
Secrets?

Open STaRDoGG opened this issue 5 years ago • 5 comments

Does Gotify support docker secrets? In particular for the GOTIFY_DEFAULTUSER_PASS variable? I've looked at the docs but see no reference. If not, can it be added?

STaRDoGG avatar Feb 17 '21 01:02 STaRDoGG

No this is probably not supported currently, but you can easily change the password after the container is started.

jmattheis avatar Feb 17 '21 17:02 jmattheis

Here's an example of how to add it in, if you're interested: https://github.com/wallabag/docker/pull/248/files

STaRDoGG avatar Feb 18 '21 22:02 STaRDoGG

I might have misunderstood the use case, if so I apologize in advance. But in kubernetes you can set environment variables to be loaded from secrets and surely docker can do the same (I assumed). Found this: https://docs.docker.com/engine/swarm/secrets/#advanced-example-use-secrets-with-a-wordpress-service It explains how to set environment variables using docker secrets.

SweBarre avatar Jul 14 '22 19:07 SweBarre

For now I'm using this hack:

name: Notifications

services:
  gotify:
    image: gotify/server
    # Hack to get around the lack of secret support in Gotify
    entrypoint: ['/bin/sh', '-c', 'GOTIFY_DEFAULTUSER_PASS=$(cat /run/secrets/admin_password) ./gotify-app']
    secrets:
      - admin_password

secrets:
  admin_password:
    file: ./secrets/admin_password

It is not clean at all, but it works.

@jmattheis I reckon it could be a nice addition to configor; having a way to indicate that a configuration field can be either burnt in or specified through a filepath. A flag on the parameter that allows the config file (or env variables) to specify PREFIX_CATEGORY_FIELD-FILE=/blah or

category:
  field-file: /blah

If the field-file is specified, override the content of field with the content of the indicated file. This way some variables (secret ones) can be filled in through the docker secret system (which uses files)


@SweBarre FWIW, in the example you gave, the reason MYSQL_ROOT_PASSWORD_FILE, etc. work is because the entrypoint of the mysql docker image (entrypoint.sh) has a file_env function:

# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
	local var="$1"
	local fileVar="${var}_FILE"
	local def="${2:-}"
	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
		mysql_error "Both $var and $fileVar are set (but are exclusive)"
	fi
	local val="$def"
	if [ "${!var:-}" ]; then
		val="${!var}"
	elif [ "${!fileVar:-}" ]; then
		val="$(< "${!fileVar}")"
	fi
	export "$var"="$val"
	unset "$fileVar"
}

This does what @STaRDoGG suggested; the problem is that gotify doesn't have an entrypoint file (it's all Go), so two options are available:

  • Create an entrypoint shell script which will load the env variables
  • Allow the native application to understand that some entries are provided as files rather than direct env variables (or config entries)

ColinHebert avatar Dec 26 '22 13:12 ColinHebert
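The first of the two options above (a shell entrypoint that resolves VAR_FILE into VAR and then starts the server), written out as an added example; this is not gotify's code and not code from anyone in this thread. It ports the mysql image's file_env to POSIX sh, because the gotify image ships busybox ash rather than bash and ash has no ${!var} indirection. Assumptions: the binary lives at /app/gotify-app, as the ./gotify-app in the compose hack above implies; the secret file is the one the compose hack mounts at /run/secrets/admin_password; and GOTIFY_DATABASE_CONNECTION and GOTIFY_DEFAULTUSER_NAME are gotify's own env names for its database DSN and default user name. The value written to the secret file in the self-test is constructed.

```shell
#!/bin/sh
# Added example entrypoint (not gotify's code): implements the VAR_FILE
# convention from the mysql image for gotify settings in POSIX sh (busybox
# ash), then execs the real binary. Assumes /app/gotify-app (see lead-in).
set -eu

# file_env VAR [DEFAULT]
# If VAR_FILE is set, fill VAR from that file's contents; VAR and VAR_FILE
# are mutually exclusive. POSIX sh has no ${!var} indirection, so eval is
# used; the name is validated first so a crafted name cannot inject shell.
file_env() {
    var=$1
    def=${2:-}
    file_var="${var}_FILE"
    case $var in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "file_env: invalid variable name '$var'" >&2
            return 1 ;;
    esac
    eval "val=\${$var:-}"
    eval "file_val=\${$file_var:-}"
    if [ -n "$val" ] && [ -n "$file_val" ]; then
        echo "file_env: both $var and $file_var are set (but are exclusive)" >&2
        return 1
    fi
    if [ -n "$file_val" ]; then
        if [ ! -r "$file_val" ]; then
            echo "file_env: $file_var points at unreadable file '$file_val'" >&2
            return 1
        fi
        # $(...) strips trailing newlines, which a secret file written with
        # an editor usually has and which must not become part of the password.
        val=$(cat "$file_val")
    elif [ -z "$val" ]; then
        val=$def
    fi
    export "$var=$val"
    unset "$file_var"
}

# Settings that may arrive as docker secrets. GOTIFY_DEFAULTUSER_PASS is the
# one this issue asks about; GOTIFY_DATABASE_CONNECTION is included because
# a non-sqlite DSN carries a database password (assumed env name, see lead-in).
resolve_gotify_secrets() {
    file_env GOTIFY_DEFAULTUSER_PASS
    file_env GOTIFY_DATABASE_CONNECTION
}

# Self-check used when the script runs outside the image: a constructed secret
# file stands in for /run/secrets/admin_password. Runs in a subshell so the
# caller's environment is untouched; exits 0 when resolution behaves.
selftest() (
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    printf 'correct horse battery staple\n' > "$tmp"   # constructed secret
    unset GOTIFY_DEFAULTUSER_PASS
    export GOTIFY_DEFAULTUSER_PASS_FILE="$tmp"
    resolve_gotify_secrets
    [ "$GOTIFY_DEFAULTUSER_PASS" = 'correct horse battery staple' ] || exit 1
    [ -z "${GOTIFY_DEFAULTUSER_PASS_FILE:-}" ] || exit 1
    # Setting both forms must be rejected rather than silently picking one.
    export GOTIFY_DEFAULTUSER_PASS_FILE="$tmp"
    if file_env GOTIFY_DEFAULTUSER_PASS 2>/dev/null; then exit 1; fi
    echo "selftest: ok"
)

if [ -x /app/gotify-app ]; then
    # Inside the gotify image: resolve secrets, then replace this shell with
    # the server so it keeps PID 1 and receives signals directly.
    resolve_gotify_secrets
    exec /app/gotify-app "$@"
fi
selftest
```

To wire it in, mount or COPY the script into the image and set `entrypoint: ["/entrypoint.sh"]` in the compose service, then pass `GOTIFY_DEFAULTUSER_PASS_FILE=/run/secrets/admin_password` in `environment:`; the existing `secrets:` stanza from the compose hack above stays as it is. One caveat that applies equally to the sh -c hack in the thread: the resolved password still ends up in the gotify process's environment, readable from /proc/<pid>/environ by whoever runs as the container's user. What the secret mechanism buys is that the value no longer sits in the compose file, the image, or `docker inspect` output.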