Add support for docker secrets #35
Comments
Please if you could create a PR or at least give some examples 😉
This is how it could look. The important part are In this case I created the secret taiga_password in my swarm and then said I want this external secret used for this services (therefore external: true) and mentioned it in the service itself so docker knows this service explicitly uses it. Docker then mounts the secret at /run/secrets/taiga_password. If Taiga now could have a variable to read from a file rather than take the literal input, the secret would be used without its content ever being mentioned in the yaml. An example (not sure if it can be applied here though) from mariadb: https://github.com/docker-library/mariadb/blob/master/10.3/docker-entrypoint.sh#L21-L41 Edit: Also I am no great coder, so me doing a PR could end in disaster 😣
Please correct me if I interpret it wrong: You need to read files in /run/secrets and make environment variables from them. Those files are mounted by docker engine like volumes.
First closest date when I can try to implement this is Saturday, 18.04.2020
It doesn't have to be limited to /run/secrets but that is the default behaviour of where docker mounts secrets if not otherwise specified. But otherwise correct. Thanks for your work. 👍
I tried to do something based on the existing repositories, requires testing - I will test it and merge.
Already merged, closing.
Issue
Docker secrets aren't supported for Passwords.
Solution
It can be done similarly to how Postgres does it. Postgres allows 2 environment variables for reading the password, POSTGRES_PASSWORD and POSTGRES_PASSWORD_FILE. The _FILE makes it so Postgres reads the password from a file rather than taking the literal string. This allows docker secrets, which are usually mounted in /run/secrets/example inside the container, to be read and used for authentication to the database.
Docker-Taiga could also introduce an environment variable named TAIGA_DB_PASSWORD_FILE which then reads the password from a file.
Notes
I can gladly provide how my docker-compose looks to show an example of secret use (or how I would use it)
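The `_FILE` convention requested in this issue, written as an entrypoint helper. This is an added example, not code from Docker-Taiga or from the linked mariadb script; the helper name `file_env` and the plain-value variable `TAIGA_DB_PASSWORD` are assumptions, only `TAIGA_DB_PASSWORD_FILE` comes from the issue text.

```shell
#!/bin/sh
# Added example: resolve NAME from either NAME (literal) or NAME_FILE (path to a
# mounted secret such as /run/secrets/taiga_password), never both.
# Usage in an entrypoint:  file_env TAIGA_DB_PASSWORD || exit 1
file_env() {
    name=$1
    default=${2:-}

    # The name is passed to eval below, so accept plain identifiers only.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "file_env: invalid variable name" >&2
            return 1 ;;
    esac

    eval "direct=\${$name:-}"
    eval "file_path=\${${name}_FILE:-}"

    # Two sources for one secret is a configuration error; refuse to guess.
    if [ -n "$direct" ] && [ -n "$file_path" ]; then
        echo "file_env: $name and ${name}_FILE are both set; use one" >&2
        return 1
    fi

    if [ -n "$file_path" ]; then
        if [ ! -r "$file_path" ]; then
            echo "file_env: cannot read $file_path" >&2
            return 1
        fi
        # Command substitution strips the trailing newline of the secret file.
        value=$(cat "$file_path")
    elif [ -n "$direct" ]; then
        value=$direct
    else
        value=$default
    fi

    # Export the resolved value, drop the *_FILE pointer and the temporaries.
    export "$name=$value"
    unset "${name}_FILE"
    unset direct file_path value
}
```

With this in place the compose file only names the secret and sets `TAIGA_DB_PASSWORD_FILE` to its mount path, so the password itself never appears in the YAML.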