Pass OAuth settings as secrets #1

@rschaaf-aifa

Description

Passing the OAuth settings as environment variables has the disadvantage that this sensitive information must be specified e.g. in docker-compose.yml. This file is typically checked into GitHub, which is discouraged when a file contains sensitive information.

docker-compose offers secrets as a better alternative. While the full power of secrets requires docker to run in swarm mode, secrets are useful even without swarm mode. As an example, see hk-influxdb.py and docker-compose.yml in housekeeping: in the docker-compose file the secret influxdb_token_write_housekeeping is defined:

secrets:
...
    influxdb_token_write_housekeeping:
        file: ./secrets/influxdb_token_write_housekeeping.txt
...

The file ./secrets/influxdb_token_write_housekeeping.txt contains a single line with the (secret) token and is protected against upload to GitHub by a .gitignore file.

Still in docker-compose.yml, the secret is attached to the service hk-influxdb:

 hk-influxdb:
...
    secrets:
        - influxdb_token_write_housekeeping
    environment:
        - INFLUXDB_TOKEN_FILE=/run/secrets/influxdb_token_write_housekeeping

At runtime, the file ./secrets/influxdb_token_write_housekeeping.txt is available in the container as /run/secrets/influxdb_token_write_housekeeping. This filename is constructed from the name of the secret and passed into the container as environment variable INFLUXDB_TOKEN_FILE.

In the container, the secret is used in hk-influxdb.py as follows:

import os

# Prefer the plain environment variable; fall back to the secrets file.
INFLUXDB_TOKEN = os.getenv("INFLUXDB_TOKEN")
if INFLUXDB_TOKEN is None:
    INFLUXDB_TOKEN_FILE = os.getenv("INFLUXDB_TOKEN_FILE")
    with open(INFLUXDB_TOKEN_FILE) as pwfile:
        for line in pwfile:
            # the file holds a single line: the token, with its newline stripped
            INFLUXDB_TOKEN = line.strip()

This allows INFLUXDB_TOKEN to be passed into the container as a normal environment variable (discouraged, see above). If the environment variable is not set, the token is read from INFLUXDB_TOKEN_FILE, which contains the content of the protected file ./secrets/influxdb_token_write_housekeeping.txt.

I suggest implementing such a behaviour for the sensitive parts of the OAuth settings in authn-proxy as well.
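The env-var-or-file precedence described in the issue, generalized into a reusable helper and applied to a pair of hypothetical OAuth settings. This is an added example, not code from hk-influxdb.py or from authn-proxy; the names OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET are assumed, and the secret file it writes is constructed for the demonstration. Unlike the loop in hk-influxdb.py, which keeps the last line of the file, it reads the whole (single-line) file and strips surrounding whitespace; it also reports clearly when neither the plain variable nor the _FILE variable is set, or when the file is empty.

```python
import os
import tempfile


def read_secret(name, environ=None):
    """Return secret NAME using the same precedence as hk-influxdb.py.

    1. Environment variable NAME holds the value directly (discouraged: it
       ends up in docker-compose.yml and is visible via `docker inspect`).
    2. Otherwise environment variable NAME_FILE names a file, typically a
       docker-compose secret mounted under /run/secrets/, whose content is
       the value.
    Raises KeyError if neither variable is set, FileNotFoundError if the
    named file does not exist, ValueError if the file is empty.
    """
    if environ is None:
        environ = os.environ
    value = environ.get(name)
    if value is not None:
        return value
    path = environ.get(name + "_FILE")
    if path is None:
        raise KeyError(f"neither {name} nor {name}_FILE is set")
    # Secret files hold a single line; strip the newline editors append.
    with open(path, encoding="utf-8") as fh:
        value = fh.read().strip()
    if not value:
        raise ValueError(f"secret file {path} is empty")
    return value


def load_oauth_settings(environ=None):
    """Hypothetical OAuth settings (assumed names, not authn-proxy's own).

    The client id is not secret, so it is read from the environment only;
    the client secret goes through read_secret() so it can come from a file.
    """
    if environ is None:
        environ = os.environ
    return {
        "OAUTH_CLIENT_ID": environ["OAUTH_CLIENT_ID"],
        "OAUTH_CLIENT_SECRET": read_secret("OAUTH_CLIENT_SECRET", environ),
    }


def demo():
    """Exercise all cases with a constructed secret file (not a real token)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "oauth_client_secret")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("constructed-example-secret\n")  # trailing newline on purpose
        base = {"OAUTH_CLIENT_ID": "example-client"}
        from_file = load_oauth_settings({**base, "OAUTH_CLIENT_SECRET_FILE": secret_path})
        from_env = load_oauth_settings({**base, "OAUTH_CLIENT_SECRET": "plain-secret"})
        both = load_oauth_settings({**base, "OAUTH_CLIENT_SECRET": "plain-secret",
                                    "OAUTH_CLIENT_SECRET_FILE": secret_path})
        try:
            load_oauth_settings(base)
            missing_raises = False
        except KeyError:
            missing_raises = True
    return {
        "from_file": from_file["OAUTH_CLIENT_SECRET"],
        "from_env": from_env["OAUTH_CLIENT_SECRET"],
        "env_wins_over_file": both["OAUTH_CLIENT_SECRET"],
        "missing_raises": missing_raises,
    }


if __name__ == "__main__":
    print(demo())
```

In a docker-compose setup the service would set OAUTH_CLIENT_SECRET_FILE=/run/secrets/oauth_client_secret and attach a secret of that name, exactly as the hk-influxdb service above does for its token; the plain OAUTH_CLIENT_SECRET variable remains available for local runs but wins over the file if both are set, so it should stay out of any checked-in compose file.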
