prometheus-community / ipmi_exporter

Remote IPMI exporter for Prometheus
MIT License

Support for storing credentials in environment variables #207

Open SchoolGuy opened 1 month ago

SchoolGuy commented 1 month ago

As a user
I want to avoid storing sensitive data in configuration files
so that I can easily store the configuration files inside of version control systems.


Now a bit more detail on what my issue is: I am using the provided Docker Hub image and am using docker-compose to start my monitoring stack. The configuration data as well as the compose file are currently under version control in Git. This opens up the issue of passwords needing to be written in plain text and stored in Git.

My idea to solve this would be to load the username and password from environment variables with the following schema:

IPMIEXPORTER_MODULES_<name>_USER="user"
IPMIEXPORTER_MODULES_<name>_PASS="pass"

I think that this is what #155 was about in the end.
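
The naming scheme proposed in the comment above, sketched as an added Go example that is not part of the thread or of ipmi_exporter's own code. `Module`, `envKey` and `ApplyEnvCredentials` are hypothetical names, and upper-casing module names into variable names is an assumption the issue does not spell out.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// Module is a hypothetical stand-in for one module's credentials.
type Module struct{ User, Pass string }

// envKey builds IPMIEXPORTER_MODULES_<name>_<field>. Upper-casing the name and
// mapping every other character to '_' is an assumption; note that "dell-rack"
// and "dell_rack" would then share one variable.
func envKey(module, field string) string {
	name := strings.Map(func(r rune) rune {
		if (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
			return r
		}
		return '_'
	}, strings.ToUpper(module))
	return "IPMIEXPORTER_MODULES_" + name + "_" + field
}

// ApplyEnvCredentials overlays values found through lookup (os.LookupEnv in
// production) onto modules loaded from the file. Unset variables leave the
// file value untouched, so the behaviour stays opt-in. It returns the sorted
// variable names that were applied, never their values, so it is safe to log.
func ApplyEnvCredentials(modules map[string]*Module, lookup func(string) (string, bool)) []string {
	var applied []string
	for name, m := range modules {
		for field, dst := range map[string]*string{"USER": &m.User, "PASS": &m.Pass} {
			if v, ok := lookup(envKey(name, field)); ok {
				*dst = v
				applied = append(applied, envKey(name, field))
			}
		}
	}
	sort.Strings(applied)
	return applied
}

func main() {
	// Constructed sample: the committed file carries no passwords.
	modules := map[string]*Module{"default": {}, "dell-rack": {User: "monitor"}}
	fmt.Println(ApplyEnvCredentials(modules, os.LookupEnv))
}
```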

SchoolGuy commented 1 month ago

If the maintainers accept this feature request I am able to contribute this feature as I have a dedicated time budget at work to do these kinds of contributions.

SuperQ commented 1 month ago

Configuration files are more safe than env vars. I recommend against doing this.

SchoolGuy commented 1 month ago

@SuperQ If the source of truth is a Git repository, then credential leakage is much more likely if you have the full configuration file stored inside Git. If the credentials are stored separately from the configuration file, the likelihood is much lower. Encrypting full configuration files is a practice I have never heard of.

Since the behavior I am desiring is opt-in, I don't see why one should give a recommendation against this new functionality. Even more, it has been standard practice to configure daemons via environment variables since the dawn of time (notably /etc/sysconfig as the most famous option).