
Use Docker Secrets for Credentials

Open. DransfeldSK opened this issue 6 years ago. 10 comments

Please add an option to read the admin and user passwords from a file.

Using a file's contents allows for integration with Docker Secret Store, which enables deterministic credentials for administration purposes instead of a random password generated at container init, or worse, plaintext passwords within Docker Stack definitions.

Common convention is to use separate ENV variables suffixed with _FILE to define the path of files containing the information otherwise passed as plain text ENV variables.

https://github.com/influxdata/influxdata-docker/blob/56529df4a46eaac4a83c87d9f36f3ba328b4676a/influxdb/1.7/init-influxdb.sh#L21

DransfeldSK, May 27 '19 11:05

@Influxdata Any news on this topic?

Maybe this from MariaDB is useful:

# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
	local var="$1"
	local fileVar="${var}_FILE"
	local def="${2:-}"
	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
		mysql_error "Both $var and $fileVar are set (but are exclusive)"
	fi
	local val="$def"
	if [ "${!var:-}" ]; then
		val="${!var}"
	elif [ "${!fileVar:-}" ]; then
		val="$(< "${!fileVar}")"
	fi
	export "$var"="$val"
	unset "$fileVar"
}

https://github.com/MariaDB/mariadb-docker/blob/d7ffe9456c0ac967edca9515a377b08c5bc58309/docker-entrypoint.sh#L21-L40

rafi0101, Dec 29 '21 11:12

I would also like to know if there are any plans to implement this in the future.

Did anybody get this working with the snippet linked by @rafi0101?

r3dpan, Feb 18 '22 23:02

@maxi017 I was able to with some trial and error. I used this article for reference. Make sure the docker-entrypoint.sh file is executable and add any other variables you want to be able to use as a secret.

docker-entrypoint.sh

#!/bin/bash

set -e

# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
	local var="$1"
	local fileVar="${var}_FILE"
	local def="${2:-}"
	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
		exit 1
	fi
	local val="$def"
	if [ "${!var:-}" ]; then
		val="${!var}"
	elif [ "${!fileVar:-}" ]; then
		val="$(< "${!fileVar}")"
	fi
	export "$var"="$val"
	unset "$fileVar"
}

file_env 'DOCKER_INFLUXDB_INIT_PASSWORD'
file_env 'DOCKER_INFLUXDB_INIT_ADMIN_TOKEN'

exec "$@"

excerpt of docker compose

influxdb:
    image: influxdb:2.1.1
    entrypoint: /docker-entrypoint.sh /entrypoint.sh
    environment:
      DOCKER_INFLUXDB_INIT_MODE: setup
      DOCKER_INFLUXDB_INIT_USERNAME: admin
      DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/INFLUXDB_INIT_PASSWORD
      DOCKER_INFLUXDB_INIT_ORG: home
      DOCKER_INFLUXDB_INIT_BUCKET: telegraf
      DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE: /run/secrets/INFLUXDB_INIT_ADMIN_TOKEN
    secrets:
      - INFLUXDB_INIT_PASSWORD
      - INFLUXDB_INIT_ADMIN_TOKEN
    volumes:
      - ./docker-entrypoint.sh:/docker-entrypoint.sh
    networks:
      - influxdb
    ports:
      - 8086:8086

EnochPrime, Mar 03 '22 22:03

Any plan to support this natively? Having to override the entrypoint is not always possible :(

Thanks!

lcardito, Mar 10 '22 09:03

Another workaround is to add the following key in your InfluxDB service:

entrypoint: sh -c "export DOCKER_INFLUXDB_INIT_USERNAME=`cat /var/run/secrets/username`; export DOCKER_INFLUXDB_INIT_PASSWORD=`cat /var/run/secrets/password`; /entrypoint.sh"

But that still depends on knowledge of the internal InfluxDB implementation (naming and location of the /entrypoint.sh file). Support for a secret file env var as proposed in the current issue would be neater.

Thierry61, May 28 '22 10:05
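The two workarounds above (the file_env entrypoint and the inline sh -c with `cat`) share one weak spot: if the secret file is missing, empty, or turns into a directory because a bind-mounted host file did not exist, the init step silently runs with an empty password or token. The following is an added example, not code from the influxdata-docker project or from any commenter, of a VAR/VAR_FILE loader in the same spirit as file_env, written in POSIX sh and with the checks an operator wants before the value reaches the init step. The DOCKER_INFLUXDB_INIT_* names are the ones used in this thread; the demo function and the sample secret values are made up for this example.

```shell
#!/bin/sh
# Added example (not from the influxdata-docker project): VAR/VAR_FILE loader
# with validation. POSIX sh so it does not depend on bash indirection.
set -eu

# usage: file_env VAR [DEFAULT]
# Resolves VAR from the plain env var, else from the file named by VAR_FILE,
# else DEFAULT. Returns 1 (and prints why) when:
#   - both VAR and VAR_FILE are set (ambiguous which one wins)
#   - VAR_FILE is not a readable regular file (a missing host-side secret in
#     a bind mount shows up as a directory, which -f rejects)
#   - the secret file is empty
# On success VAR is exported and VAR_FILE is unset so the path is not
# inherited by the process that is exec'd afterwards.
file_env() {
    var="$1"
    fileVar="${var}_FILE"
    def="${2:-}"
    eval "cur=\${$var:-}"        # value of VAR, if any
    eval "path=\${$fileVar:-}"   # value of VAR_FILE, if any
    if [ -n "$cur" ] && [ -n "$path" ]; then
        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
        return 1
    fi
    val="$def"
    if [ -n "$cur" ]; then
        val="$cur"
    elif [ -n "$path" ]; then
        if [ ! -f "$path" ] || [ ! -r "$path" ]; then
            echo >&2 "error: $fileVar=$path is not a readable regular file"
            return 1
        fi
        # command substitution strips trailing newlines, so a secret written
        # with `echo value > file` does not end up with "\n" in the password
        val="$(cat "$path")"
        if [ -z "$val" ]; then
            echo >&2 "error: secret file $path is empty"
            return 1
        fi
    fi
    export "$var=$val"
    unset "$fileVar"
}

# Constructed demo: a secret with a trailing newline in a temp dir, resolved
# the way an entrypoint would, followed by two rejected configurations.
demo() {
    dir="$(mktemp -d)"
    printf 's3cr3t-from-file\n' > "$dir/password"   # constructed value

    ( export DOCKER_INFLUXDB_INIT_PASSWORD_FILE="$dir/password"
      file_env DOCKER_INFLUXDB_INIT_PASSWORD
      echo "resolved: [$DOCKER_INFLUXDB_INIT_PASSWORD] _FILE now: [${DOCKER_INFLUXDB_INIT_PASSWORD_FILE:-unset}]" )

    ( export DOCKER_INFLUXDB_INIT_PASSWORD=plain DOCKER_INFLUXDB_INIT_PASSWORD_FILE="$dir/password"
      file_env DOCKER_INFLUXDB_INIT_PASSWORD || echo "rejected: plain and _FILE both set" )

    ( export DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE="$dir/missing"
      file_env DOCKER_INFLUXDB_INIT_ADMIN_TOKEN || echo "rejected: _FILE names a missing file" )

    rm -rf "$dir"
}

demo
```

Used as an entrypoint wrapper, the calls would be `file_env DOCKER_INFLUXDB_INIT_PASSWORD` and `file_env DOCKER_INFLUXDB_INIT_ADMIN_TOKEN` followed by `exec "$@"`, exactly as in the entrypoint posted above; because a failed resolution returns non-zero under `set -e`, the container stops at that point instead of completing setup with an empty credential.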

I would like this feature as well to further harden my containers.

Rick-van-Dam, Oct 09 '22 17:10

This (seems) to be fixed for DOCKER_INFLUXDB_INIT_USERNAME and DOCKER_INFLUXDB_INIT_PASSWORD, having *_FILE versions to support secrets, in the entrypoint.sh. Could we get a similar thing for DOCKER_INFLUXDB_INIT_ADMIN_TOKEN as well? Currently using:

entrypoint: bash -c 'export repl="if [ -n \"\$${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}\" ]; then [ -e \"\$${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}\" ] && DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=\$$(cat \"\$${DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE}\") || echo \"DOCKER_INFLUXDB_INIT_ADMIN_TOKEN_FILE defined, but file not existing, skipping.\"; fi" ; sed -i -e "/DOCKER_INFLUXDB_INIT_USERNAME_FILE/a $$repl" /entrypoint.sh; /entrypoint.sh'

mxmeeple, Feb 15 '23 03:02

Started PR for this: #670

mxmeeple, Feb 22 '23 17:02

This seems to have been fixed in #627.

jaylinski, May 20 '23 19:05