Secrets? #392

Open
STaRDoGG opened this issue Feb 17, 2021 · 4 comments
Labels
question Further information is requested

Comments

@STaRDoGG

Does Gotify support docker secrets? In particular for the GOTIFY_DEFAULTUSER_PASS variable? I've looked at the docs but see no reference. If not, can it be added?

@STaRDoGG STaRDoGG added the question Further information is requested label Feb 17, 2021
@jmattheis
Member

No, this is probably not supported currently, but you can easily change the password after the container is started.

@STaRDoGG
Author

Here's an example of how to add it in, if you're interested: https://github.com/wallabag/docker/pull/248/files

@SweBarre

I might have misunderstood the use case, if so I apologize in advance.
But in Kubernetes you can set environment variables to be loaded from secrets and surely Docker can do the same (I assumed).
Found this: https://docs.docker.com/engine/swarm/secrets/#advanced-example-use-secrets-with-a-wordpress-service
It explains how to set environment variables using docker secrets.

@ColinHebert

ColinHebert commented Dec 26, 2022

For now I'm using this hack:

name: Notifications

services:
  gotify:
    image: gotify/server
    # Hack to get around the lack of secret support in Gotify
    entrypoint: ['/bin/sh', '-c', 'GOTIFY_DEFAULTUSER_PASS=$(cat /run/secrets/admin_password) ./gotify-app']
    secrets:
      - admin_password

secrets:
  admin_password:
    file: ./secrets/admin_password

It is not clean at all, but it works.

@jmattheis I reckon it could be a nice addition to configor; having a way to indicate that a configuration field can be either burnt in or specified through a filepath.
A flag on the parameter that allows the config file (or env variables) to specify PREFIX_CATEGORY_FIELD-FILE=/blah or

category:
  field-file: /blah

If the field-file is specified, override the content of field with the content of the indicated file.
This way some variables (secret ones) can be filled in through the docker secret system (which uses files).


@SweBarre FWIW, in the example you gave, the reason MYSQL_ROOT_PASSWORD_FILE, etc. work is because the entrypoint of the mysql docker image (entrypoint.sh) has a file_env function:

# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
	local var="$1"
	local fileVar="${var}_FILE"
	local def="${2:-}"
	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
		mysql_error "Both $var and $fileVar are set (but are exclusive)"
	fi
	local val="$def"
	if [ "${!var:-}" ]; then
		val="${!var}"
	elif [ "${!fileVar:-}" ]; then
		val="$(< "${!fileVar}")"
	fi
	export "$var"="$val"
	unset "$fileVar"
}

Which does what @STaRDoGG suggested; the problem is gotify doesn't have an entrypoint file, it's all in golang, so two options are available:

  • Create an entrypoint shell script which will load the env variables
  • Allow the native application to understand that some entries are provided as files rather than direct env variables (or config entries)
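
The first option above, as an added example that is not part of the original thread or of Gotify's code: a POSIX sh version of `file_env` (the quoted helper relies on bash's `${!var}`, while the hack above runs under `/bin/sh`). The entrypoint script itself and the `GOTIFY_DEFAULTUSER_PASS_FILE` variable are assumptions; Gotify does not define either.

```shell
#!/bin/sh
# Added example: POSIX sh port of the file_env helper quoted above.
# Assumption: used as the image entrypoint with the server command as CMD.

# usage: file_env VAR [DEFAULT]
# Fills $VAR from the file named by $VAR_FILE (e.g. a Docker secret).
file_env() {
    _fe_var=${1:-}
    _fe_def=${2:-}
    # The name is passed to eval below, so accept only a plain identifier.
    case $_fe_var in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "file_env: invalid variable name" >&2
            return 2 ;;
    esac
    _fe_file_var="${_fe_var}_FILE"
    # POSIX sh has no ${!var}; eval performs the indirect lookup.
    eval "_fe_cur=\${$_fe_var:-}"
    eval "_fe_path=\${$_fe_file_var:-}"
    if [ -n "$_fe_cur" ] && [ -n "$_fe_path" ]; then
        echo "file_env: both $_fe_var and $_fe_file_var are set (but are exclusive)" >&2
        return 1
    fi
    _fe_val=$_fe_def
    if [ -n "$_fe_cur" ]; then
        _fe_val=$_fe_cur
    elif [ -n "$_fe_path" ]; then
        if [ ! -r "$_fe_path" ]; then
            echo "file_env: cannot read $_fe_path" >&2
            return 1
        fi
        # Command substitution strips the trailing newline of the secret file.
        _fe_val=$(cat "$_fe_path")
    fi
    export "$_fe_var=$_fe_val"
    # Drop the *_FILE variable and the helper copies of the secret.
    unset "$_fe_file_var" _fe_cur _fe_val
}

# Docker passes CMD as "$@"; with no command there is nothing to start.
if [ "$#" -gt 0 ]; then
    file_env GOTIFY_DEFAULTUSER_PASS || exit 1
    exec "$@"
fi
```

In the Compose file from the hack, this would replace the inline `sh -c` entrypoint: set `GOTIFY_DEFAULTUSER_PASS_FILE` to `/run/secrets/admin_password` and keep `./gotify-app` as the command.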
