To ease the provisioning of the AUTH_TOKEN, and because it contains sensitive info, I was thinking the BACKEND_TOKEN could be provided as an env variable (for development) and as a Swarm secret (for production). What about adding a method in the frontend that could check those locations prior to checking the conf file?
It could be something like the following which first checks if the key is present in the env and then checks if it's present in /run/secrets/label, a tmpfs file which is the default location for Docker Swarm secrets (this location could also be used to mount a secret in k8s though).
```python
import os


def get_param(label):
    """Get parameter from env var or Docker secret

    This function checks if a given parameter is provided as an env variable,
    or as a Docker secret (within /run/secrets/label)

    :param label: The label to be retrieved
    """
    # An environment variable takes precedence
    try:
        return os.environ[label]
    except KeyError:
        pass
    # Fall back to the secret file mounted by Docker
    try:
        with open('/run/secrets/' + label, 'r') as secret:
            return secret.read().strip('\n')
    except OSError:
        return None
```
Which could be called (in app/dashboard/utils/backend.py) like:
```python
AUTH_TOKEN = get_param("BACKEND_TOKEN") or CONFIG_GET("BACKEND_TOKEN")
```
The approach looks good, although I would load all the configuration parameters in one single place like in the dashboard/__init__.py and store everything in the app.config context (the last load wins).
Any thoughts?
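As an added example (not code from this thread or from the project), this is one way to load everything in a single place with "last load wins", in the order conf file, then secret file, then env variable. The names `load_settings`, `demo` and `BACKEND_URL`, the label pattern and the sample values are assumptions made for illustration; the label check keeps a label from resolving outside the secrets directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: labels are upper-case identifiers such as BACKEND_TOKEN.
_LABEL_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")


def load_settings(labels, file_config, env=None, secrets_dir="/run/secrets"):
    """Merge settings from conf file, secret files and env (last load wins)."""
    env = os.environ if env is None else env
    settings = {}
    for label in labels:
        if not _LABEL_RE.match(label):
            # Reject anything that could escape secrets_dir (e.g. "../x").
            raise ValueError("invalid setting label: %r" % (label,))
        if label in file_config:           # 1. conf file (lowest priority)
            settings[label] = file_config[label]
        try:                               # 2. Docker/Swarm secret file
            secret = Path(secrets_dir, label).read_text()
            settings[label] = secret.strip("\n")
        except OSError:
            pass                           # secret not mounted or unreadable
        if label in env:                   # 3. env variable (highest priority)
            settings[label] = env[label]
    return settings


def demo():
    """Run the loader against a constructed secrets directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "BACKEND_TOKEN").write_text("from-secret\n")  # constructed
        conf = {"BACKEND_TOKEN": "from-conf", "BACKEND_URL": "http://conf"}
        labels = ["BACKEND_TOKEN", "BACKEND_URL"]
        no_env = load_settings(labels, conf, env={}, secrets_dir=tmp)
        with_env = load_settings(labels, conf, env={"BACKEND_TOKEN": "from-env"},
                                 secrets_dir=tmp)
        return no_env, with_env


if __name__ == "__main__":
    print(demo())
```

The returned dict can be passed to `app.config.update(...)` once at start-up, so the rest of the code reads `app.config["BACKEND_TOKEN"]` without caring where the value came from.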