDIS_DATABASE:-0}"
       TENANT_SERVICE_URL: "http://tenant-service:9001"
       PUSH_SERVICE_URL: "http://push-service:8083"
@@ -134,7 +130,6 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
     restart: unless-stopped
 
   # ---------------------------------------------------------------------------
@@ -154,7 +149,6 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
       SDK_TENANT_SERVICE_URL: "http://tenant-service:9001"
     volumes:
       - ./data/update:/data/update   # 版本包存储目录
@@ -176,5 +170,4 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
     restart: unless-stopped
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 261139a..6ca2798 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -319,6 +319,9 @@ cat > "$ROOT_DIR/config/secrets.env" <<EOF
 MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
 MYSQL_PASSWORD=${MYSQL_PASSWORD}
 REDIS_PASSWORD=${REDIS_PASSWORD}
+# Spring 直接读取的 env 名（避免 docker compose 变量替换时因 shell 缺失变量而变成空字符串）
+SPRING_DATASOURCE_PASSWORD=${MYSQL_PASSWORD}
+SPRING_DATA_REDIS_PASSWORD=${REDIS_PASSWORD}
 EOF
 chmod 600 "$ROOT_DIR/config/secrets.env"
 ok "config/secrets.env 已写入 (chmod 600)"