yp05327 commented Feb 14, 2024

In #478, inlined content for config was supported.
Secrets and configs are using the same struct `FileObjectConfig`, so it can be easily implemented.

When I want to manage all secrets in one compose file, I noticed that I need to manage both compose files and the secrets files, as secrets only support reading from a file or environment variables.

@yp05327 yp05327 requested a review from ndeloof as a code owner February 14, 2024 03:02
Signed-off-by: yp05327 <576951401@qq.com>
@yp05327 yp05327 force-pushed the add-inline-content-for-secrets branch from ea1f490 to d238779 February 14, 2024 05:55

ndeloof (Collaborator) commented Feb 14, 2024

The reason inlined content was introduced for configs and not for secrets is that in most scenarios, a secret is local or dynamically generated and should not be committed with the main compose file. Also to be considered are the security risks of users misusing such a feature and actually pushing some real secrets to GitHub (yes, this happens, and at large scale).
Other than such considerations, I don't see any blocker here.

yp05327 (Author) commented Feb 15, 2024

I understand the security considerations. It depends on the user's knowledge. But warnings can be added in the docs.
Actually, there are no warnings about it in the docs now. So some users are still pushing secrets without realizing it.
On the other hand, users who know how to use this feature correctly have more choices and can do more things.
I'm doing some work on a Docker Compose based 'helm chart' which uses Go templates to generate Docker Compose files.
But I noticed that users can only create a secret file first, then link it in Docker Compose.
In k8s, they provide such a feature, and have security warnings about using secrets in the docs.
So if this feature can be supported, it will be awesome.

ndeloof (Collaborator) commented Jul 1, 2024

This feature would be useful as a workaround for docker/compose#11941

yp05327 (Author) commented Jul 1, 2024

As this PR was created 5 months ago, I updated the branch; let's check the CI result again.

@ndeloof ndeloof requested review from glours and jhrotko July 1, 2024 10:39

ndeloof (Collaborator) commented Jul 3, 2024

After debating this with the team, we don't want to risk that users would start using plain text secrets in their config file, even if well documented. So I'm closing this PR.

@ndeloof ndeloof closed this Jul 3, 2024

jvitor83 commented

@ndeloof this should be supported at least for config.
The secret use of content can still be blocked, but the config is a real and authentic way of use.
I think this can be reopened and changed to support at least for the config.

ndeloof (Collaborator) commented Oct 29, 2024

config already has support for inlined content
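
Added example, not part of the PR or the project's code: a line-based pre-commit style check that flags top-level `secrets` entries carrying an inline `content` key, the plain-text case discussed in this thread, while leaving `file`, `environment` and config `content` alone. It assumes block-style YAML indented with spaces; the function name and the sample compose file are constructed for illustration.

```python
import re

# Constructed sample compose file (not taken from the PR).
SAMPLE = """\
services:
  web:
    image: nginx
    secrets:
      - db_password
configs:
  app_conf:
    content: |
      debug=false
secrets:
  db_password:
    file: ./db_password.txt
  api_token:
    environment: API_TOKEN
  tls_key:
    content: "PLACEHOLDER-NOT-A-REAL-KEY"
"""

KEY = re.compile(r"\s*([A-Za-z0-9._-]+)\s*:")

def inline_secrets(compose_text):
    """Names of top-level `secrets` entries that define an inline `content` key."""
    flagged, in_secrets, name, name_indent = [], False, None, 0
    for line in compose_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or full-line comment
        indent = len(line) - len(line.lstrip(" "))
        key = KEY.match(line)
        if indent == 0:
            # A new top-level section starts; only `secrets:` is of interest.
            in_secrets = key is not None and key.group(1) == "secrets"
            name = None
        elif in_secrets and key is not None:
            if name is None or indent <= name_indent:
                name, name_indent = key.group(1), indent  # a secret's name
            elif key.group(1) == "content" and name not in flagged:
                flagged.append(name)  # inline plain-text value
    return flagged

if __name__ == "__main__":
    for secret in inline_secrets(SAMPLE):
        print(f"secret '{secret}' uses inline content; use file or environment")
```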
