Add _FILE environment variable variants to read sensitive configuration from files #475
Comments
@Radiergummi that seems like a pretty easy workaround and nice solution that covers any and all secrets held in the config both today and tomorrow. I think using a template or As per https://docs.docker.com/engine/swarm/secrets/ ... Most VP configs come in at less than 5KB (or even less than 2KB) so there's plenty of room to work with there. If we linked to this issue from the README would that suffice to document this mechanism?

@bnfinet Yep, sure. It works fine this way :)
We're running Vouch in our Swarm cluster. All applications are configured from the CI deployment pipeline, and Vouch is no exception here. Currently, the JWT secret and OAuth provider configuration have to be passed as environment variables, which provides no protection for the values, so they are visible from internal monitoring dashboards which are accessible to all developers. We would like to restrict access to sensitive data like the OAuth client credentials however.
This is easily possible by using Docker Secrets, which essentially mount secret values as files below `/run/secret/`. Lots of applications include support for `ACME_SECRET` and `ACME_SECRET_FILE` to allow passing the path of a file instead of the secret value itself. It would be great if Vouch supported `_FILE` variants of sensitive configuration settings, or maybe just all of them!

In the meantime, there's a workaround: dynamically generating a configuration file and providing that as a secret:

The configuration itself could be written using something like this in a build script:
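The `NAME` / `NAME_FILE` convention requested above, written out as an added Go example (not Vouch Proxy's own code): the resolver reads the secret from the file named by `NAME_FILE` when that variable is set, refuses configurations where both variants are present so a stale plain-text value cannot shadow the file-backed one, and strips the trailing newline that Docker-mounted secret files usually carry. `VOUCH_JWT_SECRET` is used as an illustrative setting name and the environment and filesystem access is injected so the logic can be exercised without a real `/run/secrets/` mount.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// secretSource abstracts environment and file access so the resolver can be
// exercised with constructed inputs instead of the real process environment.
type secretSource struct {
	getenv   func(string) string
	readFile func(string) ([]byte, error)
}

// resolveSecret returns the value of a setting such as VOUCH_JWT_SECRET,
// taking it from NAME_FILE (path to a Docker secret) or from NAME directly.
// Setting both is an error: the operator must pick one source deliberately.
func resolveSecret(src secretSource, name string) (string, error) {
	direct := src.getenv(name)
	path := src.getenv(name + "_FILE")
	switch {
	case direct != "" && path != "":
		return "", fmt.Errorf("%s and %s_FILE are both set; use only one", name, name)
	case path != "":
		data, err := src.readFile(path)
		if err != nil {
			return "", fmt.Errorf("reading %s_FILE: %w", name, err)
		}
		// Secret files are typically written with a trailing newline; drop it
		// but leave any interior whitespace exactly as stored.
		return strings.TrimRight(string(data), "\r\n"), nil
	case direct != "":
		return direct, nil
	}
	return "", errors.New(name + " is not configured")
}

// osSource reads the real environment and filesystem (e.g. /run/secrets/...).
var osSource = secretSource{getenv: os.Getenv, readFile: os.ReadFile}

func main() {
	secret, err := resolveSecret(osSource, "VOUCH_JWT_SECRET")
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1)
	}
	fmt.Printf("loaded a %d-byte JWT secret\n", len(secret))
}
```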