search

bagetter / BaGetter

A lightweight NuGet and symbol server
https://www.bagetter.com
MIT License
167 stars 39 forks source link

Allow the use of secret files for configuration #41

Closed GotenXiao closed 5 months ago

GotenXiao commented 5 months ago

(The below is also being prepared for inclusion in the documentation for bagetter.github.io.)

Secret files

Mostly useful when running containerised (e.g. using Docker, Podman, Kubernetes, etc), the application will look for files named in the same pattern as environment variables under /run/secrets, or under the secrets subfolder of the path set by BAGET_CONFIG_ROOT - for example, if BAGET_CONFIG_ROOT=/etc/baget:

/etc/baget/secrets/Database__ConnectionString
/run/secrets/Database__ConnectionString

If BAGET_CONFIG_ROOT is unset, only the /run/secrets path will be used. Currently, the load order is such that values in /run/secrets will supersede those in /etc/baget/secrets.

This allows for sensitive values to be provided individually to the application, typically by bind-mounting files. With a Docker Compose example:

version: '2'

services:
  bagetter:
    image: bagetter/bagetter:latest
    volumes:
      # Single file mounted for API key
      - ./secrets/api-key.txt:/run/secrets/ApiKey:ro
      - ./data:/srv/baget
    environment:
      - Database__ConnectionString=Data Source=/srv/baget/bagetter.db
      - Database__Type=Sqlite
      - Mirror__Enabled=false
      - Storage__Type=FileSystem
      - Storage__Path=/srv/baget/packages

Upstream documentation for secrets:

seriouz commented 5 months ago

Thanks for submitting this, great idea to load Docker Secrets!

I can't wrap my head around why reading a static folder $BAGET_CONFIG_ROOT/secrets for secrets is a good idea. In my opinion /run/secrets would be enough. Another idea would be to pass-in a list of folders with secrets; but how useful this is idk.

GotenXiao commented 5 months ago

Given that BAGET_CONFIG_ROOT exists for the purpose of allowing file-based configuration from a custom path, anyone already using it could conceivably benefit from being able to add secret configuration via a subfolder with more constrained permissions (similar to OpenSSL's /etc/ssl and /etc/ssl/private; the latter is usually mode 0700 on *NIX systems).

For my use case, and probably most other users', the /run/secrets path would likely be sufficient.

seriouz commented 5 months ago

Okay, then i would suggest, that we go with only /run/secrets initially (to solve your problem).