
Pass OAuth settings as secrets #1

@rschaaf-aifa

Description


Passing the OAuth settings as environment variables has the disadvantage that this sensitive information must be specified e.g. in docker-compose.yml. This file is typically checked into GitHub, which is discouraged when a file contains sensitive information.

docker-compose offers secrets as a better alternative. While the full power of secrets requires docker to run in swarm mode, secrets are useful even without swarm mode. As an example, see hk-influxdb.py and docker-compose.yml in housekeeping: in the docker-compose file the secret influxdb_token_write_housekeeping is defined:

secrets:
...
    influxdb_token_write_housekeeping:
        file: ./secrets/influxdb_token_write_housekeeping.txt
...

The file ./secrets/influxdb_token_write_housekeeping.txt contains a single line with the (secret) token and is protected against upload to GitHub by a .gitignore file.

Still in docker-compose.yml, the secret is attached to the service hk-influxdb:

 hk-influxdb:
...
    secrets:
        - influxdb_token_write_housekeeping
    environment:
        - INFLUXDB_TOKEN_FILE=/run/secrets/influxdb_token_write_housekeeping

At runtime, the file ./secrets/influxdb_token_write_housekeeping.txt is available in the container as /run/secrets/influxdb_token_write_housekeeping. This filename is constructed from the name of the secret and passed into the container as environment variable INFLUXDB_TOKEN_FILE.

In the container, the secret is used in hk-influxdb.py as follows:

import os

# Prefer a plain environment variable if one is set ...
INFLUXDB_TOKEN = os.getenv("INFLUXDB_TOKEN")
if INFLUXDB_TOKEN is None:
    # ... otherwise read the token from the file named by INFLUXDB_TOKEN_FILE
    # (the secret mounted by docker-compose under /run/secrets/).
    INFLUXDB_TOKEN_FILE = os.getenv("INFLUXDB_TOKEN_FILE")
    with open(INFLUXDB_TOKEN_FILE) as pwfile:
        # The file holds a single line; the loop keeps the last line it reads.
        for line in pwfile:
            INFLUXDB_TOKEN = line.strip()

This allows INFLUXDB_TOKEN to be passed into the container as a normal environment variable (discouraged, see above). If the environment variable is not set, the token is read from INFLUXDB_TOKEN_FILE, which contains the content of the protected file ./secrets/influxdb_token_write_housekeeping.txt.

I suggest implementing such a behaviour for the sensitive parts of the OAuth settings in authn-proxy as well.
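The lookup described in the issue (plain environment variable first, otherwise a `*_FILE` variable pointing at a docker-compose secret under /run/secrets/) generalised into a reusable helper, as an added example that is not code from the issue author or from authn-proxy. The OAuth variable names OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET and OAUTH_COOKIE_SECRET are assumptions for illustration; the `env` and `read_file` parameters exist so the resolver can be exercised without touching the real environment or filesystem.

```python
import os
from typing import Callable, Mapping, Optional


def _read_secret_file(path: str) -> str:
    """Default reader: return the whole content of a mounted secret file."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def resolve_secret(
    name: str,
    env: Mapping[str, str] = os.environ,
    read_file: Callable[[str], str] = _read_secret_file,
    required: bool = True,
) -> Optional[str]:
    """Return the value of secret NAME.

    Precedence:
      1. environment variable NAME (non-empty) - discouraged, but kept for
         compatibility, exactly as hk-influxdb.py does;
      2. the file named by NAME_FILE, e.g. /run/secrets/<secret> as mounted
         by docker-compose;
      3. None, or a RuntimeError when required=True.
    An empty environment variable is treated as unset, which is what you get
    when docker-compose passes through a host variable that does not exist.
    """
    value = env.get(name)
    if value:
        return value

    path = env.get(name + "_FILE")
    if path:
        content = read_file(path)
        # Secret files usually end with a newline and may be edited on
        # Windows (CRLF); take the first non-empty line, stripped.
        for line in content.splitlines():
            line = line.strip()
            if line:
                return line
        raise ValueError(f"secret file {path} (from {name}_FILE) is empty")

    if required:
        raise RuntimeError(f"{name} is not configured: set {name} or {name}_FILE")
    return None


def load_oauth_settings(
    env: Mapping[str, str] = os.environ,
    read_file: Callable[[str], str] = _read_secret_file,
) -> dict:
    """Assemble the OAuth settings; only the confidential parts go through
    resolve_secret, the public client id may stay a plain variable.
    (Variable names are hypothetical, not authn-proxy's real settings.)"""
    return {
        "client_id": env.get("OAUTH_CLIENT_ID", ""),
        "client_secret": resolve_secret("OAUTH_CLIENT_SECRET", env, read_file),
        "cookie_secret": resolve_secret("OAUTH_COOKIE_SECRET", env, read_file),
    }
```

A matching compose service would list the two secrets under `secrets:` and set `OAUTH_CLIENT_SECRET_FILE=/run/secrets/oauth_client_secret` and `OAUTH_COOKIE_SECRET_FILE=/run/secrets/oauth_cookie_secret` in `environment:`. Two caveats worth keeping in mind: without swarm mode a file-based secret is simply bind-mounted into the container, so the host file's permissions (and the .gitignore entry) are the only things protecting it; and unlike the loop in hk-influxdb.py, which keeps the last line of the file, this helper returns the first non-empty line and fails loudly on an empty file rather than silently using an empty token.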
