Using secrets #80
Conversation
demo/Dockerfile
@@ -22,7 +22,6 @@ RUN --mount=type=cache,target=/root/.composer/cache \ | |||
drupal/facets:^1.3 \ | |||
drupal/matomo:^1.7 \ | |||
drupal/pdf:1.x-dev \ | |||
drupal/rdfui:^1.0-beta1 \ |
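Review bot: the header `@@ -22,7 +22,6 @@` records a net one-line removal from the `composer require` list in demo/Dockerfile, but no `-` line survives in this excerpt, and a dependency change is unrelated to the secrets init script that is the subject of this PR; please either move it to its own commit or state in the PR description which package was dropped and why, so a reader of the Dockerfile history can tell the two changes apart.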
I assume this is fine, just thought I'd bring attention to it if it was intended for another branch or commit.
set -e | ||
|
||
# Read any secret files specified in environment variables. | ||
echo "$(env | grep '=secret:')" | while read line |
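Review bot: `while read line` should be `while IFS= read -r line` so a backslash in a secret path is not interpreted as an escape and surrounding whitespace is preserved, and the `grep '=secret:'` pattern should be anchored to the variable name (for example `grep '^[A-Za-z_][A-Za-z0-9_]*=secret:'`) so that only values which begin with `secret:` are rewritten rather than any line that happens to contain `=secret:`. The `echo "$(...)"` wrapper adds nothing over piping `env | grep ... | while ...` directly, and because the loop sits at the end of a pipeline it runs in a subshell, so any `export` performed inside it will not reach the rest of the script; feed the loop from a here-document or a temporary file if the rewritten variables must be visible to what the script runs afterwards.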
Could you put instructions into the README? It looks like you have to do a specific thing with a filename to make this work, and we shouldn't assume people will go read the code to figure it out.
And can you add your SECRETfile as a template to this repo?
If you scroll to "By .env technique" here you can see how to load a second .yml file by changing your COMPOSE_FILE declaration in your .env file https://stackoverflow.com/questions/55650342/import-docker-compose-file-in-another-compose-file
I put example secret files in Islandora-Devops/isle-dc#123
I've made an associated pull to isle-dc: Islandora-Devops/isle-dc#123. I'll try to document it in the README as best I can here.
I decided it fit better in isle-dc than here. I updated the PR to include a secrets chunk in the README.
@nigelgbanks Any chance we can get this in to help with Islandora-Devops/isle-dc#126?
@dannylamb per your request here Islandora-Devops/isle-dc#126 (comment) I merged this PR
This approach lets you use secrets for running in production. For an environment variable that should be secret, instead of directly entering its value into config, replace it with `secret:/path/to/the/secret`. This little init script will scan the container environment for variables that follow that pattern, read the contents of that file, and replace the variable's value with the file's contents.

There will be an analogous pull on isle-dc to demonstrate how to use secrets in the docker-compose file. I'm trying to work this in such that, if integrating with other things like etcd, vault or AWS's secrets solution, this won't get in the way. It's specifically for the env backend of confd, and if you don't pattern your variables this way, nothing will change.
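The `secret:/path` convention described above, as an added POSIX sh example written for this page rather than the PR's own init script: it matches only variables whose value begins with `secret:`, reads the named file, re-exports the variable with the file's contents, leaves every other variable untouched, and fails closed when a referenced file is missing. The variable names, the file paths and the `hunter2` value in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the PR's own script: resolve NAME=secret:/path/to/file
# variables by replacing each value with the contents of the named file.
set -eu

# Print the resolved form of one raw value. A value that does not start with
# "secret:" is printed unchanged, so unrelated variables are never rewritten.
resolve_secret_value() {
  case "$1" in
    secret:*)
      file=${1#secret:}
      if [ ! -r "$file" ]; then
        # Fail closed: a missing secret must not silently become an empty string.
        printf 'secret file not readable: %s\n' "$file" >&2
        return 1
      fi
      # The caller captures this with $(...), which strips the trailing newline
      # an editor usually leaves at the end of the file.
      cat -- "$file"
      ;;
    *)
      printf '%s' "$1"
      ;;
  esac
}

# Rewrite every NAME=secret:... variable in the current environment. The match
# is anchored to the variable name so a value that merely contains "=secret:"
# is ignored, and the loop is fed from a here-document instead of a pipe so it
# runs in the current shell and the exports survive for later commands.
resolve_secret_env() {
  matches=$(env | grep '^[A-Za-z_][A-Za-z0-9_]*=secret:' || true)
  [ -n "$matches" ] || return 0
  while IFS= read -r line; do
    name=${line%%=*}
    raw=${line#*=}
    value=$(resolve_secret_value "$raw")
    export "$name=$value"
  done <<EOF
$matches
EOF
}

# Self-contained demonstration with a constructed secret file and variable names.
demo_secrets() {
  dir=$(mktemp -d)
  printf 'hunter2\n' > "$dir/db_password"
  export DB_PASSWORD="secret:$dir/db_password"   # follows the pattern, gets rewritten
  export DB_HOST="db"                            # no secret: prefix, must stay as-is
  resolve_secret_env
  printf 'DB_PASSWORD=%s DB_HOST=%s\n' "$DB_PASSWORD" "$DB_HOST"
  rm -rf "$dir"
}

demo_secrets
```

Under `set -e` an unreadable secret file aborts the script before the application starts, which is the behaviour you want for an init script: a container that comes up with an empty password is harder to notice than one that refuses to start. If the loop were written as `env | grep ... | while read`, the `export` would happen in a pipeline subshell and the main script would still see the literal `secret:/path` value.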