pihole-exporter icon indicating copy to clipboard operation
pihole-exporter copied to clipboard

Published 20 hours ago verified publisher icon eko

request: support use of docker secret for pihole password

Open jeremyhayes opened this issue 3 years ago • 2 comments

Feature request to support reading pihole password and/or api key from docker secrets.

  • https://docs.docker.com/engine/swarm/secrets/#build-support-for-docker-secrets-into-your-images

The "standard" way would be to support a PIHOLE_PASSWORD_FILE env var, and read the file contents into the configuration, falling back to the existing variable.

For reference, here is the PR which added this support to pihole itself:

  • https://github.com/pi-hole/docker-pi-hole/pull/584

Steps for Reproduction

  1. Setup the following docker-compose
version: '3.8'

services:

  pihole:
    image: pihole/pihole:v5.8.1
    environment:
      # pihole supports reading password from a mounted secret
      - WEBPASSWORD_FILE=/run/secrets/pihole-password
    secrets:
      - pihole-password
    # other pihole configuration, ports etc

  pihole-exporter:
    image: ekofr/pihole-exporter:v0.0.11
    environment:
      - PIHOLE_HOSTNAME=pihole
      - PIHOLE_PASSWORD_FILE=/run/secrets/pihole-password
    secrets:
      - pihole-password

secrets:
  pihole-password:
    external: true
  1. Create the docker secret
$ echo "hunter2" | docker secret create pihole-password
  1. Deploy the stack
$ docker stack deploy -c docker-compose.yml test

Expected behavior: pihole-exporter would read the contents of /run/secrets/pihole-password as the password

Actual behavior: PIHOLE_PASSWORD_FILE is ignored; exporter returns only the "unauthenticated" metrics.

Platforms: Docker swarm cluster.

Versions: ekofr/pihole-exporter:v0.0.11

jeremyhayes avatar Aug 15 '21 21:08 jeremyhayes

would love to see this implemented!

moritzj29 avatar Oct 02 '22 18:10 moritzj29

Thanks to you @jeremyhayes and to https://github.com/pi-hole/docker-pi-hole/pull/584 it was easy to find a quick workaround to this:

FROM ekofr/pihole-exporter:v0.4.0 as source

FROM alpine:3.17

RUN apk update --no-cache && apk add bash

COPY --from=source /root/pihole-exporter /root/pihole-exporter
COPY start.sh /root/start.sh

CMD /root/start.sh

#!/bin/bash

# See: https://github.com/pi-hole/docker-pi-hole/pull/584
load_password_secret() {
   # If PIHOLE_PASSWORD is not set at all, attempt to read password from PIHOLE_PASSWORD_FILE,
   # allowing secrets to be passed via docker secrets
   if [ -z "${PIHOLE_PASSWORD+x}" ] && [ -n "${PIHOLE_PASSWORD_FILE}" ] && [ -r "${PIHOLE_PASSWORD_FILE}" ]; then
     export PIHOLE_PASSWORD=$(<"${PIHOLE_PASSWORD_FILE}")
   fi;
}

load_password_secret

exec /root/pihole-exporter

lebenitza avatar Mar 19 '23 17:03 lebenitza