How to handle secret injection
Pascal-Orthopy opened this issue · 9 comments
Hi all,
we are running Nhost v2 in a self-hosted Kubernetes cluster and using a vault that can only inject secrets (S3_ACCESS_KEY, S3_SECRET_KEY, ...) as a file. With all other services (hasura, hasura-auth) it was easy because we can override the entrypoint and run the injected file as a script and then run the original command (example: /bin/sh /secrets/env pnpm run start).
But with Hasura-Storage we have some problems. Is there any way to inject Secrets (it's only one volume) and use this injected file as a script before starting the Hasura storage server?
We also saw that there is a "-config" flag, but I can't find any more information about this flag.
Maybe this could be the way to inject a config file with all secrets?
Additional Information
After some research, it should be possible to set up a .env file as config file that is read by viper.
https://github.com/nhost/hasura-storage/blob/main/cmd/root.go#L48
But how is this done? I mounted a volume and tried to set it as config file:
docker run -v "/Users/ph/Documents/project/secrets:/secrets" --rm -i -t nhost/hasura-storage:0.2.4 serve --debug --config "/secrets/.env"
But in the output it shows that it has not reached the correct condition:
The condition always ends up in this block
https://github.com/nhost/hasura-storage/blob/main/cmd/root.go#L51
What is needed to set this part?
https://github.com/nhost/hasura-storage/blob/main/cmd/root.go#L46
Sorry, but I am not familiar with go-lang :/
Hello,
looks like we weren't reading configuration files properly; #111 should fix it. You can build a docker image with make build-docker-image (takes a while as it needs to build libvips).
With that fixed you can just pass a configuration file with whatever contents you want, just match the keys with the flag names. For instance:
# hasura-storage.yaml
---
s3-access-key: asdasdas
s3-secret-key: qweqweqw
s3-bucket: my-bucket
And then start the container as you were attempting:
docker run \
-v "/path/to/secret/:/config" \
--rm -it \
$IMAGE \
serve --config=/config/hasura-storage.yaml --debug
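As an added example (not code from the original issue or from the nhost/hasura-storage project), a small POSIX entrypoint that turns the vault-injected KEY=VALUE file from the first comment into the YAML config the maintainer describes, keyed by flag name and created with mode 0600, and then execs the server; the paths /secrets/env and /run/hasura-storage.yaml are assumptions.

```shell
#!/bin/sh
# Added example, not code from nhost/hasura-storage: render the config file
# the maintainer describes from a vault-injected KEY=VALUE file, so the
# secrets never have to be passed as flags or environment variables.
# Assumptions: the injected file looks like "/secrets/env" below and the
# output path /run/hasura-storage.yaml is writable by the container user.
#
# Constructed sample of the injected file (/secrets/env):
#   export S3_ACCESS_KEY="AKIAEXAMPLE"
#   S3_SECRET_KEY=top-secret
#   S3_BUCKET=my-bucket
set -eu

# render_config <env-file> <yaml-out>
# Each NAME=value line becomes "name: 'value'" with the key lowercased and
# underscores turned into dashes, so it matches the flag name viper expects
# (S3_ACCESS_KEY -> s3-access-key). Blank lines and comments are skipped.
render_config() {
    env_file=$1
    yaml_out=$2
    umask 077   # the rendered file is created 0600: readable only by the service user
    {
        echo '---'
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) continue ;;
            esac
            line=${line#export }                     # accept "export NAME=value" too
            [ "$line" = "${line#*=}" ] && continue   # no '=' -> not a secret line
            key=${line%%=*}
            val=${line#*=}
            key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]' | tr '_' '-')
            case $val in                             # drop double quotes a vault may add
                \"*\") val=${val#\"}; val=${val%\"} ;;
            esac
            val=$(printf '%s' "$val" | sed "s/'/''/g")   # YAML single-quote escaping
            printf "%s: '%s'\n" "$key" "$val"
        done < "$env_file"
    } > "$yaml_out"
}

# Entrypoint: render, then hand over to the real server process (exec keeps
# PID 1 so signals reach hasura-storage). Not run here; call it from the
# container's entrypoint instead.
start_storage() {
    render_config /secrets/env /run/hasura-storage.yaml
    exec hasura-storage serve --config=/run/hasura-storage.yaml
}
```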
Hello, thanks for the reply and the solution. Until you release the new version, I will build and test the image myself, just as you described.
Let me know if it works, if it does I will release right away.
@dbarrosop Seems to work, the configuration is used correctly.
I could only test it locally and there I have only a light setup.
Don't worry, the secrets in the screenshots are the same as in this file, I just used it for the test:
Hi @dbarrosop @elitan , any chance we might have a fresh release soon? :) Happy to provide instant feedback if it also works in our dev system then.
Many thanks!
I am trying to release but GitHub Actions seems to be misbehaving and isn't running the release workflow. I will update here once I've managed to get it running.
Ok, new version has been released: docker.io/nhost/hasura-storage:0.2.5.
Let me know how it goes.
@dbarrosop Thanks, it works and runs now in our system. I'll close this issue as solved.