Passing the OAuth settings as environment variables has the disadvantage that this sensitive information must be specified e.g. in docker-compose.yml. This file is typically checked into GitHub, which is discouraged when a file contains sensitive information.
docker-compose offers secrets as a better alternative. While the full power of secrets requires docker to run in swarm mode, secrets are useful even without swarm mode. As an example, see hk-influxdb.py and docker-compose.yml in housekeeping: In the docker-compose file the secret influxdb_token_write_housekeeping is defined:
The file ./secrets/influxdb_token_write_housekeeping.txt contains a single line with the (secret) token and is protected against upload to GitHub by a .gitignore file.
Still in docker-compose.yml, the secret is attached to the service hk-influxdb:
At runtime, the file ./secrets/influxdb_token_write_housekeeping.txt is available in the container as /run/secrets/influxdb_token_write_housekeeping. This filename is constructed from the name of the secret and passed into the container as the environment variable INFLUXDB_TOKEN_FILE.
In the container, the secret is used in hk-influxdb.py as follows:
import os

# Prefer the plain environment variable if it is set (discouraged, see above).
INFLUXDB_TOKEN = os.getenv("INFLUXDB_TOKEN")
if INFLUXDB_TOKEN is None:
    # Otherwise read the token from the file named by INFLUXDB_TOKEN_FILE,
    # i.e. the docker-compose secret mounted under /run/secrets/.
    INFLUXDB_TOKEN_FILE = os.getenv("INFLUXDB_TOKEN_FILE")
    with open(INFLUXDB_TOKEN_FILE) as pwfile:
        for line in pwfile:
            INFLUXDB_TOKEN = line.strip()
This allows INFLUXDB_TOKEN to be passed into the container as a normal environment variable (discouraged, see above). If the environment variable is not set, the token is read from INFLUXDB_TOKEN_FILE, which contains the content of the protected file ./secrets/influxdb_token_write_housekeeping.txt.
I suggest implementing such a behaviour for the sensitive parts of the OAuth settings in authn-proxy as well.
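The following is an added example illustrating the env-or-file pattern proposed above in a form that could be reused for several settings; it is not code from hk-influxdb.py or from authn-proxy. The variable names OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET are assumptions standing in for whatever authn-proxy actually calls its OAuth settings, and the demo writes a constructed token to a temporary file instead of reading a real /run/secrets/ mount. It also goes a little beyond the snippet above: a missing variable or file raises a clear error instead of open(None) failing, and the secret file must contain exactly one non-empty line.

```python
import os
import tempfile
from pathlib import Path


def load_secret(name: str, env=None) -> str:
    """Resolve secret NAME.

    Precedence, matching the hk-influxdb.py snippet above:
      1. the environment variable NAME itself (works, but discouraged)
      2. the environment variable NAME_FILE naming a file, typically a
         docker-compose secret mounted at /run/secrets/<secret-name>
    Unlike that snippet, an unset variable or a missing file is reported
    as an error, and the file must hold exactly one non-empty line so that
    a stray extra line is never silently used as the secret.
    """
    env = os.environ if env is None else env
    direct = env.get(name)
    if direct is not None:
        return direct
    path = env.get(f"{name}_FILE")
    if path is None:
        raise RuntimeError(f"neither {name} nor {name}_FILE is set")
    p = Path(path)
    if not p.is_file():
        raise RuntimeError(f"{name}_FILE points to {path}, which is not a readable file")
    lines = [ln.strip() for ln in p.read_text(encoding="utf-8").splitlines()]
    lines = [ln for ln in lines if ln]
    if len(lines) != 1:
        raise RuntimeError(f"{path} must contain exactly one non-empty line, found {len(lines)}")
    return lines[0]


def describe_secret(name: str, env=None) -> str:
    """Report where NAME came from without revealing its value; safe to log."""
    env = os.environ if env is None else env
    if env.get(name) is not None:
        return f"{name}: from environment variable (discouraged)"
    if env.get(f"{name}_FILE") is not None:
        return f"{name}: from file {env[name + '_FILE']}"
    return f"{name}: not configured"


# Hypothetical variable names for authn-proxy's OAuth settings (assumption,
# not taken from the issue); the real names are whatever authn-proxy uses.
OAUTH_SETTINGS = ("OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET")


def load_oauth_settings(env=None) -> dict:
    """Load every OAuth setting through load_secret, so each one may come
    either from a plain variable or from a *_FILE docker-compose secret."""
    return {name: load_secret(name, env) for name in OAUTH_SETTINGS}


def demo() -> dict:
    """Constructed, self-contained run: writes a fake secret to a temporary
    file (standing in for /run/secrets/...) and resolves both settings."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = Path(tmp) / "oauth_client_secret"
        secret_file.write_text("s3cr3t-value\n", encoding="utf-8")
        env = {
            "OAUTH_CLIENT_ID": "my-client-id",             # plain variable
            "OAUTH_CLIENT_SECRET_FILE": str(secret_file),  # file-backed secret
        }
        settings = load_oauth_settings(env)
        sources = [describe_secret(n, env) for n in OAUTH_SETTINGS]
        return {"settings": settings, "sources": sources}


if __name__ == "__main__":
    for line in demo()["sources"]:
        print(line)  # only the provenance is printed, never the secret values
```

Passing an explicit env mapping keeps the functions testable without touching the real process environment; in the container, calling them with the default uses os.environ, so a service definition that sets OAUTH_CLIENT_SECRET_FILE to /run/secrets/<secret-name> works exactly like the INFLUXDB_TOKEN_FILE case above.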