
Add support for docker secrets #35

Closed
Zerwin opened this issue Apr 13, 2020 · 7 comments
Assignees
Labels
FEATURE New feature or request

Comments

@Zerwin

Zerwin commented Apr 13, 2020

Issue

Docker secrets aren't supported for Passwords.

Solution

It can be done similarly to how Postgres does it. Postgres allows 2 environment variables for reading the password, POSTGRES_PASSWORD and POSTGRES_PASSWORD_FILE.

The _FILE makes it so postgres reads the password from a file rather than taking the literal string. This allows docker secrets which are usually mounted in /run/secrets/example inside the container to be read and used for authentication to the database.

Docker-Taiga could also introduce an environment variable named TAIGA_DB_PASSWORD_FILE which then reads the password from a file.

Notes

I can gladly provide how my docker-compose looks to show an example of secret use (or how I would use it)

@blackandred
Contributor

blackandred commented Apr 13, 2020

Please if you could create a PR or at least give some examples 😉
Thanks!

@Zerwin
Author

Zerwin commented Apr 15, 2020

version: "3.7"

services:
  taiga:
    image: quay.io/riotkit/taiga:5.0.10
    volumes:
      # Compose only interpolates ${VAR}-style references, not $(pwd);
      # a path relative to the compose file does the same job.
      - ./media:/usr/src/taiga-back/media
    ports:
      - 80:80
    environment:
      - TAIGA_HOSTNAME=taiga.localhost
      - TAIGA_DB_HOST=postgres
      - TAIGA_DB_NAME=taigadb
      - TAIGA_DB_USER=postgres
      # Path where Docker mounts the secret declared below
      - TAIGA_DB_PASSWORD_FILE=/run/secrets/taiga_password
    secrets:
      - taiga_password

secrets:
  taiga_password:
    # Created beforehand with `docker secret create taiga_password ...`
    external: true

This is how it could look. The important parts are TAIGA_DB_PASSWORD_FILE and the secret blocks at the bottom.

In this case I created the secret taiga_password in my swarm and then said I want this external secret used for this service (therefore external: true) and mentioned it in the service itself so docker knows this service explicitly uses it.

Docker then mounts the secret at /run/secrets/taiga_password. If Taiga now could have a variable to read from a file rather than take the literal input, the secret would be used without its content ever being mentioned in the yaml.

An example (not sure if it can be applied here though) from mariadb: https://github.com/docker-library/mariadb/blob/master/10.3/docker-entrypoint.sh#L21-L41

Edit: Also I am no great coder, so me doing a PR could end in disaster 😣
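The `_FILE` convention described in the opening post (one variable holding the literal value, a sibling `*_FILE` variable naming a file to read it from) and the mariadb entrypoint linked above both come down to one small helper. The script below is an added example written for this thread; it is not docker-taiga's or mariadb's code, and the `file_env` name, the `TAIGA_DB_PASSWORD` / `TAIGA_DB_PASSWORD_FILE` pair and the secret file it creates under a temp directory are assumptions made for the demonstration. It rejects the ambiguous case where both variables are set and the case where the referenced file cannot be read, so a misconfiguration fails at startup instead of silently using an empty password.

```shell
#!/bin/sh
# Added example (not project code): resolve VAR from either $VAR or the
# file named by $VAR_FILE, in the style of the mariadb entrypoint helper.

# file_env VAR [DEFAULT]
#   Exports VAR from $VAR, else from the contents of the file named by
#   $VAR_FILE (e.g. /run/secrets/taiga_password), else DEFAULT.
#   Returns 1 when both are set or the file is unreadable.
file_env() {
  _fe_var="$1"
  _fe_default="${2:-}"
  _fe_file_var="${_fe_var}_FILE"
  # indirect expansion without bash-only ${!var}
  eval "_fe_val=\${$_fe_var:-}"
  eval "_fe_file=\${$_fe_file_var:-}"

  if [ -n "$_fe_val" ] && [ -n "$_fe_file" ]; then
    echo "error: both $_fe_var and $_fe_file_var are set; set exactly one" >&2
    return 1
  fi

  if [ -n "$_fe_file" ]; then
    if [ ! -r "$_fe_file" ]; then
      echo "error: $_fe_file_var points to unreadable file '$_fe_file'" >&2
      return 1
    fi
    # command substitution strips trailing newlines, which editors and
    # `echo | docker secret create` commonly leave at the end of the file
    _fe_val="$(cat "$_fe_file")"
  elif [ -z "$_fe_val" ]; then
    _fe_val="$_fe_default"
  fi

  export "$_fe_var=$_fe_val"
  # the path is no longer needed by child processes
  unset "$_fe_file_var"
}

# Stand-alone demonstration with a constructed secret file (no Docker needed).
demo_file_env() {
  _demo_tmp="$(mktemp -d)"
  printf 'constructed-secret-value\n' > "$_demo_tmp/taiga_password"
  chmod 600 "$_demo_tmp/taiga_password"

  unset TAIGA_DB_PASSWORD
  export TAIGA_DB_PASSWORD_FILE="$_demo_tmp/taiga_password"
  file_env TAIGA_DB_PASSWORD
  # print only the length, never the secret itself
  echo "TAIGA_DB_PASSWORD resolved from file, length ${#TAIGA_DB_PASSWORD}"

  rm -rf "$_demo_tmp"
  unset TAIGA_DB_PASSWORD
}

demo_file_env
```

In an entrypoint you would call `file_env TAIGA_DB_PASSWORD` once before the settings file is rendered, and do the same for any other credential the image accepts; anything read this way never appears in the compose file or in `docker inspect` output of the service definition.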

@blackandred
Contributor

Please correct me if I interpret it wrong: You need to read files in /run/secrets and make environment variables from them. Those files are mounted by docker engine like volumes.

@blackandred blackandred self-assigned this Apr 16, 2020
@blackandred blackandred added the FEATURE New feature or request label Apr 16, 2020
@blackandred
Contributor

First closest date when I can try to implement this is Saturday, 18.04.2020

@Zerwin
Author

Zerwin commented Apr 16, 2020

It doesn't have to be limited to /run/secrets but that is the default behaviour of where docker mounts secrets if not otherwise specified. But otherwise correct.

Thanks for your work. 👍

@blackandred
Contributor

#37

I tried to do something based on the existing repositories, requires testing - I will test it and merge.

@blackandred
Contributor

Already merged, closing.
