caddy-dns / cloudflare

Caddy module: dns.providers.cloudflare
Apache License 2.0

Source API token from file #46

Closed polarathene closed 1 year ago

polarathene commented 1 year ago

This is similar to an earlier issue, which was closed by using caddy run --envfile /path/to/secret to have Caddy treat the secret as an ENV file.

That --envfile solution does allow for run-time ENV fetching with {env.CF_API_TOKEN} to reference the ENV var only accessible from the Caddy process (and thus not leaked to anything else running within the container that can access the ENV or outside the container via commands like docker inspect). Without the env placeholder I think it embeds the ENV in the generated Caddyfile / JSON output.

This works for regular Caddy, but plugins that run with a command like caddy docker-proxy don't support that.


Would it make sense to support similar functionality to the runtime env placeholder, but instead providing the file path to read the contents of the file as a value, such as for dns cloudflare <file_path>?

This issue could be migrated further upstream if there is interest.
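The --envfile workaround described above, staged end to end as an added example (not code from the caddy-dns/cloudflare project or from the issue author): the token lives only in a 0600 env file, the Caddyfile carries just the {env.CF_API_TOKEN} placeholder, and two checks confirm that. The token value, domain and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: stage the --envfile workaround so the Cloudflare token
# never lands in the Caddyfile itself. Token, domain and paths are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ENVFILE="$WORKDIR/caddy.env"
CADDYFILE="$WORKDIR/Caddyfile"
TOKEN="cf-token-PLACEHOLDER-not-real"   # constructed sample secret

# Write the env file the Caddy process reads; umask 077 yields mode 0600,
# so other users on the host cannot read the token.
write_envfile() {
    ( umask 077; printf 'CF_API_TOKEN=%s\n' "$TOKEN" > "$ENVFILE" )
}

# The Caddyfile only references the runtime placeholder, never the literal token.
write_caddyfile() {
    cat > "$CADDYFILE" <<'EOF'
example.com {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }
    respond "ok"
}
EOF
}

# Check: succeeds only if the config has the placeholder and no literal secret.
config_has_no_secret() {
    ! grep -qF "$TOKEN" "$CADDYFILE" && grep -qF '{env.CF_API_TOKEN}' "$CADDYFILE"
}

# Check: succeeds only if the env file is readable by its owner alone (0600).
envfile_is_private() {
    mode=$(stat -c '%a' "$ENVFILE" 2>/dev/null || stat -f '%Lp' "$ENVFILE")
    [ "$mode" = "600" ]
}

write_envfile
write_caddyfile
if config_has_no_secret && envfile_is_private; then
    echo "config clean; start with: caddy run --config $CADDYFILE --envfile $ENVFILE"
fi
```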

mholt commented 1 year ago

Thanks for opening an issue to discuss this!

So basically, you want a placeholder that can specify the env file path? (But then which env var should be used from it?)

polarathene commented 1 year ago

@mholt sorry, I missed your reply somehow :grimacing:

you want a placeholder that can specify the env file path?

I believe rather than ENV, a placeholder or similar functionality to read in the value (secret) from a file, given a filepath?

The docker secrets feature provides a filesystem mount (the decrypted secret as a file in memory, not written to persistent storage), and this would be the secret value such as an API token.

With the --envfile workaround, you'd prefix the API token with an ENV assignment, so that it'd be read in by Caddy as an ENV. Main issue with that was it did not seem compatible with caddy-docker-proxy, where I raised an issue but received no response so far.


So to clarify, the intention was to remove any ENV usage, but keep the same security benefit of not writing a secret into the Caddy config, reading the value on-demand only, like the env placeholder feature does.

This feature request seems like it's perhaps too niche, and I've since realized that the feature of Docker Secrets is limited outside of Docker Swarm (which I don't use); for normal Docker containers it's very similar to just bind mounting a local file (the encrypted storage of a secret and configurable file ownership/permissions only seem to work with Docker Swarm, last I checked).


Closing as I doubt it's worth your time to implement :sweat_smile: