Closed travisbcotton closed 7 months ago
I think this is way better than reading and writing the same config file from within the container. Password generation and management is relegated outside of the container.
Would it be worth it to separate the secrets from the actual configuration? That way, if a secret manager/vault is used later on, if the configuration needs to be changed, the whole configuration file wouldn't have to be unlocked. E.g. ochami.yaml
and ochami-secrets.yaml
.
Also, I presume that instead of having SMD be the service that ingests the secret, you meant to put ochami-init
?
ugh, yes on the smd-init part. I copied the wrong stanza.
I've created a new issue (#21) in the roadmap project to make this our preferred standard. We can close this one.
Secrets can be added via ENV variables or files on the host Files on the host can be plaintext files and can be added as secrets and used by services in the compose file. Secret as a file example below
compose.yaml
This can be a complex file and the syntax and structure will be preserved.
We can use this to bring in the ochami-init config file to generate users in the various databases. Then we won't need to generate passwords every time we run the init.
Here is an example of how we might use files to bring in the
ochami-init
config fileThere shouldn't be a need to write to that config anymore. But we will still need a way to generate the initial passwords and a safe place to keep the ochami.yaml config file