docker-traefik

Usage of docker secret CF_API_EMAIL_FILE

Open jo-me opened this issue 4 years ago • 2 comments

Hi, in your docker-config for the traefik service, you added secrets for cloudflare:

    environment:
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
    secrets:
      - cloudflare_email
      - cloudflare_api_key

However, in the command section the env variable is still used: https://github.com/htpcBeginner/docker-traefik/blob/2df69449e5e4ba504b09a6523a372f79fb65f266/docker-compose-t2.yml#L115

Can this be changed to CF_API_EMAIL_FILE or is the env variable not available when the command is executed?

jo-me, Oct 24 '20 18:10

They are in fact two different things. The cloudflare_email secret is the user account used to connect to cloudflare (which happens to be an email address). The CF_API_EMAIL_FILE and CF_API_KEY_FILE are required by the lego library used by Traefik. The acme.email, on the other hand, is the email traefik will pass to Let's Encrypt so they can notify you when the certificate expires. They don't have to be the same, so that is why Traefik is not reusing the environment variable.

For my part, I switched from CF_API_EMAIL_FILE and CF_API_KEY_FILE, which basically allow any operations on the cloudflare account, to CF_DNS_API_TOKEN_FILE, which is using a scoped API token (same as cloudflare-ddns and cloudflare-companion) which limits the operations allowed.

ptoulouse, Nov 05 '20 17:11

Also, if you try to use the secret in the command line as mentioned by @ptoulouse, it will appear as empty, I have found, when trying to move that to a secret.

This can cause you some headaches.

boywiz, Nov 05 '20 17:11
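
The setup discussed in this thread, sketched as an added example that is not from the repository or from any commenter: the scoped Cloudflare token is delivered as a Docker secret through CF_DNS_API_TOKEN_FILE, while the ACME contact email stays an ordinary value in `command:`. The resolver name `dns-cloudflare`, the image tag, the email address, the secret name and the host paths are assumptions.

```yaml
# Added illustration; resolver name, image tag, email, secret name and host
# paths are assumptions, not values from the repository.
services:
  traefik:
    image: traefik:v2.11   # assumed tag
    command:
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.dns-cloudflare.acme.storage=/acme.json
      # ACME contact address handed to Let's Encrypt. It is not a credential.
      # Compose substitutes $VARIABLES in `command:` on the host (shell
      # environment or .env file) before the container starts, so a value that
      # exists only as a file under /run/secrets cannot be referenced here and
      # expands to an empty string.
      - --certificatesresolvers.dns-cloudflare.acme.email=admin@example.com
    environment:
      # lego reads the token from this file inside the container, so the token
      # never appears in the container's environment or in `docker inspect`.
      # CF_API_EMAIL_FILE / CF_API_KEY_FILE (account-wide key) are not set.
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
    secrets:
      - cf_dns_api_token
    volumes:
      - ./acme/acme.json:/acme.json   # assumed host path; file mode 600

secrets:
  cf_dns_api_token:
    # Assumed host path. Restrict it to the owner (chmod 600) and keep it out
    # of version control. Create the token in Cloudflare with only the
    # Zone / DNS / Edit and Zone / Zone / Read permissions for the zones
    # Traefik issues certificates for.
    file: ./secrets/cf_dns_api_token
```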