Add support for docker compose secrets #430
Open
+62
−0
This PR fixes #429.

Docker Compose supports secrets through mounting files in `/run/secrets` with appropriate permissions. This is safer than passing them on the command line or directly through environment variables as it avoids the risk of the values showing up in execution history or logs.

Some other docker containers such as MySQL support this through the use of environment variables with `_FILE` appended, allowing for the variable to be set from a file rather than directly. I have copied the same logic from the MySQL `docker-entrypoint.sh`, instead choosing to append `_file` as it fits Ghost's config variables better.

I have tested this with my own setup by swapping out the `docker-entrypoint.sh` file in docker compose, and selected the following variables for `_file` support:

- `database__connection__host`
- `database__connection__user`
- `database__connection__password`
- `database__connection__database`
- `mail__auth__user`
- `mail__auth__pass`

I hope this is useful to someone else, and I don't believe it adds unnecessary complexity to the containers, or removes any existing functionality.
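
The `_file` lookup described above, as an added example for readers; it is not the code from this PR or from the MySQL image. The function name `load_secret`, the rejection of a variable set both ways, and the unsetting of the `_file` variable afterwards are assumptions modelled on the general `_FILE` convention.

```shell
#!/bin/sh
# Added example, not the PR's code. load_secret is a hypothetical helper name.

# load_secret NAME
#   If NAME_file is set, export the content of that file as NAME.
#   Returns 1 when NAME is not a plain identifier, when NAME and NAME_file
#   are both set, or when the file cannot be read.
load_secret() {
    _ls_var=$1
    _ls_file_var="${_ls_var}_file"

    # The name is expanded through eval below, so accept identifiers only.
    case $_ls_var in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "load_secret: invalid variable name" >&2
            return 1 ;;
    esac

    eval "_ls_val=\${$_ls_var-}"
    eval "_ls_path=\${$_ls_file_var-}"

    # Assumption: a value given both directly and by file is a config error.
    if [ -n "$_ls_val" ] && [ -n "$_ls_path" ]; then
        echo "load_secret: $_ls_var and $_ls_file_var are both set" >&2
        return 1
    fi

    if [ -n "$_ls_path" ]; then
        if [ ! -r "$_ls_path" ]; then
            echo "load_secret: cannot read file for $_ls_file_var" >&2
            return 1
        fi
        # Command substitution drops the trailing newline of the secret file.
        _ls_val=$(cat "$_ls_path")
        export "$_ls_var=$_ls_val"
    fi

    # Drop the path variable and the helper copies of the value.
    unset "$_ls_file_var" _ls_val _ls_path
    return 0
}

# The six variables listed in the PR description.
for name in database__connection__host database__connection__user \
            database__connection__password database__connection__database \
            mail__auth__user mail__auth__pass; do
    load_secret "$name" || exit 1
done
```

Error messages name the variables but never print the secret value or file content, so a failed start does not leak it into container logs.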