proxmox-exporter can't be parametrized with docker secrets #54
Comments
I'm not all that familiar with Docker Secrets, as I mostly use k8s, where their Secrets can be mounted into the container as environment variables. From what I can tell, Docker Secrets can only be mounted as files, with an ability to specify the path to the file in an environment variable. I can see where this wouldn't support that, as the code isn't written to take in files containing those values. Can you help me with understanding the value of Docker's version of "secrets"? They seem to just be a file on the host, versus an environment variable supplied to the container? And I guess the main security win for using them would be if you had a multi-tenant Docker host with multiple teams or otherwise unrelated people running Docker commands on that host from different Linux users. And even at that point, if a person has the access to run docker commands, they usually have some form of root/sudo-ing privileges to interact with the docker daemon... Is that your use case? Seems fairly niche, and I'm not sure there's much value in Docker's version of "secrets" personally. Especially if it's not a multi-tenant docker host anyway. It just moves the secret from the docker-compose yaml file to a different text file 🤔
And Docker Secrets seem even less useful for the multi-tenant docker host situation... The container for proxmox-exporter doesn't have a shell and all the binary utilities that tend to come alongside a Linux shell. But in other containers, like Maybe some kind of situation where the host OS is multi-tenant but only my Linux user has permission to run docker CLI commands? But that doesn't sound like a reasonable situation that would ever really occur. Let me know what your thoughts are on this, I'm leaning to not supporting Docker's Secrets because they seem a bit like security theater anyway.
My apologies for wording it poorly from the start. My question is whether it is possible to add an option to read at least the token from an arbitrary file on the filesystem. That will allow the utilization of secret mechanics in both Kubernetes and Docker Swarm. I think the secret mechanics allow for the very effective decoupling of secret material from configuration, which helps to avoid leaking sensitive data into the codebase. You are completely right that with sufficient access permissions on the host, a secret is not a secret regardless of whether it is in a file on tmpfs or in the env variable. But again, the purpose of secrets is to allow people to share the working configuration in a public repo and be sure that secret material was not published. I'm aware of several ways how other projects usually achieve that:
I usually do this with j2-style templating, similar to Ansible's template module. But I'll usually make the file I put in git a j2 template, and render it and deploy it in CI using CI secrets added to the CI job's environment variables. There are a few tools for this besides Ansible, including j2cli, p2cli, and jinjanator. Noting that this is already a solved problem, I actually do think your ask here makes sense to do anyway for the sake of flexibility. But the way I'll probably solve it is with a configuration file, where you'd be able to mount a whole file containing all of the config parameters for proxmox-exporter.
Somewhat related to this, for Kube I ended up adding something like that to make it easier to work with my existing secret management system.
I tried to populate PROXMOX_EXPORTER_PROXMOX_TOKEN and PROXMOX_EXPORTER_PROXMOX_TOKEN_ID using docker secrets but failed to do so. I expected to use the trick I saw in Authentik: set the environment variable to file:///run/secrets/SOMESECRET. That way, when it is processed in the Go code, the variable is set with the contents of the file /run/secrets/SOMESECRET. Unfortunately, that did not work.
I'm not a Go expert in any approximation, but hopefully something similar to this https://github.com/goauthentik/authentik/blob/a6225ad7a7880a5e1e63225e81084e27c35fe626/internal/config/struct.go could be implemented for the exporter?
Here's my log
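The file:// indirection the reporter describes above, and the "read the token from a file" option asked for earlier in the thread, can both be served by one small resolver. The following is an added example, not code from proxmox-exporter or from Authentik: a value that starts with file:// is replaced by the contents of the named file (trailing newlines stripped, since editors and `docker secret create` commonly leave one), anything else is passed through unchanged, and a missing file is a hard error rather than a silently empty token. The env var names are the ones from the issue; the file path and contents in main are constructed for the demonstration, and the size cap is an assumption chosen so a wrong path (say, a device file) cannot make the process read unbounded input.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// filePrefix marks a value that should be read from disk instead of used literally,
// e.g. PROXMOX_EXPORTER_PROXMOX_TOKEN=file:///run/secrets/proxmox_token.
const filePrefix = "file://"

// maxSecretBytes bounds how much we read from a referenced file (assumed limit).
const maxSecretBytes = 64 * 1024

// resolveSecret returns raw unchanged unless it carries the file:// prefix, in
// which case the file's contents (minus trailing CR/LF) are returned instead.
func resolveSecret(raw string) (string, error) {
	if !strings.HasPrefix(raw, filePrefix) {
		return raw, nil
	}
	path := strings.TrimPrefix(raw, filePrefix)
	if path == "" {
		return "", errors.New("file:// reference has an empty path")
	}
	f, err := os.Open(path)
	if err != nil {
		// Fail loudly: an unreadable secret must not degrade into an empty credential.
		return "", fmt.Errorf("open secret file %q: %w", path, err)
	}
	defer f.Close()

	// Read one byte past the cap so an oversized file is detected, not truncated.
	data, err := io.ReadAll(io.LimitReader(f, maxSecretBytes+1))
	if err != nil {
		return "", fmt.Errorf("read secret file %q: %w", path, err)
	}
	if len(data) > maxSecretBytes {
		return "", fmt.Errorf("secret file %q exceeds %d bytes", path, maxSecretBytes)
	}
	return string(bytes.TrimRight(data, "\r\n")), nil
}

// lookupSecret reads the named environment variable and resolves any file://
// indirection. An unset variable is reported as an error so callers can
// distinguish "not configured" from "configured with an empty string".
func lookupSecret(name string) (string, error) {
	raw, ok := os.LookupEnv(name)
	if !ok {
		return "", fmt.Errorf("%s is not set", name)
	}
	return resolveSecret(raw)
}

func main() {
	// Constructed demo: stand in for a mounted Docker/Swarm secret file.
	dir, err := os.MkdirTemp("", "secret-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	tokenPath := filepath.Join(dir, "proxmox_token")
	if err := os.WriteFile(tokenPath, []byte("constructed-demo-token\n"), 0o600); err != nil {
		panic(err)
	}

	os.Setenv("PROXMOX_EXPORTER_PROXMOX_TOKEN_ID", "exporter@pve!metrics") // literal value
	os.Setenv("PROXMOX_EXPORTER_PROXMOX_TOKEN", filePrefix+tokenPath)     // file:// reference

	for _, name := range []string{"PROXMOX_EXPORTER_PROXMOX_TOKEN_ID", "PROXMOX_EXPORTER_PROXMOX_TOKEN"} {
		v, err := lookupSecret(name)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		// Never log the secret itself; report only that it resolved and its length.
		fmt.Printf("%s resolved (%d bytes)\n", name, len(v))
	}
}
```

Keeping the resolver separate from the config struct means the same function can back both the env-var path and a future config-file option: whichever loader produces the string, it calls resolveSecret before the value is used.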