Sensitive data and Docker Compose Secrets (OD-1370)

I am using Docker Compose to deploy OneDev with an external database (MariadDB). And I'm trying to hide sensitive data with Docker Secrets. For MariaDB, I use "MARIADB_ROOT_PASSWORD_FILE" and "MARIADB_PASSWORD_FILE" instead of "MARIADB_ROOT_PASSWORD" and "MARIADB_PASSWORD" respectively. This works, but I can't find a way to insert "/run/secrets/secret" in "hibernate_connection_password" and "initial_password" in OneDev's environment section in docker-compose.yaml. Is it possible? Or is there another way not to use sensitive data in docker-compose.yaml?


volumes:
  onedev:
  mariadb:

services:
  nginx:
    container_name: nginx
    image: nginx
    volumes:
      - /etc/ssl/:/etc/ssl/
      - ./html:/usr/share/nginx/html
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/nginxconfig.io:/etc/nginx/nginxconfig.io
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
    ports:
      - "##.###.##.###:80:80"
      - "##.###.##.###:443:443"

  onedev:
    container_name: 1dev
    image: 1dev/server
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - onedev:/opt/onedev
    environment:
      hibernate_dialect: org.hibernate.dialect.MySQL5InnoDBDialect
      hibernate_connection_driver_class: org.mariadb.jdbc.Driver
      hibernate_connection_url: jdbc:mariadb://mariadb:3306/onedev
      hibernate_connection_username: admin
      hibernate_connection_password: /run/secrets/db_password
      initial_user: admin
      initial_password: /run/secrets/onedev_password
      initial_email: [email protected]
      initial_server_url: localhost:6610
    secrets:
      - db_password
      - onedev_password

  mariadb:
    container_name: mariadb
    image: mariadb
    restart: always
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      #MARIADB_ROOT_HOST: localhost
      #MARIADB_MYSQL_LOCALHOST_USER: true
      MARIADB_DATABASE: onedev
      MARIADB_USER: admin
      MARIADB_PASSWORD_FILE: /run/secrets/db_password
      MARIADB_AUTO_UPGRADE: true
    secrets:
      - db_root_password
      - db_password
    volumes:
      - mariadb:/var/lib/mysql

  adminer:
    container_name: adminer
    image: adminer
    restart: always

secrets:
  db_password:
    file: .secrets/db_password.txt
  db_root_password:
    file: .secrets/db_root_password.txt
  onedev_password:
    file: .secrets/onedev_password.txt

Robin Shen changed fields 3 years ago
Name Previous Value Current Value
Type

Support Request

Improvement
Robin Shen commented 3 years ago

This is not possible currently. I converted this as an improvement request.
Vasiliy Kulikov commented 3 years ago

Ok, I'll wait for an update of the improvement. Should I close this issue?
Robin Shen commented 3 years ago

Just keep it open. Will be closed automatically when relevant code commits in.
Vasiliy Kulikov commented 3 years ago

Thank you.
OneDev changed state to 'Closed' 3 years ago
Previous Value Current Value
Open

Closed
OneDev commented 3 years ago

State changed as code fixing the issue is committed (54aa4d65)
OneDev changed state to 'Released' 3 years ago
Previous Value Current Value
Closed

Released
OneDev commented 3 years ago

State changed as build #3638 is successful
Robin Shen commented 3 years ago

Check this for environment variables to store password in file:

https://docs.onedev.io/installation-guide/run-as-docker-container
Vasiliy Kulikov commented 3 years ago

Check this for environment variables to store password in file:

https://docs.onedev.io/installation-guide/run-as-docker-container

I've already tested it. It works => I'm happy. Only I haven't tested yet on restoring from backup, but I hope everything will be fine there. You are making improvements so fast... I'm impressed. Thank you! 👍
Login to comment

Name	Previous Value	Current Value
Type	Support Request	Improvement

Previous Value	Current Value
Open	Closed

Previous Value	Current Value
Closed	Released

Type	Improvement
Priority	Normal
Assignee	Robin Shen

Issue Votes (0)

Watchers (4)

Reference

OD-1370