How to handle secret injection #110

Closed
Pascal-Orthopy opened this issue Sep 30, 2022 · 9 comments

@Pascal-Orthopy

Pascal-Orthopy commented Sep 30, 2022

Hi all,

We are running Nhost v2 in a self-hosted Kubernetes cluster and using a vault that can only inject secrets (S3_ACCESS_KEY, S3_SECRET_KEY, ...) as a file. With all other services (hasura, hasura-auth) it was easy because we can override the entrypoint and run the injected file as a script and then run the original command (example: /bin/sh /secrets/env pnpm run start).

But with Hasura-Storage we have some problems. Is there any way to inject Secrets (it's only one volume) and use this injected file as a script before starting the Hasura storage server?

We also saw that there is a "-config" flag, but I can't find any more information about this flag.
Maybe this could be the way to inject a config file with all secrets?

@Pascal-Orthopy
Author

After some research, it should be possible to set up a .env file as config file that is read by viper.

https://github.com/nhost/hasura-storage/blob/main/cmd/root.go#L48

But how is this done? I mounted a volume and tried to set it as config file:

docker run -v "/Users/ph/Documents/project/secrets:/secrets" --rm -i -t nhost/hasura-storage:0.2.4 serve --debug --config "/secrets/.env"

But in the output it shows that it has not reached the correct condition:
[Screenshot, 2022-09-30 15:35:11]

The condition always ends up in this block
https://github.com/nhost/hasura-storage/blob/main/cmd/root.go#L51

What is needed to set this part?
https://github.com/nhost/hasura-storage/blob/main/cmd/root.go#L46

Sorry, but I am not familiar with go-lang :/

@dbarrosop
Member

dbarrosop commented Oct 1, 2022

Hello,
Looks like we weren't reading configuration files properly; #111 should fix it. You can build a docker image with make build-docker-image (takes a while as it needs to build libvips).

With that fixed you can just pass a configuration file with whatever contents you want, just match the keys with the flag names. For instance:

# hasura-storage.yaml

---
s3-access-key: asdasdas
s3-secret-key: qweqweqw
s3-bucket: my-bucket

And then start the container as you were attempting:

docker run \
    -v "/path/to/secret/:/config" \
    --rm -it \
    $IMAGE \
        serve --config=/config/hasura-storage.yaml --debug
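
Added example (not from the thread or the hasura-storage project): for a vault that injects an env-style file, as in the question, this POSIX shell function converts it into the YAML config file described above by parsing it rather than executing it, and writes the result readable by the owner only. It assumes each variable name maps to its flag name by lowercasing and replacing `_` with `-`, as with the three S3 keys in the thread; `env_to_yaml` and `write_config` are hypothetical names.

```shell
#!/bin/sh
# env_to_yaml: read KEY=VALUE lines (optionally prefixed with "export ") on
# stdin and print a YAML mapping on stdout. The input is parsed, never
# sourced, so nothing in the injected file is executed by the shell.
# Assumption: flag name = variable name lowercased with "_" replaced by "-".
env_to_yaml() {
    printf '%s\n' '---'
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case $line in ''|'#'*) continue ;; esac
        line=${line#export }
        case $line in
            *=*) ;;
            *) echo "env_to_yaml: line is not KEY=VALUE, refusing" >&2; return 1 ;;
        esac
        key=${line%%=*}   # text before the first "="
        val=${line#*=}    # everything after it (may itself contain "=")
        # Accept only plain variable names as keys.
        case $key in
            ''|*[!A-Za-z0-9_]*) echo "env_to_yaml: invalid key" >&2; return 1 ;;
        esac
        # Strip one pair of surrounding quotes, if present.
        case $val in
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        key=$(printf '%s' "$key" | tr 'A-Z_' 'a-z-')
        # YAML single-quoted scalar: the only escape is '' for a literal '.
        val=$(printf '%s' "$val" | sed "s/'/''/g")
        printf "%s: '%s'\n" "$key" "$val"
    done
}

# write_config SRC DST: write DST with mode 0600 via a temp file, and leave
# no partial output behind if SRC is rejected.
write_config() (
    umask 077
    if env_to_yaml < "$1" > "$2.tmp"; then
        mv "$2.tmp" "$2"
    else
        rm -f "$2.tmp"
        exit 1
    fi
)
```

Run `write_config /secrets/env /config/hasura-storage.yaml` in an init step that shares the config volume, then start the server with `serve --config=/config/hasura-storage.yaml` as shown above.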

@Pascal-Orthopy
Author

Hello, thanks for the reply and the solution. Until you release the new version, I will build and test the image myself, just as you described.

@dbarrosop
Member

Let me know if it works, if it does I will release right away.

@Pascal-Orthopy
Author

@dbarrosop Seems to work, the configuration is used correctly.
I could only test it locally and there I have only a light setup.
Don't worry, the secrets in the screenshots are the same from this file, I just used it for the test:
[Screenshot, 2022-10-04 15:06:51]

@MaxSchilling

Hi @dbarrosop @elitan, any chance we might have a fresh release soon? :) Happy to provide instant feedback if it also works in our dev system then.

Many thanks!

@dbarrosop
Member

I am trying to release but GitHub Actions seems to be misbehaving and isn't running the release workflow. I will update here when I manage to get it running.

@dbarrosop
Member

Ok, new version has been released; docker.io/nhost/hasura-storage:0.2.5.

Let me know how it goes.

@Pascal-Orthopy
Author

@dbarrosop Thanks, it works and runs now in our system. I'll close this solved issue.
