Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added support for docker secrets #29

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Added support for docker secrets #29

wants to merge 3 commits into from

Conversation

DennisGaida
Copy link

Right now the bouncer API key needs to be hardcoded in the compose file and/or in the external .env. The current best practice is to leverage docker secrets that are not only supported in swarm mode, but also from docker compose.

I have added a basic implementation within the RequiredEnv function, that allows the use of <environment_variable_name>+_FILE instead of <environment_variable_name>. So CROWDSEC_BOUNCER_API_KEY becomes CROWDSEC_BOUNCER_API_KEY_FILE. If said [...]_FILE variable exists the value is read from the file and returned from the RequiredEnv function.

I'd greatly appreciate some testing since logging from config.go seems kind of impossible? Even the existing log.Fatalf() entries I never get to see in the docker logs (though the container doesn't start).

Example docker-compose:

version: "3.8"

secrets:
  crowdsec_bouncer_api_key:
    file: /secretsPath/crowdsec_bouncer_api_key

services:
  bouncer:
    build: .
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: bouncer
    environment:
      CROWDSEC_BOUNCER_API_KEY_FILE: /run/secrets/crowdsec_bouncer_api_key
      CROWDSEC_AGENT_HOST: crowdsec:8123
    secrets:
      - crowdsec_bouncer_api_key

fbonalair
fbonalair requested changes Sep 18, 2022
View reviewed changes
Copy link
Owner

@fbonalair fbonalair left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution, that's a great idea.
My design of the app is not the best, so testing is not as easy as I would like ...
I have put some feedback to your change. Once they are fine I will merge it and add comments in the README.

config/config.go Outdated Show resolved Hide resolved
config/config.go
*/
func RequiredEnv(varName string) string {
envVar := os.Getenv(varName)
if envVar == "" {
envVarFileName := os.Getenv(varName + "_FILE")
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of adding a "_FILE" suffix, then you have a value, could you detect if the environment value is a valid file path ? For example with the function os.Stat(path).
Like that, you have one less nest in the if statement, so it's more streamlined while still being able to get different logs for direct value vs file value.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could do that and you are the maintainer.

I use a lot of containers and the de facto standard is to use different named environment variables for your secrets. Linuxserver.io (which provide a loooot of container) use the FILE__<env-var> nomenclature (see e.g. https://hub.docker.com/r/linuxserver/mariadb) for their s6-overlay. Many other containers I know use the <env-var>_FILE nomenclature.

I'm not very opinionated and can also go with the os.Stat(path) if you tell me to do so.

config/config.go Outdated
} else if envVar == "" && envVarFileName != "" {
envVarFromFile, err := os.ReadFile(envVarFileName)
if err != nil {
log.Fatalf("Could not read env var from file %s. Exiting", envVarFileName)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First, nice error message ! That would help the user.
Second, to go further, also send the "root" error back to the user. That would make debugging easier : was it a miss-configuration and file is not present? Or app can't read the file because of permission ? etc etc

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also outputting the original error in DennisGaida@fba0274

Please note that ReadFile doesn't guarantee any specific behavior besides no-error == nil. I hope that using %v is the right thing to do, but seeing other error checking code, usually specific errors are caught, like "file not found" or "path invalid".

@DennisGaida
Removed reference to docker
cc5ded7
@DennisGaida
output the error message when readfile fails
fba0274 
note: ReadFile doesn't guarantee any specific behavior except err==nil when successful.
@codeclimate
Copy link

codeclimate bot commented Sep 20, 2022

Code Climate has analyzed commit fba0274 and detected 0 issues on this pull request.

View more on Code Climate.

dsbferris added a commit to dsbferris/traefik-crowdsec-bouncer that referenced this pull request Aug 27, 2023
@dsbferris
Merged fbonalair#29 (_FILE) from original repo.
74d2e59
@MrInterBugs MrInterBugs mentioned this pull request Oct 24, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fbonalair fbonalair fbonalair requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@DennisGaida @fbonalair