Closed GotenXiao closed 5 months ago
Thanks for submitting this, great idea to load Docker Secrets!
I can't wrap my head around why reading a static folder $BAGET_CONFIG_ROOT/secrets for secrets is a good idea. In my opinion /run/secrets would be enough. Another idea would be to pass-in a list of folders with secrets; but how useful this is idk.
Given that BAGET_CONFIG_ROOT exists for the purpose of allowing file-based configuration from a custom path, anyone already using it could conceivably benefit from being able to add secret configuration via a subfolder with more constrained permissions (similar to OpenSSL's /etc/ssl and /etc/ssl/private; the latter is usually mode 0700 on *NIX systems).
For my use case, and probably most other users', the /run/secrets path would likely be sufficient.
Okay, then I would suggest that we go with only /run/secrets initially (to solve your problem).
(The below is also being prepared for inclusion in the documentation for bagetter.github.io.)
Secret files
Mostly useful when running containerised (e.g. using Docker, Podman, Kubernetes, etc), the application will look for files named in the same pattern as environment variables under /run/secrets, or under the secrets subfolder of the path set by BAGET_CONFIG_ROOT - for example, if BAGET_CONFIG_ROOT=/etc/baget:
If BAGET_CONFIG_ROOT is unset, only the /run/secrets path will be used. Currently, the load order is such that values in /run/secrets will supersede those in /etc/baget/secrets.
This allows for sensitive values to be provided individually to the application, typically by bind-mounting files. With a Docker Compose example:
Upstream documentation for secrets:
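
An added sketch, not part of this pull request or of BaGetter's code, that mirrors the lookup order described above so an operator can preview which secret file wins and whether the BAGET_CONFIG_ROOT secrets subfolder is owner-only. The file names, sample values, temporary paths and the trailing-newline trimming are assumptions made for the illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

def secret_dirs(env, run_secrets="/run/secrets"):
    """Secret directories in load order; later entries supersede earlier ones."""
    root = env.get("BAGET_CONFIG_ROOT")
    dirs = [Path(root) / "secrets"] if root else []
    return dirs + [Path(run_secrets)]

def resolve_secrets(env, run_secrets="/run/secrets"):
    """Return ({file name: (value, winning directory)}, permission warnings)."""
    resolved, warnings = {}, []
    for d in secret_dirs(env, run_secrets):
        if not d.is_dir():
            continue
        # Only the config-root subfolder is expected to be owner-only (0700);
        # the container runtime manages /run/secrets itself.
        if d != Path(run_secrets) and stat.S_IMODE(d.stat().st_mode) & 0o077:
            warnings.append(f"{d} is accessible to group/other")
        for f in sorted(d.iterdir()):
            if f.is_file():
                # Assumption: a trailing newline is not part of the value.
                resolved[f.name] = (f.read_text().rstrip("\r\n"), str(d))
    return resolved, warnings

def demo():
    """Build a constructed layout in a temp dir and resolve it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, run = Path(tmp) / "etc-baget", Path(tmp) / "run-secrets"
        (root / "secrets").mkdir(parents=True)
        run.mkdir()
        os.chmod(root / "secrets", 0o755)  # deliberately too open
        # Constructed sample names and values, not real BaGetter settings.
        (root / "secrets" / "SAMPLE_API_KEY").write_text("from-config-root\n")
        (root / "secrets" / "SAMPLE_DB_PASSWORD").write_text("only-in-root\n")
        (run / "SAMPLE_API_KEY").write_text("from-run-secrets\n")
        env = {"BAGET_CONFIG_ROOT": str(root)}
        both = resolve_secrets(env, run_secrets=str(run))
        unset = resolve_secrets({}, run_secrets=str(run))
        return both, unset, str(run)

if __name__ == "__main__":
    (resolved, warnings), _, _ = demo()
    for name, (_, source) in resolved.items():
        print(f"{name}: loaded from {source}")  # never print the value
    print(*warnings, sep="\n")
```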