Add option to pass secrets as files

Question

Add option to pass secrets as files

bryopsida opened this issue 7 months ago · 2 comments

Expected Behavior

I'd like an option to pass secret values as files when appending _FILE after the current environment variable used for the value.

This behavior is consistent with other images such as MySQL, PostgreSQL (see the docker secrets section in the readme files for both).

Related to: apache/couchdb-helm#140

Current Behavior

Currently, the secret values can only be passed through environment variables which can be problematic when benchmark/scanner tools are used, see: https://avd.aquasec.com/compliance/kubernetes/cis-kubernetes-benchmarks-v1.23-1.23/5.4.1/ or bind mounts.

Enabling the _FILE option would allow for a cleaner implementation in the chart and is consistent with other official docker image behavior.

Possible Solution

The docker entry point could be updated to use COUCHDB_ADMIN_USER_FILE, COUCHDB_SECRET_FILE etc environment variables which have the path to a file holding the actual secret value.

Answer 1 · 2024-06-06T14:01:42.000Z

An alternative could be a URI-like format like authentik uses (https://docs.goauthentik.io/docs/installation/configuration#about-authentik-configurations).

services:
  couchdb:
    environment:
      # Original solution 
      COUCHDB_SECRET_FILE: /run/secrets/COUCHDB_SECRET
      # Solution like Authentik
      COUCHDB_SECRET: file:///run/secrets/COUCHDB_SECRET

I have seen your solution more often and it should be easier to implement, so I would prefer it. Just wanted to show a possible alternative.