kernelci / kernelci-frontend

Upstream Linux Kernel Validation Project Dashboard
http://kernelci.org
GNU Lesser General Public License v2.1

Provide AUTH_TOKEN as an env var or a Docker secret #18

Open lucj opened 7 years ago

lucj commented 7 years ago

To ease the provisioning of the AUTH_TOKEN, and because it contains sensitive info, I was thinking the BACKEND_TOKEN could be provided as an env variable (for development) and as a Swarm secret (for production). What about adding a method in the frontend that could check those locations prior to checking the conf file?

It could be something like the following which first checks if the key is present in the env and then checks if it's present in /run/secrets/label, a tmpfs file which is the default location for Docker Swarm secrets (this location could also be used to mount a secret in k8s though).

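import os


def get_param(label):
    """Get parameter from env var or Docker secret

    This function checks if a given parameter is provided as an env variable,
    or as a Docker secret (within /run/secrets/label)

    :param label: The label to be retrieved
    :return: The value found, or None if it is in neither location
    """
    # The environment takes precedence over the secret file.
    try:
        return os.environ[label]
    except KeyError:
        pass
    # Fall back to the Docker secret; a missing or unreadable file means "not set".
    try:
        with open('/run/secrets/' + label, 'r') as secret:
            return secret.read().strip('\n')
    except (IOError, OSError):
        return None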

Which could be called (in app/dashboard/utils/backend.py) like:

AUTH_TOKEN = get_param("BACKEND_TOKEN") or CONFIG_GET("BACKEND_TOKEN")

Any thoughts?

MiloCasagrande commented 7 years ago

The approach looks good, although I would load all the configuration parameters in one single place like in the dashboard/__init__.py and store everything in the app.config context (the last load wins).
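
The layering discussed in this thread, as an added example that is not part of the issue or the project's code: every source is loaded in one place in the order conf file, Docker secret, env variable, so the last load wins and the env-then-secret-then-conf-file precedence of get_param is kept. A plain dict stands in for app.config; read_secret, load_settings, demo, EXAMPLE_SETTING and all token values are hypothetical.

```python
import os
import tempfile

SECRETS_DIR = "/run/secrets"  # default Docker Swarm secrets location named in the issue


def read_secret(label, secrets_dir=SECRETS_DIR):
    """Return the secret stored in secrets_dir/label, or None if absent."""
    # Accept plain file names only, so a label cannot point outside secrets_dir.
    if not label or label in (".", "..") or os.path.basename(label) != label:
        return None
    try:
        with open(os.path.join(secrets_dir, label), "r") as secret:
            return secret.read().strip("\n")
    except (IOError, OSError):
        return None


def load_settings(keys, file_config, environ=None, secrets_dir=SECRETS_DIR):
    """Build one settings dict; sources load in order and the last load wins."""
    environ = os.environ if environ is None else environ
    sources = (
        file_config.get,                            # 1. conf file (lowest precedence)
        lambda key: read_secret(key, secrets_dir),  # 2. Docker secret
        environ.get,                                # 3. env variable (highest)
    )
    settings = {}  # stands in for app.config (assumption: a dict-like object)
    for lookup in sources:
        for key in keys:
            value = lookup(key)
            if value is not None:
                settings[key] = value
    return settings


def demo():
    """Run the loader on constructed values; none of these is a real token."""
    secrets_dir = tempfile.mkdtemp()
    with open(os.path.join(secrets_dir, "BACKEND_TOKEN"), "w") as handle:
        handle.write("token-from-secret\n")
    file_config = {"BACKEND_TOKEN": "token-from-file", "EXAMPLE_SETTING": "from-file"}
    keys = ["BACKEND_TOKEN", "EXAMPLE_SETTING"]
    prod = load_settings(keys, file_config, environ={}, secrets_dir=secrets_dir)
    dev = load_settings(keys, file_config,
                        environ={"BACKEND_TOKEN": "token-from-env"},
                        secrets_dir=secrets_dir)
    return prod, dev
```

With this ordering a token left in the conf file is only used when neither a secret nor an env variable supplies one, so a production deployment can ship the conf file without the token in it.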