
Native handling of docker secrets

Open EnsuingRequiem opened this issue 1 year ago • 1 comments

Is your feature request related to a problem? Please describe.
The only "problem" is the plain-text storage of secrets.

Describe the solution you'd like
A native implementation to pull sensitive information from Docker secrets. This can be done either in the existing docker-entrypoint.sh or some Ruby-specific method.

Describe alternatives you've considered
Indirect parameter extension via a custom entrypoint.sh prior to the existing ENTRYPOINT and CMD entries in the Dockerfile. While this approach technically works, it created other unforeseen issues with the flipper_gates table and/or validate_secret_key_base (as discovered and discussed in the Matrix chat).

Additional context
Typically, Docker secrets are bind-mounted to a file on /run/secrets/<secret name> with the file being owned by the uid running the container. Approaches in other images typically involve allowing a user to set either the base environment variable (e.g., SECRET_KEY_BASE) or an environment variable pointing to the path to find the contents (e.g., SECRET_KEY_BASE_FILE).

EnsuingRequiem, May 30 '24 14:05

Thanks - I'll take a look into this!

Floppy, Jun 05 '24 09:06
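
The SECRET_KEY_BASE / SECRET_KEY_BASE_FILE convention described in the issue, written as a shell helper that an entrypoint script could call before starting the application. This is an added example, not code from the manyfold project or its docker-entrypoint.sh; the function name `load_secret` is hypothetical, and the choice to reject the case where both variables are set is an assumption about the desired behaviour.

```shell
#!/bin/sh
# Added example (not project code): resolve NAME from NAME_FILE.

# load_secret NAME [DEFAULT]
# Exports NAME from, in order: NAME itself, the file named by NAME_FILE, DEFAULT.
# Returns non-zero, exporting nothing, on ambiguous, unreadable or empty input.
load_secret() {
    name=$1
    default=${2-}

    # Accept plain identifiers only, because the name is passed to eval below.
    case $name in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "load_secret: invalid variable name" >&2
            return 2 ;;
    esac

    eval "direct=\${$name-}"
    eval "secret_path=\${${name}_FILE-}"

    # Two sources for one secret is a configuration mistake; fail loudly.
    if [ -n "$direct" ] && [ -n "$secret_path" ]; then
        echo "load_secret: $name and ${name}_FILE are both set" >&2
        return 1
    fi

    if [ -n "$secret_path" ]; then
        if [ ! -f "$secret_path" ] || [ ! -r "$secret_path" ]; then
            echo "load_secret: cannot read ${name}_FILE ($secret_path)" >&2
            return 1
        fi
        # Command substitution strips the trailing newline secret files often carry.
        value=$(cat "$secret_path") || return 1
    else
        value=${direct:-$default}
    fi

    if [ -z "$value" ]; then
        echo "load_secret: $name resolved to an empty value" >&2
        return 1
    fi

    export "$name=$value"
    # Drop the path variable so child processes see only the resolved value.
    unset "${name}_FILE" value direct
}
```

An entrypoint would call `load_secret SECRET_KEY_BASE || exit 1` before the final `exec`, so a missing or unreadable file under /run/secrets stops the container at startup instead of letting the application start with an empty key.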