traefik / traefik

The Cloud Native Application Proxy
https://traefik.io
MIT License

Read Consul HTTP Token from a file #3602

Open Beanow opened 6 years ago

Beanow commented 6 years ago

Do you want to request a feature or report a bug?

Feature

What did you expect to see?

CONSUL_HTTP_TOKEN seems to be the only documented way to use Consul ACLs. In Docker Swarm configurations this token should be read from a file instead, as ENV vars are not treated as secret and will leak.

An alternative such as CONSUL_HTTP_TOKEN_FILE or, better yet, --consul.httpTokenFile and its TOML equivalent would be much better for swarm security.

endersonmaia commented 6 years ago

I think the scope is broader, and Traefik should be adapted to read the contents of files when a file path is passed via a special ENV variable.

The suffix _FILE is a good alternative, and it's being used in official docker images like this.

So the issue could be something like: "Add _FILE suffix as an alternative to use file contents as the value of the variable."


My case is for ACME DNS Challenge for Cloudflare, and to save the CLOUDFLARE_API_KEY as a docker secret.

Just using CLOUDFLARE_API_KEY_FILE instead of CLOUDFLARE_API_KEY could solve it.

Ex.:

    environment:
      - CLOUDFLARE_EMAIL=me@example.com
      # No quotes: in list syntax they would become part of the value.
      - CLOUDFLARE_API_KEY_FILE=/run/secrets/cloudflare_api_key
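
The `_FILE` convention requested in this thread, as an added Go example (not code from the thread or from Traefik): a hypothetical helper `secretFromEnv` returns the value of NAME, falls back to the contents of the file named by NAME_FILE, and fails closed when both are set. The helper name, the `ErrAmbiguous` error and the fail-closed choice are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrAmbiguous is returned when both NAME and NAME_FILE are set (hypothetical name).
var ErrAmbiguous = errors.New("variable and its _FILE variant are both set")

// secretFromEnv resolves a secret from NAME or from the file named by NAME_FILE.
func secretFromEnv(name string) (string, error) {
	val, hasVal := os.LookupEnv(name)
	path, hasFile := os.LookupEnv(name + "_FILE")
	switch {
	case hasVal && hasFile:
		// Fail closed rather than silently picking one source.
		return "", fmt.Errorf("%s: %w", name, ErrAmbiguous)
	case hasVal:
		return val, nil
	case !hasFile:
		return "", nil // neither set: the caller decides whether that is fatal
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		// The error carries the path, never the file content.
		return "", fmt.Errorf("%s_FILE: %w", name, err)
	}
	// Secrets created from `echo` output usually end in a newline.
	secret := strings.TrimRight(string(raw), "\r\n")
	if secret == "" {
		return "", fmt.Errorf("%s_FILE: %s is empty", name, path)
	}
	return secret, nil
}

func main() {
	token, err := secretFromEnv("CONSUL_HTTP_TOKEN")
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1)
	}
	// Log only whether a token was found, not the token itself.
	fmt.Println("consul token configured:", token != "")
}
```

With a Swarm secret mounted under /run/secrets, only the path appears in the service definition and in `docker inspect` output; the token itself stays in the mounted file.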