Add secrets file support for docker

[ChrisFromCnC]

I propose to add support to dockerfile secrets for PBS_USERNAME, PBS_API_TOKEN_NAME and PBS_API_TOKEN.

Idea is to move secrets outside of docker-compose file for instance for security purpose.

As example a docker-compose file can be created like this: proxmoxbackup: image: ghcr.io/natrontech/pbs-exporter:0.1.5 container_name: proxmoxbackup restart: always secrets:

• proxmoxbackup-username
• proxmoxbackup-api-token-name
• proxmoxbackup-api-token environment: PBS_USERNAME_FILE: /run/secrets/proxmoxbackup-username PBS_API_TOKEN_NAME_FILE: /run/secrets/proxmoxbackup-api-token-name PBS_API_TOKEN_FILE: /run/secrets/proxmoxbackup-api-token

secrets: proxmoxbackup-username: file: "./.secrets/proxmoxbackup_username.secret" proxmoxbackup-api-token-name: file: "./.secrets/proxmoxbackup_api_token_name.secret" proxmoxbackup-api-token: file: "./.secrets/proxmoxbackup_api_token.secret"

All secrets are now stored in a folder .secrets.

Convention naming for secrets in docker is to add _FILE to regular environnement variable. In our case we need to manage PBS_USERNAME_FILE, PBS_API_TOKEN_NAME_FILE and PBS_API_TOKEN_FILE env variables.

I just adapt the main.go to read the new env variable for the secret file name and read the first line from the file.

Sorry I cannot add a file here so I post a diff of main

diff --git a/main.go b/main.go index 1e6686d..cd8cd88 100644 --- a/main.go +++ b/main.go @@ -1,6 +1,7 @@ package main

import (

• "bufio" "crypto/tls" "encoding/json" "flag" @@ -234,6 +235,24 @@ type Exporter struct { authorizationHeader string }

+func ReadSecretFile(secretfilename string) string {

• file, err := os.Open(secretfilename)
• // flag to check the file format
• if err != nil {
• log.Fatal(err)
• }
• // Close the file
• defer func() {
• if err = file.Close(); err != nil {
• log.Fatal(err)
• }
• }()
• // Read the first line
• line := bufio.NewScanner(file)
• line.Scan()
• return line.Text() +}

• func NewExporter(endpoint string, username string, apitoken string, apitokenname string) Exporter { return &Exporter{ endpoint: endpoint, @@ -660,12 +679,24 @@ func main() { } if os.Getenv("PBS_USERNAME") != "" { username = os.Getenv("PBS_USERNAME")

• } else {
• if os.Getenv("PBS_USERNAME_FILE") != "" {
• *username = ReadSecretFile(os.Getenv("PBS_USERNAME_FILE"))
• } } if os.Getenv("PBS_API_TOKEN_NAME") != "" { *apitokenname = os.Getenv("PBS_API_TOKEN_NAME")
• } else {
• if os.Getenv("PBS_API_TOKEN_NAME_FILE") != "" {
• *apitokenname = ReadSecretFile(os.Getenv("PBS_API_TOKEN_NAME_FILE"))
• } } if os.Getenv("PBS_API_TOKEN") != "" { *apitoken = os.Getenv("PBS_API_TOKEN")
• } else {
• if os.Getenv("PBS_API_TOKEN_FILE") != "" {
• *apitoken = ReadSecretFile(os.Getenv("PBS_API_TOKEN_FILE"))
• } } if os.Getenv("PBS_TIMEOUT") != "" { *timeout = os.Getenv("PBS_TIMEOUT")

[janfuhrer]

Hi @ChrisFromCnC

Thanks for opening the issue. It sounds reasonable to me to add this functionality as long as both methods work (with and without docker secrets).

Feel free to open a PR with your changes and we will test and verify your implementation.

[janfuhrer]

implemented in #11 released in 0.3.0

Thanks again @ChrisFromCnC !