Skip to content

Add option to pass secrets as files #256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bryopsida opened this issue Jun 2, 2024 · 4 comments · May be fixed by #276
Open

Add option to pass secrets as files #256

bryopsida opened this issue Jun 2, 2024 · 4 comments · May be fixed by #276

Comments

@bryopsida
Copy link

Expected Behavior

I'd like an option to pass secret values as files when appending _FILE after the current environment variable used for the value.

This behavior is consistent with other images such as MySQL, PostgreSQL (see the docker secrets section in the readme files for both).

Related to: apache/couchdb-helm#140

Current Behavior

Currently, the secret values can only be passed through environment variables which can be problematic when benchmark/scanner tools are used, see: https://avd.aquasec.com/compliance/kubernetes/cis-kubernetes-benchmarks-v1.23-1.23/5.4.1/ or bind mounts.

Enabling the _FILE option would allow for a cleaner implementation in the chart and is consistent with other official docker image behavior.

Possible Solution

The docker entry point could be updated to use COUCHDB_ADMIN_USER_FILE, COUCHDB_SECRET_FILE etc environment variables which have the path to a file holding the actual secret value.
@MichaelBrunn3r
Copy link

MichaelBrunn3r commented Jun 6, 2024
edited
Loading

An alternative could be a URI-like format like authentik uses (https://docs.goauthentik.io/docs/installation/configuration#about-authentik-configurations).

services:
  couchdb:
    environment:
      # Original solution 
      COUCHDB_SECRET_FILE: /run/secrets/COUCHDB_SECRET
      # Solution like Authentik
      COUCHDB_SECRET: file:///run/secrets/COUCHDB_SECRET

I have seen your solution more often and it should be easier to implement, so I would prefer it. Just wanted to show a possible alternative.

@janl
Copy link
Member

janl commented Sep 28, 2024

I’d look at a PR for this, if you’d make one :)

@janl janl mentioned this issue Sep 28, 2024
Closed
@Axolord
Copy link

Axolord commented Dec 10, 2024

Why did #205 not get merged?

@bryopsida bryopsida linked a pull request Feb 2, 2025 that will close this issue
Draft
3 tasks
@bryopsida
Copy link
Author

I created a draft PR here: #276 and am curious if this approach would be acceptable before I go further with it. Also I'm currently hitting some issues testing it due to the image build process breaking on my m1 laptop but should be able to move over to a x86 box to wrap the PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Add ability to load secrets from files bryopsida/couchdb-docker
4 participants
@janl @bryopsida @MichaelBrunn3r @Axolord