Closed Emiliaaah closed 1 month ago
The 2 options I've thought of to implement this so far (in hindsight only really 1) are as follows:
Option 1 would be implementing them just like the Cloud integrations. This option wouldn't be viable since Infisical would need to be able to access the Portainer API, which is hosted locally and in normal circumstances not exposed to the internet.
Option 2 would be implementing them into the CLI agent. I think this would be the better option overall, since you wouldn't have the issue mentioned in option 1, and you also have more control over how your config looks using the templates. Something this enables is injecting secrets from other projects into this one (wouldn't really be needed that much if you could already share these variables server side). Here's just a rough example of what the config could look like with this implemented.
```yaml
infisical:
  address: "https://app.infisical.com"
auth:
  - type: "universal-auth"
    config:
      client-id: "./client-id"
      client-secret: "./client-secret"
      remove_client_secret_on_read: false
  - type: "portainer"
    config:
      username: "my-username"
      password: "my-super-secure-password"
sinks:
  - type: "file"
    config:
      path: "/some/path/to/store/access-token/file-name"
templates:
  # type: file would in this case be the default if none specified and would act like how the agent currently works
  - source-path: my-dot-ev-secret-template
    destination-path: /some/path/.env
  - type: portainer
    source-path: my-dot-ev-secret-template
    stack_id: 1
```
For the templates you might want to also put all the settings under "config", like what is being done for auth and sinks, instead of doing it like in my example.
Depending on where and how we intend to implement this, I wouldn't mind taking a shot at implementing this myself.
The comment above is, like I've said, only a rough sketch and in no way final, but I'd love to get some feedback on this and hopefully work this out some more, if this feature is something you find fitting for Infisical.
+1 to the proposal.
A couple of suggestions I'd like to make, as modifications to the proposal:
Feature description
It would be great if there was some way to sync secrets in Infisical to the environment variables for a docker stack and automatically deploy the stack with the new variables.
Why would it be useful?
This would make integrating Infisical a lot easier in environments using portainer to manage all docker stacks.
Additional context
Currently the best option (in my opinion) is using the Infisical agent. You can use the agent to write environment variables to a docker volume which Portainer has access to, and then reference this file in the docker compose using the `env_file` directive. When I was trying to set this up I ran into an issue though. In your docker compose files you can use environment variables passed into your compose command anywhere in your compose file, which includes referencing them in labels for a service, or basically anywhere else. Since Portainer loads in the environment variables it has stored itself, you can reference these just like normal everywhere in your compose file, unlike with my solution using the Infisical agent.
Pushing these new variables should be quite easy using the Portainer API, from my quick look through it.
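As an added example (not code from this issue, Infisical or Portainer), a small Python helper showing the push step described above: it parses the `.env` file the agent's file template renders, merges it into a stack's existing env list so variables the template omits are not wiped, and PUTs the result back. The Portainer endpoints (`/api/auth`, `/api/stacks/{id}`, `/api/stacks/{id}/file`) are assumed from the public Portainer CE API and should be checked against your version; the login credentials are passed in by the caller rather than stored inline in the config.

```python
import json
import shlex
import urllib.request


def parse_dotenv(text: str) -> dict:
    """Parse the KEY=VALUE file the agent's file template writes: skip blanks
    and '#' comments, drop 'export ', unquote values with shlex."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        env[key.strip()] = " ".join(shlex.split(value, comments=True))
    return env


def merge_stack_env(existing: list, updates: dict) -> list:
    """Merge parsed secrets into Portainer's [{"name", "value"}] env list,
    keeping variables the template omits so a partial file wipes nothing."""
    merged = {item["name"]: item["value"] for item in existing}
    merged.update(updates)
    return [{"name": k, "value": v} for k, v in sorted(merged.items())]


def push_stack_env(base_url, stack_id, endpoint_id, env, username, password):
    """Log in, merge env into the stack and PUT it back so Portainer redeploys.
    Endpoints are assumed from the public Portainer CE API; verify them."""
    def call(method, path, body=None, token=None):
        req = urllib.request.Request(base_url + path, method=method)
        req.add_header("Content-Type", "application/json")
        if token:
            req.add_header("Authorization", "Bearer " + token)
        data = json.dumps(body).encode() if body is not None else None
        with urllib.request.urlopen(req, data=data) as resp:
            return json.load(resp)

    login = {"username": username, "password": password}
    token = call("POST", "/api/auth", login)["jwt"]
    stack = call("GET", f"/api/stacks/{stack_id}", token=token)
    compose = call("GET", f"/api/stacks/{stack_id}/file", token=token)
    body = {"stackFileContent": compose["StackFileContent"], "prune": False,
            "env": merge_stack_env(stack.get("Env") or [], env),}
    return call("PUT", f"/api/stacks/{stack_id}?endpointId={endpoint_id}",
                body, token)
```

Because the PUT re-sends the compose file together with the env list, the stack is redeployed with the new values, which is the automatic deploy this issue asks for.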