feat: add support for secret environment files #3

Open

hbenali wants to merge 3 commits into master from secrets

Conversation

@hbenali (Contributor) commented Oct 8, 2025

This commit introduces support for managing sensitive environment variables using secret files in the eXo Platform Docker image.

  • Environment variables prefixed with EXO_SEC_ and suffixed with _FILE are read from the specified file paths.
  • The file contents are exported as standard environment variables for use by the application.
  • Enables secure handling of passwords, API keys, and private keys without hardcoding them in Docker commands or Compose files.

Example usage:

  • EXO_SEC_DB_PASSWORD_FILE=/run/secrets/exo_db_password
  • EXO_SEC_MAIL_SMTP_PASSWORD_FILE=/run/secrets/exo_mail_smtp_password

@bourasom (Contributor) left a review comment:

LGTM

@bourasom (Contributor) commented:

If both envs (with SEC and without) are put, is there a priority? Shall we add a test on that?

hbenali and others added 2 commits March 26, 2026 07:21
This commit introduces support for managing sensitive environment variables
using secret files in the eXo Platform Docker image.

- Environment variables prefixed with EXO_SEC_ and suffixed with _FILE
  are read from the specified file paths.
- The file contents are exported as standard environment variables for
  use by the application.
- Enables secure handling of passwords, API keys, and private keys
  without hardcoding them in Docker commands or Compose files.

Example usage:
  EXO_SEC_DB_PASSWORD_FILE=/run/secrets/exo_db_password
  EXO_SEC_MAIL_SMTP_PASSWORD_FILE=/run/secrets/exo_mail_smtp_password
@houssemexo26 (Contributor) commented Mar 26, 2026

> If both envs (with SEC and without) are put, is there a priority? Shall we add a test on that?

Yes, direct environment variables should take priority over file-based secrets. This is the standard pattern in containerized environments (Docker Compose, Kubernetes). Added tests to verify:

  1. Direct variable > file secret when both exist

  2. File loads only when the direct variable is absent

  3. _FORCE flag allows override when needed

The priority logic prevents secrets from accidentally overriding explicit configuration and makes behavior predictable. Tests will catch regressions.

@houssemexo26 houssemexo26 requested a review from bourasom March 26, 2026 06:52
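The following POSIX sh script is an added worked example, not code from this PR or from the eXo Platform image (the image's own entrypoint is not shown on this page). It implements the mechanism described in the PR description (EXO_SEC_<NAME>_FILE is read from disk and exported as <NAME>) together with the three priority rules houssemexo26 lists: a directly set <NAME> wins, the file is used only when <NAME> is unset, and a force switch lets the file override. The switch name EXO_SEC_<NAME>_FORCE=true, the helper names and the fail-closed handling of a missing or unreadable secret file are assumptions of this example; the PR only says a _FORCE flag exists.

```shell
#!/bin/sh
# Added example (not the eXo image's entrypoint): resolve EXO_SEC_<NAME>_FILE
# variables into <NAME> with the priority rules from the PR discussion.
# Assumed naming: EXO_SEC_<NAME>_FORCE=true makes the file win over a
# directly set <NAME>.

# Read one secret file. Command substitution at the call site strips
# trailing newlines, which Docker/Compose secret files usually carry.
# Fails (instead of returning an empty string) when the file is missing or
# unreadable, so the application does not start with an empty password.
read_secret_file() {
  if [ ! -r "$1" ]; then
    echo "secret file '$1' is missing or not readable" >&2
    return 1
  fi
  cat "$1"
}

# Walk every exported EXO_SEC_<NAME>_FILE variable and export <NAME>.
# Returns 1 if any referenced file could not be read; already-resolved
# secrets stay exported so the caller can decide whether to abort.
load_file_secrets() {
  status=0
  # Only exported variables appear in env, which is exactly what the
  # container process would see. The pattern restricts <NAME> to a valid
  # shell identifier, which keeps the eval calls below safe.
  for file_var in $(env | sed -n 's/^\(EXO_SEC_[A-Za-z_][A-Za-z0-9_]*_FILE\)=.*/\1/p'); do
    name=${file_var#EXO_SEC_}
    name=${name%_FILE}
    force_var="EXO_SEC_${name}_FORCE"

    eval "path=\${$file_var}"
    eval "current=\${$name:-}"
    eval "force=\${$force_var:-false}"

    if [ -z "$path" ]; then
      continue
    fi

    # Rules 1 and 2: a direct <NAME> takes priority over the file.
    # Rule 3: the assumed _FORCE switch lets the file override it.
    if [ -n "$current" ] && [ "$force" != "true" ]; then
      continue
    fi

    if value=$(read_secret_file "$path"); then
      export "$name=$value"
    else
      status=1
    fi
  done
  return $status
}

# Typical entrypoint use (kept commented so the file can be sourced):
#   load_file_secrets || exit 1
#   exec "$@"
```

Two caveats a practitioner would want with this pattern: resolve the files before the entrypoint drops privileges or switches user, since /run/secrets is often readable only by the user the secret was mounted for, and never echo the resolved values into startup logs, which would defeat the point of keeping them out of Compose files.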