Feature request: pass cacert and tls-client-cert content as environment variables #1926
Comments
As a relatively convenient work-around it should be possible to use process substitution like this:
It is not secure to pass credentials as parameters on command line because other processes/users can see them on the process list (ps).
With the process substitution restic gets a file name like
The other problem with process substitution is that it is not part of POSIX shell, so only works in bash (and possibly zsh etc.).
In my use-case, I run restic in a Kubernetes cluster and also provide a deployment that offers a kind of restic shell for convenient interactive restores. Here, it would be helpful to accept the CA certificate as an environment variable so the user does not have to manually pass
hi @MichaelEischer
@root-ali Sure, go ahead.
@root-ali Are you still working on this? To be clear, the environment variable should contain the contents of the certificate rather than the file, correct? I noticed that the --cacert flag takes multiple certificate files. In the case of multiple certificates, how should the env variable store and separate the contents of multiple certs?
Hmm, my search for other software that reads the certificate directly from an environment variable barely provided any results. So I'm wondering whether it's a good idea to support passing the content of these files via an environment variable. Just passing the filename via an environment variable would be the much easier option and should also address some of the use cases. I think it would be enough to at least solve the use case of @stephan2012.
It's possible to concatenate multiple certificates into a single file. The certificate parsing currently uses
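An added example, not restic's code or the pull request mentioned in this thread: a PEM bundle held in an environment variable needs no separator between certificates, because each one carries its own BEGIN/END markers. The variable name `EXAMPLE_CACERT_PEM` and both functions are hypothetical, and the two certificates are generated at run time as constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// poolFromEnv parses every PEM certificate in the named variable; returns pool and count.
func poolFromEnv(name string) (*x509.CertPool, int, error) {
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode([]byte(os.Getenv(name))); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // e.g. a private key pasted by mistake
			return nil, 0, fmt.Errorf("%s: unexpected PEM block %q", name, block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("%s: %w", name, err)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 { // unset, empty, or not PEM at all
		return nil, 0, fmt.Errorf("%s: no certificate found", name)
	}
	return pool, n, nil
}

// selfSignedPEM builds a throwaway CA certificate (constructed sample input).
func selfSignedPEM(cn string) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	os.Setenv("EXAMPLE_CACERT_PEM", selfSignedPEM("ca-one")+selfSignedPEM("ca-two"))
	_, n, err := poolFromEnv("EXAMPLE_CACERT_PEM")
	fmt.Println("certificates loaded:", n, "error:", err)
}
```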
I've implemented this feature and I have created a pull request. However, this is my first time contributing to open source, so I am unsure about how and where to implement test cases for my changes. I am also unsure about the most appropriate location to update the docs. I added just two lines of code that will read two environment variables during initialization.
Output of restic version
restic 0.9.0 compiled with go1.10.2 on linux/amd64
restic 0.9.0 compiled with go1.10.2 on freebsd/amd64
What should restic do differently? Which functionality do you think we should add?
Instead of --cacert and --tls-client-cert it should be possible to pass the certificate content (not the filenames) as environment variables.
What are you trying to do?
I want to write a bash script to run restic connecting to rclone that contains all credentials needed to connect. Right now I am creating temporary files with the certs. That is a bit ugly.
Did restic help you or make you happy in any way?
I love restic (and rclone). I was very happy when I found it. Just a single working binary. No python dependencies. The feature set is awesome 👍