Sensitive data and Docker Compose Secrets (OD-1370)
Released
Vasiliy Kulikov opened 1 year ago

I am using Docker Compose to deploy OneDev with an external database (MariaDB). And I'm trying to hide sensitive data with Docker Secrets. For MariaDB, I use "MARIADB_ROOT_PASSWORD_FILE" and "MARIADB_PASSWORD_FILE" instead of "MARIADB_ROOT_PASSWORD" and "MARIADB_PASSWORD" respectively. This works, but I can't find a way to insert "/run/secrets/secret" in "hibernate_connection_password" and "initial_password" in OneDev's environment section in docker-compose.yaml. Is it possible? Or is there another way not to use sensitive data in docker-compose.yaml?


volumes:
  onedev:
  mariadb:

services:
  nginx:
    container_name: nginx
    image: nginx
    volumes:
      - /etc/ssl/:/etc/ssl/
      - ./html:/usr/share/nginx/html
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/nginxconfig.io:/etc/nginx/nginxconfig.io
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
    ports:
      - "##.###.##.###:80:80"
      - "##.###.##.###:443:443"

  onedev:
    container_name: 1dev
    image: 1dev/server
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - onedev:/opt/onedev
    environment:
      hibernate_dialect: org.hibernate.dialect.MySQL5InnoDBDialect
      hibernate_connection_driver_class: org.mariadb.jdbc.Driver
      hibernate_connection_url: jdbc:mariadb://mariadb:3306/onedev
      hibernate_connection_username: admin
      hibernate_connection_password: /run/secrets/db_password
      initial_user: admin
      initial_password: /run/secrets/onedev_password
      initial_email: admin@example.com
      initial_server_url: localhost:6610
    secrets:
      - db_password
      - onedev_password

  mariadb:
    container_name: mariadb
    image: mariadb
    restart: always
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      #MARIADB_ROOT_HOST: localhost
      #MARIADB_MYSQL_LOCALHOST_USER: true
      MARIADB_DATABASE: onedev
      MARIADB_USER: admin
      MARIADB_PASSWORD_FILE: /run/secrets/db_password
      MARIADB_AUTO_UPGRADE: true
    secrets:
      - db_root_password
      - db_password
    volumes:
      - mariadb:/var/lib/mysql

  adminer:
    container_name: adminer
    image: adminer
    restart: always

secrets:
  db_password:
    file: .secrets/db_password.txt
  db_root_password:
    file: .secrets/db_root_password.txt
  onedev_password:
    file: .secrets/onedev_password.txt

Robin Shen changed fields 1 year ago
Type: previous value "Support Request", current value "Improvement"

Robin Shen commented 1 year ago

This is not possible currently. I converted this to an improvement request.

Vasiliy Kulikov commented 1 year ago

Ok, I'll wait for an update of the improvement. Should I close this issue?

Robin Shen commented 1 year ago

Just keep it open. It will be closed automatically when the relevant code is committed.

Vasiliy Kulikov commented 1 year ago

Thank you.

OneDev changed state to 'Closed' 12 months ago
State: previous value "Open", current value "Closed"

OneDev commented 12 months ago

State changed as code fixing the issue is committed (54aa4d65)

OneDev changed state to 'Released' 12 months ago
State: previous value "Closed", current value "Released"

OneDev commented 12 months ago

State changed as build #3638 is successful

Robin Shen commented 12 months ago

Check this for environment variables to store password in file:

https://docs.onedev.io/installation-guide/run-as-docker-container

Vasiliy Kulikov commented 12 months ago

> Check this for environment variables to store password in file:
>
> https://docs.onedev.io/installation-guide/run-as-docker-container

I've already tested it. It works => I'm happy. Only I haven't tested yet on restoring from backup, but I hope everything will be fine there. You are making improvements so fast... I'm impressed. Thank you! 👍
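
For an image that has no built-in file-based password variables (the situation in the original question), a wrapper entrypoint can apply the same convention the `MARIADB_*_FILE` variables follow. The shell functions below are an added example, not OneDev's or MariaDB's own code; the `_FILE` suffix on OneDev's variable names and the `load_onedev_secrets` helper are assumptions made for this illustration, and the variable names OneDev itself supports are the ones in the linked documentation.

```shell
#!/bin/sh
# file_env NAME [DEFAULT]: resolve NAME from the file named by NAME_FILE.
# Hypothetical helper for a wrapper entrypoint; the _FILE suffix is this
# example's convention, modelled on the MARIADB_*_FILE variables.
file_env() {
    _fe_name=$1
    _fe_default=${2:-}
    # Only plain identifiers reach eval below.
    case $_fe_name in
        ''|*[!A-Za-z0-9_]*|[0-9]*) echo "error: bad variable name" >&2; return 2 ;;
    esac
    eval "_fe_value=\${$_fe_name:-}"
    eval "_fe_file=\${${_fe_name}_FILE:-}"

    if [ -n "$_fe_value" ] && [ -n "$_fe_file" ]; then
        # Ambiguous configuration: refuse rather than silently pick one.
        echo "error: both $_fe_name and ${_fe_name}_FILE are set" >&2
        return 1
    fi
    if [ -n "$_fe_file" ]; then
        if [ ! -r "$_fe_file" ]; then
            echo "error: cannot read $_fe_file" >&2
            return 1
        fi
        # Command substitution drops the trailing newline most editors add.
        _fe_value=$(cat "$_fe_file")
        if [ -z "$_fe_value" ]; then
            echo "error: $_fe_file is empty" >&2
            return 1
        fi
    elif [ -z "$_fe_value" ]; then
        _fe_value=$_fe_default
    fi

    export "$_fe_name=$_fe_value"
    unset "${_fe_name}_FILE" _fe_value _fe_file
}

# Resolve the two OneDev settings from the compose file in the question; a
# wrapper would call this and then `exec "$@"` to start the real command.
load_onedev_secrets() {
    file_env hibernate_connection_password || return 1
    file_env initial_password || return 1
}
```

The value is still exported into the service's environment, so this keeps the password out of docker-compose.yaml and the container's configured environment, not out of the running process.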

Type: Improvement
Priority: Normal