
[Feature] Add Docker Secrets support #275

Merged

Contributor

@Psycho0verload Psycho0verload commented Oct 22, 2023

Implementation of Docker Secrets for BORG Environment Variables

Related to Ticket #47 and PR #246, a possible implementation of Docker Secrets is provided here. This implementation has been rigorously tested and documented. A key feature is that the use of standard environment variables within Docker commands or docker-compose.yml files is preserved. This ensures that those who do not wish to use Docker Secrets can continue to operate as before.

Functionality

The function iterates through all environment variables that begin with BORG, such as BORG_PASSPHRASE. It then looks for variables that end with _FILE. The contents of such a _FILE variable are written to a new variable, the name of which excludes the _FILE suffix.

Note

This implementation prioritizes Secrets over regularly set variables.

Debugging

@grantbevis for testing purposes, debugging capabilities have been added. To enable debugging, set the environment variable DEBUG_SECRETS=true.

Permissions

The script also works when the Docker-required chmod 600 permissions are set on the secret files.

Testing

Test 1

Environment:

    environment:
      - DEBUG_SECRETS=true
      - BORG_PASSPHRASE=OldSchoolEnvironment

Result:

borgmatic  | Before: BORG_PASSPHRASE: OldSchoolEnvironment
borgmatic  | Before: BORG_PASSPHRASE_FILE: 
borgmatic  | After: BORG_PASSPHRASE: OldSchoolEnvironment
borgmatic  | After: BORG_PASSPHRASE_FILE: 

Test 2

Environment:

    environment:
      - DEBUG_SECRETS=true
      - BORG_PASSPHRASE_FILE=/run/secrets/borg_passphrase
    secrets:
      - borg_passphrase
secrets:
  borg_passphrase:
    file: ./borg_passphrase

Result:

borgmatic  | Before: BORG_PASSPHRASE: 
borgmatic  | Before: BORG_PASSPHRASE_FILE: /run/secrets/borg_passphrase
borgmatic  | Setting BORG_PASSPHRASE from the content of /run/secrets/borg_passphrase
borgmatic  | Unsetting BORG_PASSPHRASE_FILE
borgmatic  | After: BORG_PASSPHRASE: ThisIsFromTheSecretFile
borgmatic  | After: BORG_PASSPHRASE_FILE: 

Test 3

Environment:

    environment:
      - DEBUG_SECRETS=true
      - BORG_PASSPHRASE=OldSchoolEnvironment
      - BORG_PASSPHRASE_FILE=
    secrets:
      - borg_passphrase
secrets:
  borg_passphrase:
    file: ./borg_passphrase

Result:

borgmatic  | Before: BORG_PASSPHRASE: OldSchoolEnvironment
borgmatic  | Before: BORG_PASSPHRASE_FILE: 
borgmatic  | Error: File  does not exist or is empty.
borgmatic  | After: BORG_PASSPHRASE: OldSchoolEnvironment
borgmatic  | After: BORG_PASSPHRASE_FILE: 

Test 4

Environment:

    environment:
      - DEBUG_SECRETS=true
      - BORG_PASSPHRASE=
      - BORG_PASSPHRASE_FILE=/run/secrets/borg_passphrase
    secrets:
      - borg_passphrase
secrets:
  borg_passphrase:
    file: ./borg_passphrase

Result:

borgmatic  | Before: BORG_PASSPHRASE: 
borgmatic  | Before: BORG_PASSPHRASE_FILE: /run/secrets/borg_passphrase
borgmatic  | Setting BORG_PASSPHRASE from the content of /run/secrets/borg_passphrase
borgmatic  | Unsetting BORG_PASSPHRASE_FILE
borgmatic  | After: BORG_PASSPHRASE: ThisIsFromTheSecretFile
borgmatic  | After: BORG_PASSPHRASE_FILE: 

Test 5

Environment:

    environment:
      - DEBUG_SECRETS=true
      - BORG_PASSPHRASE=
      - BORG_PASSPHRASE_FILE=/run/secrets/borg_passphrase
    secrets:
      - borg_passphrase
secrets:
  borg_passphrase:
    file: ./borg_passphrase

Result:

borgmatic  | Before: BORG_PASSPHRASE: OldSchoolEnvironment
borgmatic  | Before: BORG_PASSPHRASE_FILE: /run/secrets/borg_passphrase
borgmatic  | Note: BORG_PASSPHRASE was already set but is being overwritten by BORG_PASSPHRASE_FILE
borgmatic  | Setting BORG_PASSPHRASE from the content of /run/secrets/borg_passphrase
borgmatic  | Unsetting BORG_PASSPHRASE_FILE
borgmatic  | After: BORG_PASSPHRASE: ThisIsFromTheSecretFile
borgmatic  | After: BORG_PASSPHRASE_FILE: 
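The resolution logic described under Functionality, written out as an added example (this is not the PR's entrypoint code): every BORG_*_FILE variable is read, its content exported under the name without the _FILE suffix, the _FILE variable unset, and a missing or empty file reported as in Test 3. The function names load_borg_secrets and debug_secrets are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's own script. Mirrors the described behaviour:
# secrets win over plain variables, missing/empty files leave the variable alone.

debug_secrets() {
    # Print only when DEBUG_SECRETS=true, matching the PR's debug switch.
    [ "${DEBUG_SECRETS:-false}" = "true" ] && echo "$*" >&2
    return 0
}

# Returns 0 when every BORG_*_FILE variable was resolved, 1 if any file was
# missing or empty (that variable is left untouched, as in Test 3).
load_borg_secrets() {
    rc=0
    # Names only, restricted to the BORG_ prefix and _FILE suffix.
    for entry in $(env | grep -E '^BORG_[A-Z0-9_]*_FILE=' | cut -d= -f1 || true); do
        base="${entry%_FILE}"
        secret_file=$(printenv "$entry")
        debug_secrets "Before: $base: $(printenv "$base")"
        debug_secrets "Before: $entry: $secret_file"
        if [ ! -s "$secret_file" ]; then
            echo "Error: File $secret_file does not exist or is empty." >&2
            rc=1
            continue
        fi
        if [ -n "$(printenv "$base")" ]; then
            debug_secrets "Note: $base was already set but is being overwritten by $entry"
        fi
        debug_secrets "Setting $base from the content of $secret_file"
        # $(cat ...) drops the trailing newline, so the passphrase is the file body only.
        export "$base=$(cat "$secret_file")"
        debug_secrets "Unsetting $entry"
        unset "$entry"
        debug_secrets "After: $base: $(printenv "$base")"
    done
    return $rc
}
```

Run it as the first step of the container entrypoint, before borgmatic starts, so the passphrase reaches borg only through the environment and the file path never does.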

Collaborator

@grantbevis grantbevis left a comment

This looks really good thank you! I assume this is ready to merge? FYI @modem7

@modem7
Member

modem7 commented Oct 23, 2023

@grantbevis LGTM

@grantbevis grantbevis merged commit 5e0fb39 into borgmatic-collective:master Oct 23, 2023
@modem7 modem7 mentioned this pull request Feb 24, 2024