edgedb / edgedb-docker

Official Docker Image packaging for EdgeDB

Add a script to export secrets #44

Closed elprans closed 2 years ago

elprans commented 2 years ago

This adds edgedb-show-secrets.sh to the container as a way to easily obtain the raw value of a specific known secret, or a set of specified secrets, or all known secrets, in TOML format:

   docker exec <container> edgedb-show-secrets.sh \
       --format=toml EDGEDB_SERVER_TLS_CERT EDGEDB_SERVER_TLS_KEY

or

   docker exec <container> edgedb-show-secrets.sh \
       --format=shell --all

This helper is especially useful when one wants to preserve the generated TLS certificate and key as a secret on a hosting platform.

tailhook commented 2 years ago
  1. Why TOML format? How do you expect it to be used?
  2. --specifically= is named quite weirdly. Why not just edgedb-show-secrets.sh EDGEDB_SERVER_TLS_CERT?
elprans commented 2 years ago
> 1. Why TOML format? How do you expect it to be used?

flyctl secrets import. There is no way to set secrets one by one without deploying, and setting them separately causes a failure and a rollback. Regardless, TOML is the only sensible format for multiple multiline values. Also, non-multiline format is just KEY="VAL", which is compatible with shells, though we probably want to add shell format explicitly. I can add a required --format=toml if you're worried about the sensibility of it being the default.

> 2. --specifically= is named quite weirdly. Why not just edgedb-show-secrets.sh EDGEDB_SERVER_TLS_CERT?

Because --specifically outputs the raw value of the single specified secret, and positional arguments are used to filter which secrets get included in TOML output, so:

edgedb-show-secrets.sh EDGEDB_SERVER_TLS_CERT

Outputs

EDGEDB_SERVER_TLS_CERT=...

And

edgedb-show-secrets.sh --specifically=EDGEDB_SERVER_TLS_CERT

Outputs

---BEGIN CERT...
tailhook commented 2 years ago
> > 1. Why TOML format? How do you expect it to be used?
>
> flyctl secrets import. There is no way to set secrets one by one without deploying, and setting them separately causes a failure and a rollback. Regardless, TOML is the only sensible format for multiple multiline values. Also, non-multiline format is just KEY="VAL", which is compatible with shells, though we probably want to add shell format explicitly. I can add a required --format=toml if you're worried about the sensibility of it being the default.

Yes, adding --format makes sense. We don't use toml output by default anywhere. And it's very rarely used as an output format (i.e. I don't remember ever having seen that).

> > 2. --specifically= is named quite weirdly. Why not just edgedb-show-secrets.sh EDGEDB_SERVER_TLS_CERT?
>
> Because --specifically outputs the raw value of the single specified secret, and positional arguments are used to filter which secrets get included in TOML output, so:
>
>     edgedb-show-secrets.sh EDGEDB_SERVER_TLS_CERT
>
> Outputs
>
>     EDGEDB_SERVER_TLS_CERT=...
>
> And
>
>     edgedb-show-secrets.sh --specifically=EDGEDB_SERVER_TLS_CERT
>
> Outputs
>
>     ---BEGIN CERT...

Oh, this is even more confusing. It's better to output raw by default and include a key with --format=toml if we're adding it anyway.

Other than that, --specifically is a very sophisticated word which, on the other hand, isn't very precise in meaning and is almost never used in any APIs; any of the below are quicker to find in my memory and would be as precise as --specifically (except --get-raw, which says more):

elprans commented 2 years ago

> It's better to output raw by default and include a key with --format=toml if we're adding it anyway. [...] Other than that --specifically is very sophisticated word which

How about --format=raw to show values without keys?

tailhook commented 2 years ago

> How about --format=raw to show values without keys?

That would work. It even may work fine with two keys, if those two keys are certificate and private key.
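The following is an added example illustrating the behaviour discussed in the PR description and in the thread's conclusion (an explicit --format with a raw mode that prints values without keys). It is not the edgedb-docker edgedb-show-secrets.sh script. It assumes the known-secret list is just the two names mentioned in the PR, that --format is required, and that the function is named show_secrets; the certificate and key values are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not the edgedb-docker edgedb-show-secrets.sh script.
# Renders known secrets read from the environment in one of three formats:
#   toml  -> NAME = '''...'''  (literal multi-line string, safe for PEM)
#   shell -> NAME="..."        (double-quoted, escaped, eval-safe)
#   raw   -> the bare value, no key (the --format=raw idea from the thread)
# Assumptions: the known-secret list is only the two names the PR mentions,
# and --format is required (the thread agreed to add an explicit --format).

KNOWN_SECRETS="EDGEDB_SERVER_TLS_CERT EDGEDB_SERVER_TLS_KEY"

# Constructed placeholder values for a stand-alone run; not real key material.
# The key value deliberately contains $ ` and " to exercise shell escaping.
EDGEDB_SERVER_TLS_CERT='-----BEGIN CERTIFICATE-----
MIIBplaceholder/not+a+real+certificate==
-----END CERTIFICATE-----'
EDGEDB_SERVER_TLS_KEY='-----BEGIN PRIVATE KEY-----
MIIEplaceholder$not`real"key
-----END PRIVATE KEY-----'
export EDGEDB_SERVER_TLS_CERT EDGEDB_SERVER_TLS_KEY

# emit_secret FORMAT NAME: print one secret in FORMAT.
emit_secret() {
    es_fmt=$1
    es_name=$2
    # Indirect lookup of the variable whose name is in $es_name.
    eval "es_value=\${$es_name}"
    case $es_fmt in
        toml)
            # A TOML literal multi-line string processes no escapes, so the
            # value passes through byte for byte; the only sequence it cannot
            # hold is the ''' delimiter itself, which PEM data never contains.
            case $es_value in
                *"'''"*)
                    echo "error: $es_name contains ''' and cannot be a TOML literal" >&2
                    return 1 ;;
            esac
            printf "%s = '''\n%s'''\n" "$es_name" "$es_value"
            ;;
        shell)
            # Inside double quotes the shell still interprets \ " $ and the
            # backtick, so prefix each with a backslash before emitting.
            es_escaped=$(printf '%s' "$es_value" | sed -e 's/[\\"$`]/\\&/g')
            printf '%s="%s"\n' "$es_name" "$es_escaped"
            ;;
        raw)
            printf '%s\n' "$es_value"
            ;;
        *)
            echo "error: unknown format '$es_fmt' (expected toml, shell or raw)" >&2
            return 1
            ;;
    esac
}

# show_secrets --format=FMT (--all | NAME...): the CLI front end.
show_secrets() {
    ss_fmt=""
    ss_names=""
    for ss_arg in "$@"; do
        case $ss_arg in
            --format=*) ss_fmt=${ss_arg#--format=} ;;
            --all)      ss_names=$KNOWN_SECRETS ;;
            --*)        echo "error: unknown option $ss_arg" >&2; return 2 ;;
            *)          ss_names="$ss_names $ss_arg" ;;
        esac
    done
    if [ -z "$ss_fmt" ] || [ -z "$ss_names" ]; then
        echo "usage: show_secrets --format=toml|shell|raw (--all | NAME...)" >&2
        return 2
    fi
    for ss_name in $ss_names; do
        # Only names on the allow-list are ever printed, so a typo cannot
        # dump an arbitrary environment variable.
        case " $KNOWN_SECRETS " in
            *" $ss_name "*) ;;
            *) echo "error: $ss_name is not a known secret" >&2; return 1 ;;
        esac
        emit_secret "$ss_fmt" "$ss_name" || return 1
    done
}

# Stand-alone demo, equivalent to the PR's second docker exec invocation.
show_secrets --format=shell --all
```

The TOML and shell modes differ in how they protect a multi-line PEM block: the TOML literal string needs no escaping at all and only has to refuse a value containing the ''' delimiter, while the shell form must escape the four characters that remain special inside double quotes so that `eval` of the output reproduces the value exactly. The allow-list check is what keeps a mistyped name from printing an unrelated environment variable.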