This repository was archived by the owner on Apr 17, 2023. It is now read-only.

Docker secrets support. #1700

Closed
Nols1000 opened this issue Feb 22, 2018 · 12 comments

Comments

@Nols1000

Description

I recently wanted to update our infrastructure and looked into Manage sensitive data with Docker secrets. I couldn't find any documentation on this subject for Portus, so I assume it is not supported yet. Then I found this pull request openSUSE/docker-containers#74 and I don't get why this isn't merged yet. It would be nice if you could help me with information about how to use Docker secrets with Portus, or with an explanation of why it's not supported yet.

@Vad1mo
Contributor

Vad1mo commented Feb 22, 2018

You can use secrets right now with Portus. All you need are a few lines in your compose file.

Example for config.yml; the same goes for other files. The PR openSUSE/docker-containers#74 simplifies it a bit. IMHO it's not the right approach. Also, it only works with Portus 2.2, not with 2.3.

```yaml
version: "3.1"
services:
  portus:
    image: portus
    secrets:
      - source: config
        # absolute target: a relative one would be placed under /run/secrets/
        target: /app/config/config.yml
secrets:
  config:
    file: /user/home/me/code/Portus/config/config.yml
```

This assumes your application in the container reads /app/config/config.yml and your local config file is at /user/home/me/code/Portus/config/config.yml.

@Nols1000
Author

Yes, this would be possible, but it requires using a config file. I don't use one right now, as I want to keep it simple and configure everything in one location (the docker-compose file). I could be wrong, but the setup would require me to copy /user/home/me/code/Portus/config/config.yml to all nodes of my swarm, wouldn't it?
I would prefer a method to use environment variables. And it would be nice to update the documentation with information on this and update the examples.

@Vad1mo
Contributor

Vad1mo commented Feb 22, 2018

In this example two things happen: 1. config.yml is uploaded to Docker; 2. Portus is told where to look for the file. You can separate the steps and have a compose file that just does the lookup (step 2).

Env vars and config-file/secrets contradict each other. You should (easiest way) either use ENV vars or config/secret files. So if you prefer ENV vars, why do you bother with config/secrets?

@Nols1000
Author

To 1.: Thanks for pointing that out for me; I recently had problems with volume mounting in swarm mode and assumed it would be the same issue for secrets.
To 2.: The official Docker documentation (Use Secrets in Compose) suggests mixing ENV vars and secrets. Also, separate secrets would have the advantage that they could be updated separately (Rotate a secret).

@potzkovge

potzkovge commented Mar 20, 2018

I am also missing an option to use environment variables and secrets. The usual convention is to add a _FILE suffix to the environment variable name and pass a file path in the container. The relevant code would be in an initial script:

```bash
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
  local var="$1"
  local fileVar="${var}_FILE"
  local def="${2:-}"
  # Refuse ambiguous input: the plain variable and its _FILE variant are exclusive.
  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
    exit 1
  fi
  local val="$def"
  if [ "${!var:-}" ]; then
    val="${!var}"
  elif [ "${!fileVar:-}" ]; then
    # $(< file) reads the secret file and strips trailing newlines
    val="$(< "${!fileVar}")"
  fi
  export "$var"="$val"
  unset "$fileVar"
}
```

This implementation was taken from https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh but can be seen all over official repositories supporting this convention.
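The _FILE convention described in this comment, as an added example that is neither Portus's entrypoint nor the docker-library script quoted above: a POSIX sh version (no bash-only `${!var}` indirection, so it also runs under dash or busybox) that resolves the five variables named later in this thread (PORTUS_SECRET_KEY_BASE, PORTUS_PASSWORD, PORTUS_DB_PASSWORD, PORTUS_LDAP_AUTHENTICATION_PASSWORD, PORTUS_EMAIL_SMTP_PASSWORD) and adds the checks an entrypoint should make: reject the ambiguous case where both NAME and NAME_FILE are set, reject a missing or empty secret instead of starting with a blank password, and warn when the secret file is readable by other users inside the container. The function names `resolve_secret` and `resolve_all_secrets` and the variable list `PORTUS_SECRET_VARS` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Portus's entrypoint and not the docker-library script):
# resolve NAME or NAME_FILE for each Portus secret variable in POSIX sh, so it
# also runs under dash/busybox where bash's ${!var} indirection is unavailable.

# Assumed list: the variables this thread asks to support via the _FILE convention.
PORTUS_SECRET_VARS="PORTUS_SECRET_KEY_BASE PORTUS_PASSWORD PORTUS_DB_PASSWORD \
PORTUS_LDAP_AUTHENTICATION_PASSWORD PORTUS_EMAIL_SMTP_PASSWORD"

# resolve_secret VAR: export VAR from $VAR, or from the file named by $VAR_FILE.
# Returns non-zero (the caller decides whether to abort) when both forms are
# set, when the file is missing or unreadable, or when the value is empty.
resolve_secret() {
  var="$1"
  file_var="${var}_FILE"
  # POSIX indirection through eval; $var comes from our fixed list, not from input.
  eval "val=\${$var:-}"
  eval "path=\${$file_var:-}"
  if [ -n "$val" ] && [ -n "$path" ]; then
    echo "error: both $var and $file_var are set (they are exclusive)" >&2
    return 1
  fi
  if [ -n "$path" ]; then
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
      echo "error: $file_var=$path is not a readable file" >&2
      return 1
    fi
    # Docker mounts secrets as mode 0444 unless the compose file sets 'mode';
    # flag a file that other users in the container can read.
    case "$(ls -l "$path" | cut -c8-10)" in
      ---) ;;
      *) echo "warning: $path is readable by other users" >&2 ;;
    esac
    # Command substitution strips trailing newlines, so a secret created with
    # 'echo' rather than 'printf' still resolves to the intended value.
    val="$(cat "$path")"
    unset "$file_var"
  fi
  if [ -z "$val" ]; then
    echo "error: $var is empty; refusing to start with a blank secret" >&2
    return 1
  fi
  export "$var=$val"
}

# resolve_all_secrets: resolve every variable in the list and return the number
# of failures, so the entrypoint can refuse to start Portus on any problem.
resolve_all_secrets() {
  failed=0
  for v in $PORTUS_SECRET_VARS; do
    resolve_secret "$v" || failed=$((failed + 1))
  done
  return "$failed"
}

# Intended use at the top of an entrypoint (assumed, not Portus's own script):
#   resolve_all_secrets || { echo "secret resolution failed" >&2; exit 1; }
#   exec "$@"
```

The functions return instead of calling `exit` so the entrypoint can report every misconfigured variable in one run rather than stopping at the first. The permission warning matters because Docker's default secret mode is world-readable inside the container; `mode: 0400` on the secret entry in the compose file tightens that.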

@mssola
Collaborator

mssola commented Mar 21, 2018

@Nols1000 @potzkovge thanks for this!

I am used to how Kubernetes manages secrets (you can rotate them and all, and then set them for all pods as environment variables), but that's no excuse for not providing proper secrets support for other orchestrators (and including docker-compose).

@potzkovge's idea looks truly great 👏

@mssola
Collaborator

mssola commented Mar 21, 2018

@Nols1000 @potzkovge I've merged openSUSE/docker-containers#100, which adds support for this. It will work as @potzkovge proposed for PORTUS_SECRET_KEY_BASE, PORTUS_PASSWORD and PORTUS_DB_PASSWORD. Meanwhile images are getting built 👍

@mssola
Collaborator

mssola commented Mar 21, 2018

Added the documentation label to remind myself to update http://port.us.org with this.

@potzkovge

potzkovge commented Mar 21, 2018

@mssola you forgot to add support for PORTUS_LDAP_AUTHENTICATION_PASSWORD and PORTUS_EMAIL_SMTP_PASSWORD. I had prepared a PR here, openSUSE/docker-containers#99, but I guess you forgot to check. Please add support for those too.

@mssola
Collaborator

mssola commented Mar 21, 2018

@potzkovge done, thanks 👍

@potzkovge

@mssola thank you for the fast development. I've tested the newest 2.3 tag and it works as expected! I'll close my PR.

mssola added a commit that referenced this issue Apr 4, 2018
This commit includes a bunch of changes proposed by the community in
several issues.

Fixes #1700
Fixes #1734
Fixes #1721
Fixes #1706

Signed-off-by: Miquel Sabaté Solà <[email protected]>
@mssola
Collaborator

mssola commented Apr 4, 2018

Documentation added. Closing...

@mssola mssola closed this as completed Apr 4, 2018