Closed polarathene closed 1 year ago
Thanks for opening an issue to discuss this!
So basically, you want a placeholder that can specify the env file path? (But then which env var should be used from it?)
@mholt sorry, I missed your reply somehow :grimacing:

> you want a placeholder that can specify the env file path?

I believe rather than ENV, a placeholder or similar functionality to read in the value (secret) from a file, given a filepath?

The docker secrets feature provides a filesystem mount (the decrypted secret as a file in memory, not written to persistent storage), and this would be the secret value such as an API token.

With the `--envfile` workaround, you'd prefix the API token with an ENV assignment, so that it'd be read in by Caddy as an ENV. Main issue with that was it did not seem compatible with caddy-docker-proxy, where I raised an issue but received no response so far.

So to clarify, intention was to remove any ENV usage, but keep the same security benefit of not writing a secret into the Caddy config, reading the value on-demand only, like the `env` placeholder feature does.
This feature request seems like it's perhaps too niche, and I've since realized that the feature of Docker Secrets is limited outside of Docker Swarm (which I don't use), for normal Docker containers it's very similar to just bind mounting a local file (the encrypted storage of a secret and configurable file ownership/permissions only seems to work with Docker Swarm last I checked).
Closing as I doubt it's worth your time to implement :sweat_smile:
This is similar to an earlier issue, which closed by using `caddy run --envfile /path/to/secret` to have Caddy treat the secret as an ENV file.

That `--envfile` solution does allow for run-time ENV fetching with `{env.CF_API_TOKEN}` to reference the ENV var only accessible from the Caddy process (and thus not leaked to anything else running within the container that can access the ENV, or outside the container via commands like `docker inspect`). Without the `env` placeholder I think it embeds the ENV in the generated `Caddyfile` / JSON output.

This works for regular Caddy, but plugins that run with a command like `caddy docker-proxy` don't support such.

Would it make sense to support similar functionality to the runtime `env` placeholder, but instead providing the file path to read the contents of the file as a value, such as for `dns cloudflare <file_path>`?

This issue could be migrated further upstream if there is interest.
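The `--envfile` workaround described in this issue, as an added shell example that is not code from the Caddy project or from the issue author: a small entrypoint helper that copies a file-mounted secret (a Docker secret is conventionally mounted under `/run/secrets/`, but the path and the token value below are constructed for the demo) into a `KEY=VALUE` env file that `caddy run --envfile` can load. The variable name `CF_API_TOKEN` comes from the issue; the helper assumes Caddy's env file format is one `KEY=VALUE` per line, creates the file with mode 0600 so nothing else in the container can read it, and never echoes the secret. It covers plain Caddy only; it does not address the caddy-docker-proxy incompatibility the issue mentions.

```shell
#!/bin/sh
# Added example (not from Caddy or the issue author): turn a file-mounted
# secret into the env file that `caddy run --envfile <path>` expects, so the
# token reaches the Caddy process as an env var without being written into
# the Caddyfile / JSON config.

# secret_to_envfile SECRET_FILE VAR_NAME ENVFILE
# Writes VAR_NAME=<contents of SECRET_FILE> to ENVFILE (created 0600).
# Returns non-zero, and creates nothing, when the input is unusable.
secret_to_envfile() {
  secret_file=$1
  var_name=$2
  envfile=$3

  [ -r "$secret_file" ] || { echo "secret_to_envfile: cannot read $secret_file" >&2; return 1; }

  # Only accept names that are valid environment variable identifiers.
  case $var_name in
    ''|*[!A-Za-z0-9_]*|[0-9]*)
      echo "secret_to_envfile: invalid variable name '$var_name'" >&2; return 1 ;;
  esac

  # $(...) strips trailing newlines, which is what we want for a token file.
  value=$(cat "$secret_file")
  [ -n "$value" ] || { echo "secret_to_envfile: $secret_file is empty" >&2; return 1; }

  # Assumption: the env file is parsed one KEY=VALUE per line, with '#'
  # possibly starting a comment. Refuse values that would not survive that
  # format unchanged rather than silently writing a truncated token.
  case $value in
    *'
'*|*'#'*)
      echo "secret_to_envfile: secret must be a single line without '#'" >&2; return 1 ;;
  esac

  old_umask=$(umask)
  umask 077                                # file is created 0600
  printf '%s=%s\n' "$var_name" "$value" > "$envfile"
  umask "$old_umask"
}

# --- constructed demo: stands in for /run/secrets/cf_api_token in a container ---
DEMO_DIR=$(mktemp -d)
DEMO_SECRET="$DEMO_DIR/cf_api_token"
DEMO_ENVFILE="$DEMO_DIR/caddy.env"
printf 'constructed-token-not-real\n' > "$DEMO_SECRET"

secret_to_envfile "$DEMO_SECRET" CF_API_TOKEN "$DEMO_ENVFILE"
echo "wrote $DEMO_ENVFILE (mode $(ls -l "$DEMO_ENVFILE" | cut -c1-10))"

# In a real entrypoint you would now hand off to Caddy, for example:
#   exec caddy run --config /etc/caddy/Caddyfile --envfile "$DEMO_ENVFILE"
# and reference the token in the Caddyfile as {env.CF_API_TOKEN}, so the
# secret is read at run time and never appears in the config itself.
```

The two refusals (bad variable name, multi-line or `#`-containing value) are deliberate: a quietly mangled env file would make Caddy use a wrong token, which surfaces later as a confusing DNS challenge failure rather than at startup.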