mbecker20 / komodo

🦎 a tool to build and deploy software on many servers 🦎
GNU General Public License v3.0

[Feature] Use docker secrets for config options #74

Open Cheezzhead opened 6 days ago

Cheezzhead commented 6 days ago

Some environment variables, such as DB_PASSWORD and KOMODO_PASSKEY, contain sensitive data that should be excluded from the compose file and/or environment file. Typically this is achieved by adding them to the container as a secret file. To make this work, Komodo should be able to read the variables from a file instead of from the environment directly, e.g.:

services:
  # ...

  core:
    image: ghcr.io/mbecker20/komodo:latest
    # ...
    secrets:
      - komodo_postgres_pass
      - komodo_passkey
    environment:
      # ...
      DB_PASSWORD_FILE: /run/secrets/komodo_postgres_pass
      KOMODO_PASSKEY_FILE: /run/secrets/komodo_passkey
      # etc..

secrets:
  komodo_postgres_pass:
    file: /home/user/.docker/secrets/postgres/komodo_pass
  komodo_passkey:
    file: /home/user/.docker/secrets/komodo/passkey

For Komodo's part, all it would need to do is recognize these _FILE variables and assign their contents to the correct environment variable during initialization (e.g. DB_PASSWORD=$(cat "$DB_PASSWORD_FILE"); export DB_PASSWORD).

Note: After reading the docs some more I saw this section. While this is indeed a solution that keeps sensitive data out of the environment, it's not really ideal because config files aren't really 'secrets'; they don't operate in the same way when it comes to mounting, and are typically not stored in the same directory and/or with the same permissions.
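The `_FILE` resolution step described above, as an added example in Rust (Komodo's language) that is not part of the project or of this issue; `resolve_secret`, its `lookup` closure and the file path in `main` are hypothetical. It refuses the ambiguous case where both `VAR` and `VAR_FILE` are set, strips the trailing newline most secret files carry, and reports only the variable name and path in errors, never the secret value.

```rust
use std::env;
use std::fs;
use std::io;

/// Return the value of `var`, or the contents of the file named by
/// `var_FILE` (e.g. /run/secrets/komodo_passkey). `lookup` abstracts the
/// environment so the logic can be tested without touching process env.
/// Hypothetical helper written for this issue, not Komodo's own code.
pub fn resolve_secret<F>(var: &str, lookup: F) -> io::Result<Option<String>>
where
    F: Fn(&str) -> Option<String>,
{
    let file_var = format!("{var}_FILE");
    let direct = lookup(var).filter(|v| !v.is_empty());
    let path = lookup(&file_var).filter(|v| !v.is_empty());
    match (direct, path) {
        // Ambiguous configuration: fail loudly instead of silently picking one.
        (Some(_), Some(_)) => Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("both {var} and {file_var} are set; set only one"),
        )),
        (Some(v), None) => Ok(Some(v)),
        (None, Some(p)) => {
            // Error text names the variable and path but never the secret.
            let raw = fs::read_to_string(&p)
                .map_err(|e| io::Error::new(e.kind(), format!("{file_var}={p}: {e}")))?;
            // Secret files usually end in a newline; strip only line endings.
            let value = raw.trim_end_matches(&['\r', '\n'][..]).to_string();
            if value.is_empty() {
                return Err(io::Error::new(
                    io::ErrorKind::InvalidData,
                    format!("{file_var}={p} is empty"),
                ));
            }
            Ok(Some(value))
        }
        (None, None) => Ok(None),
    }
}

/// Convenience wrapper over the real process environment.
pub fn resolve_secret_from_env(var: &str) -> io::Result<Option<String>> {
    resolve_secret(var, |name| env::var(name).ok())
}

fn main() -> io::Result<()> {
    for var in ["DB_PASSWORD", "KOMODO_PASSKEY"] {
        match resolve_secret_from_env(var)? {
            Some(_) => println!("{var}: set"), // value deliberately not printed
            None => println!("{var}: not set"),
        }
    }
    Ok(())
}
```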

mbecker20 commented 4 days ago

Thanks for pointing this out, I can definitely implement this standard for the next release.