Implementation of Docker Secrets for BORG Environment Variables
Related to Ticket #47 and PR #246, this is a possible implementation of Docker Secrets. It has been tested and documented. A key feature is that the use of standard environment variables within Docker commands or docker-compose.yml files is preserved, so users who do not wish to use Docker Secrets can continue to operate as before.
Functionality
The function iterates through all environment variables that begin with BORG, such as BORG_PASSPHRASE, and looks for those that end with _FILE. For each such variable, the contents of the file it points to are written to a variable whose name is the same without the _FILE suffix (BORG_PASSPHRASE_FILE therefore populates BORG_PASSPHRASE), and the _FILE variable is then unset.
[!NOTE]
This implementation prioritizes Secrets over regularly set variables.
Debugging
@grantbevis: for testing purposes, debug output has been added. To enable it, set the environment variable DEBUG_SECRETS=true.
Permissions
The script also works when the Docker-required chmod 600 permissions are set on the secret files.
borgmatic | Before: BORG_PASSPHRASE: OldSchoolEnvironment
borgmatic | Before: BORG_PASSPHRASE_FILE: /run/secrets/borg_passphrase
borgmatic | Note: BORG_PASSPHRASE was already set but is being overwritten by BORG_PASSPHRASE_FILE
borgmatic | Setting BORG_PASSPHRASE from the content of /run/secrets/borg_passphrase
borgmatic | Unsetting BORG_PASSPHRASE_FILE
borgmatic | After: BORG_PASSPHRASE: ThisIsFromTheSecretFile
borgmatic | After: BORG_PASSPHRASE_FILE:
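The resolution step behind the debug output above, written out as an added POSIX shell example; this is not the entrypoint from this PR, and the names secrets_log and load_borg_secrets are assumed here rather than taken from the project.

```shell
#!/bin/sh
# Added example, not the entrypoint from this PR: resolve BORG_*_FILE secrets
# into the matching BORG_* variables as described above. Assumes a POSIX shell;
# the function and helper names are chosen here, not taken from the project.

secrets_log() {
    # Debug output appears only when DEBUG_SECRETS=true, like the PR's switch.
    if [ "${DEBUG_SECRETS:-}" = "true" ]; then
        echo "$*" >&2
    fi
}

load_borg_secrets() {
    # Consider only exported BORG_<NAME>_FILE variables. The strict name
    # pattern keeps the eval calls below limited to plain identifiers.
    for var in $(env | awk -F= '/^BORG_[A-Z0-9_]*_FILE=/ { print $1 }'); do
        name="${var%_FILE}"
        eval "file=\$$var"
        eval "current=\${$name:-}"
        [ -n "$file" ] || continue
        secrets_log "Before: $name: $current"
        secrets_log "Before: $var: $file"
        if [ ! -r "$file" ]; then
            echo "Error: $var points to '$file', which is not readable" >&2
            return 1
        fi
        # The secret file takes priority over a directly set variable.
        if [ -n "$current" ]; then
            secrets_log "Note: $name was already set but is being overwritten by $var"
        fi
        secrets_log "Setting $name from the content of $file"
        # Command substitution strips trailing newlines, so a secret file that
        # ends with a newline does not leak that newline into the passphrase.
        value=$(cat "$file")
        export "$name=$value"
        secrets_log "Unsetting $var"
        unset "$var"
        secrets_log "After: $name: $value"
    done
    return 0
}
```

Call load_borg_secrets early in the container entrypoint, before borgmatic reads its configuration, so that any BORG_*_FILE secret is already resolved; a _FILE variable pointing at an unreadable path makes the function fail instead of silently leaving the secret unset.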
Testing
Test 1
Environment:
Result:
Test 2
Environment:
Result:
Test 3
Environment:
Result:
Test 4
Environment:
Result:
Test 5
Environment:
Result: