Add support for Docker Secrets by reading secrets files #3989
Comments
@dcultrera Do you mean document this way of adding the secret in docker-compose? (I don't think Hasura needs to provide any support for this, this is a pure docker thing?)
Hi @tirumaraiselvan, thanks for your reply! I don't think it is purely a Docker thing: when Hasura starts up, it expects to receive those credentials as environment variables. The proposed change is to enable Hasura to read them from the specified files. Docker Compose/Swarm is not the only orchestrator that suggests passing credentials this way. For example, Hashicorp's Nomad does the same with Vault secrets: they are made available to a container as files, without the host system being aware of the secrets themselves.
@dcultrera Gotcha! This makes sense.
@tirumaraiselvan thanks! I'd be happy to try and make a PR for this myself :) Could I have some pointers as to where to get started?
@dcultrera That'd be awesome. You will need to add a server flag/environment variable. You can see this file where all server start options are specified: https://github.com/hasura/graphql-engine/blob/master/server/src-lib/Hasura/Server/Init.hs. Then you need to resolve this new flag/variable in here: https://github.com/hasura/graphql-engine/blob/master/server/src-lib/Hasura/Server/Init.hs#L325
@tirumaraiselvan thank you for your help! I will have a go at it soon :)
@dcultrera Did you have a chance to look at implementing this?
@dcultrera Any updates on this ticket?
Thanks for the update @dcultrera. @D3CK3R I'm handling this in a custom Docker image (required for a different migration strategy), so won't be in a position to contribute either, sorry.
Is there any workaround for this issue until fixed? It really seems like a bad idea in 2020 to just paste a superuser postgres password in plaintext. |
Here's a workaround to use docker secrets:

```yaml
graphql-engine:
  image: hasura/graphql-engine:v1.3.0
  # "$$" is Compose's escape for a literal "$", so the subshells run inside the container
  command: sh -c 'graphql-engine --database-url "postgres://postgres:$$(cat /run/secrets/postgres_pass)@db:5432/postgres" serve --admin-secret "$$(cat /run/secrets/admin_secret)"'
  secrets:
    - postgres_pass
    - admin_secret
```

Obviously, you'll need to fill in the rest of the config like networks, ports, etc. You can still pass environment variables like
Can we get an update on this issue from the Hasura team? I was using the workaround above by @korylprince, but it doesn't work with the cli-migrations-v2 image.
You can also store the secrets in a
Environment variables can be unintentionally leaked between containers. This is why this issue deserves a higher priority if you ask me. |
It's been two years.
Actually, the HASURA_GRAPHQL_DYNAMIC_SECRETS_ALLOWED_PATH_PREFIX does what we need. Like every variable could follow the
I looked around and is it correct that changes need to be made to just this file: |
You could add it to the
Currently, the only way to pass secrets (DB credentials, Hasura admin secret) to Hasura is by environment variables. For users of Docker Compose or Docker Swarm, this means these secrets have to be stored in plaintext, which presents security risks.
It would be great to build support for Docker Secrets (or even Vault), by adding the following environment variables, as recommended by Docker:
If these variables are present, the access key and DB URL should be read from the corresponding files.
Docs: https://docs.docker.com/engine/swarm/secrets/#build-support-for-docker-secrets-into-your-images
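The `<VAR>_FILE` convention the issue asks for, written as a POSIX sh entrypoint helper (an added example for this thread, not code from Hasura or from the Docker docs). It assumes the `_FILE` suffix naming from the linked Docker page and Hasura's `HASURA_GRAPHQL_DATABASE_URL` / `HASURA_GRAPHQL_ADMIN_SECRET` variable names, which the issue body does not list; `HASURA_ENTRYPOINT` is a made-up guard variable.

```shell
#!/bin/sh
# Added example (not Hasura's code): an entrypoint helper implementing the
# Docker "<VAR>_FILE" convention, so secrets mounted under /run/secrets can
# be read from files instead of being passed as plaintext environment values.

# file_env VAR: if VAR_FILE is set, export VAR with that file's contents.
# Fails (return 1, message on stderr) when both are set or the file is unreadable.
file_env() {
    var="$1"
    # Only accept a sane variable name before using it in eval.
    case "$var" in
        ''|*[!A-Za-z0-9_]*) echo "error: bad variable name '$var'" >&2; return 1 ;;
    esac
    file_var="${var}_FILE"
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"

    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set; choose one" >&2
        return 1
    fi
    # Nothing to resolve: leave $var exactly as the operator set it.
    [ -n "$file" ] || return 0
    if [ ! -r "$file" ]; then
        echo "error: $file_var points to unreadable file '$file'" >&2
        return 1
    fi
    # Command substitution drops trailing newlines, so an editor-added
    # newline does not end up inside the DB URL or admin secret.
    val=$(cat "$file")
    export "$var=$val"
    # Do not leave the secret's path lying around for child processes.
    unset "$file_var"
}

# Resolve Hasura's two secrets (variable names assumed from Hasura's docs),
# then exec the server so it inherits the populated environment.
hasura_entrypoint() {
    file_env HASURA_GRAPHQL_DATABASE_URL || return 1
    file_env HASURA_GRAPHQL_ADMIN_SECRET || return 1
    exec graphql-engine serve "$@"
}

# Start the server only when explicitly run as the entrypoint (HASURA_ENTRYPOINT=1
# is a made-up guard); sourcing the file just defines the functions above.
if [ "${HASURA_ENTRYPOINT:-0}" = "1" ]; then
    hasura_entrypoint "$@"
fi
```

With Compose, the service would list the secrets as in the workaround above and set `HASURA_GRAPHQL_DATABASE_URL_FILE=/run/secrets/<name>` instead of the plaintext value.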