Allow loading secrets from mounted files rather than ENV vars #488
Conversation
This allows keys from kubernetes secrets to be mounted as files to avoid exposing them in the ENV.
Thanks for the contribution, supporting secrets generally looks like a good idea to me and the code is pretty effective. What might not be perfect is to have all secrets available as ENV for the main container process. So, these are my thoughts:
We should likely allow-list variables handled like this. There might be other secrets (private/public keys, certificates) that must be handled differently than putting them into a variable, and also all the real secrets (passwords, private keys) should not be set for the postmaster process (they should be explicitly unset), because the database itself is so complex that getting it from the process might be possible for unauthorized users and thus would create a security issue.
Plus we should have a test for this, and include it in the README.md.
I cannot find any guidance on what path is recommended for secrets like this; /run/secrets/postgresql/ does not look wrong, I just would like to use something as close as possible to some usual usage (if there is something like this).
@pkubatrh I wonder whether this might be a good learning task for Ondra or Adam (includes some small piece of research).
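One way to implement the three points raised in the review (an allow-list of names that may come from the mount, a fallback from `/run/secrets/postgresql/` files to ENV, and unsetting the real secrets before the server starts), as an added example that is neither this pull request's code nor the project's own entrypoint. The mount path follows the thread; the `POSTGRESQL_*` variable names, the `load_secrets`, `unset_secrets` and `secrets_in_env` functions and the `SECRETS_LOADED` counter are assumptions made for this example:

```shell
#!/bin/sh
# Added example, not code from this pull request or the project: an entrypoint
# fragment that takes allow-listed secrets from files mounted by Kubernetes
# (default mount point /run/secrets/postgresql/, one file per variable name)
# and unsets the sensitive ones before the database server is started.
# The POSTGRESQL_* names are an assumption; adapt them to the image in use.

SECRETS_DIR="${SECRETS_DIR:-/run/secrets/postgresql}"

# Allow-list: only these names are ever read from the mount. Keys and
# certificates are deliberately absent; they need a different code path.
ALLOWED_SECRETS="POSTGRESQL_USER POSTGRESQL_PASSWORD POSTGRESQL_DATABASE POSTGRESQL_ADMIN_PASSWORD"

# Subset that must never reach the postmaster's environment.
SENSITIVE_SECRETS="POSTGRESQL_PASSWORD POSTGRESQL_ADMIN_PASSWORD"

# load_secrets DIR: export each allow-listed NAME from DIR/NAME if that file
# exists. A value already present in the environment wins, so the file is a
# fallback and an explicit -e on the command line keeps working as before.
# The number of variables taken from files is left in SECRETS_LOADED.
load_secrets() {
  dir="$1"
  SECRETS_LOADED=0
  for name in $ALLOWED_SECRETS; do
    file="$dir/$name"
    [ -f "$file" ] || continue
    eval "already=\${$name+x}"
    [ -z "$already" ] || continue
    # Command substitution drops trailing newlines, which is what we want for
    # a password that an editor saved with a final "\n".
    value=$(cat "$file")
    if [ -z "$value" ]; then
      echo "warning: secret file $file is empty, ignoring" >&2
      continue
    fi
    export "$name=$value"
    SECRETS_LOADED=$((SECRETS_LOADED + 1))
  done
}

# unset_secrets: remove the sensitive subset from the environment so that the
# server process (and anything able to read its environment) never sees them.
unset_secrets() {
  for name in $SENSITIVE_SECRETS; do
    unset "$name"
  done
}

# secrets_in_env: succeeds (status 0) if any sensitive variable is still set,
# fails otherwise. Meant as a last check right before exec'ing the server.
secrets_in_env() {
  for name in $SENSITIVE_SECRETS; do
    eval "set_flag=\${$name+x}"
    [ -z "$set_flag" ] || return 0
  done
  return 1
}

# Typical entrypoint order (the database setup step is elided here):
#   load_secrets "$SECRETS_DIR"
#   ... create user/database using $POSTGRESQL_PASSWORD ...
#   unset_secrets
#   secrets_in_env && { echo "refusing to start with secrets in ENV" >&2; exit 1; }
#   exec postgres -D "$PGDATA"
load_secrets "$SECRETS_DIR"
```

Because the unset happens in the same shell that later `exec`s the server, the password variables are gone from the process environment that `/proc/<pid>/environ` or a `pg_read_file`-style trick could expose, which is the concern the review raises; the non-sensitive names (user, database) are left in place so the existing scripts still find them.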
[test]
Pull Request validation
Failed
🔴 Review - Missing review from a member (1 required)
Success
🟢 CI - All checks have passed