[Feature] Ability to inject secrets into XML config file at startup using Environment variables

Open ashleysommer opened this issue 2 years ago • 1 comments

When configuring username and password for postgres db, it would be great to not have to hardcode the values into the config file.

When using containerisation runtimes like docker-compose or kubernetes, it is common to have any required secrets made available as environment variables supplied into the container at runtime.

In short, instead of this:

<dimension type="postgresql" name="time" default="d1" time="true">
  <connection>
    host=my.postgres.host.org user=mapcache password=xxchangemexx dbname=index port=5433
  </connection>
  <list_query>SELECT ts FROM timedim</list_query>
  <validate_query>
       SELECT to_char(ts,'YYYY-MM-DD"T"HH24:MI:SS"Z"') FROM timedim
        WHERE ts &gt;= to_timestamp(:start_timestamp)
          AND ts &lt;= to_timestamp(:end_timestamp)
     ORDER BY ts DESC
  </validate_query>
</dimension>

I want to do this:

<dimension type="postgresql" name="time" default="d1" time="true">
  <connection>
    host=my.postgres.host.org user=${DB_USERNAME} password=${DB_PASSWORD} dbname=index port=5433
  </connection>
  <list_query>SELECT ts FROM timedim</list_query>
  <validate_query>
       SELECT to_char(ts,'YYYY-MM-DD"T"HH24:MI:SS"Z"') FROM timedim
        WHERE ts &gt;= to_timestamp(:start_timestamp)
          AND ts &lt;= to_timestamp(:end_timestamp)
     ORDER BY ts DESC
  </validate_query>
</dimension>

Similar question on stackoverflow: https://gis.stackexchange.com/questions/418360/referencing-environment-variables-in-mapcache-xml

Kind of related to #273

ashleysommer, Apr 27 '22 02:04

As this functionality is not yet in Mapcache, we are solving this situation by replacing the template values with env values via a configure script, which runs before mapcache is run. Of course the generated mapcache.xml will still have the credentials shown in plain text at runtime.

# Escape \ / and & (the characters special in a sed replacement) in each value before substituting it.
cat mapcache-template.xml \
    | sed -e "s/{{DB_USER}}/$(printf '%s' "${DB_USER}" | sed -e 's,[\\/&],\\&,g')/g" \
    | sed -e "s/{{DB_PW}}/$(printf '%s' "${DB_PW}" | sed -e 's,[\\/&],\\&,g')/g" \
    | sed -e "s/{{DB_HOST}}/$(printf '%s' "${DB_HOST}" | sed -e 's,[\\/&],\\&,g')/g" \
    | sed -e "s/{{DB_PORT}}/$(printf '%s' "${DB_PORT}" | sed -e 's,[\\/&],\\&,g')/g" \
    | sed -e "s/{{DB_NAME}}/$(printf '%s' "${DB_NAME}" | sed -e 's,[\\/&],\\&,g')/g" > mapcache.xml

lubojr, Aug 04 '22 13:08
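
A sketch of the pre-start templating approach from the comment above, added here as an example (it is not code from the thread or from MapCache): each value is escaped for a quoted libpq conninfo string, then for XML, then for sed, and the output file is created owner-only. The function names and the quoted `password='{{DB_PW}}'` template form are assumptions of this example.

```shell
#!/bin/sh
# Added example: fill {{NAME}} placeholders from environment variables.
# Assumption: the template quotes conninfo values, e.g. password='{{DB_PW}}'.

# Layer 1: libpq single-quoted conninfo value (\ -> \\, ' -> \').
conninfo_escape() { printf '%s' "$1" | sed -e 's|\\|\\\\|g' -e "s|'|\\\\'|g"; }
# Layer 2: XML text node (& first, then < and >).
xml_escape() { printf '%s' "$1" | sed -e 's|&|\&amp;|g' -e 's|<|\&lt;|g' -e 's|>|\&gt;|g'; }
# Layer 3: sed replacement text, where \ / and & are special.
sed_escape() { printf '%s' "$1" | sed -e 's,[\\/&],\\&,g'; }

# usage: render_config TEMPLATE OUTPUT NAME...
# Values containing newlines are not supported (sed rejects the script).
render_config() {
    template=$1 output=$2; shift 2
    script=''
    for name in "$@"; do
        case $name in ''|*[!A-Za-z0-9_]*) echo "bad name: $name" >&2; return 1;; esac
        eval "isset=\${$name+x}; value=\${$name-}"
        # Fail closed instead of writing an empty credential.
        [ -n "$isset" ] || { echo "unset variable: $name" >&2; return 1; }
        value=$(sed_escape "$(xml_escape "$(conninfo_escape "$value")")")
        script="${script}s/{{$name}}/$value/g
"
    done
    # The sed script travels over stdin, so the secrets never appear in sed's
    # command-line arguments; umask 077 creates the output as mode 0600.
    ( umask 077; printf '%s' "$script" | sed -f /dev/stdin "$template" >"$output.tmp" ) \
        || { rm -f "$output.tmp"; return 1; }
    mv "$output.tmp" "$output"
}

# Constructed demo values; a real deployment gets these from the container runtime.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "<connection>user={{DB_USER}} password='{{DB_PW}}'</connection>" >"$dir/tpl.xml"
    DB_USER=mapcache; DB_PW="p&s/w<d it's"
    render_config "$dir/tpl.xml" "$dir/out.xml" DB_USER DB_PW && cat "$dir/out.xml"
    rm -rf "$dir"
}
demo
```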