Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for reading passwords from _FILE suffixed env vars #1881

Closed
wants to merge 1 commit into from

Conversation

miralgj
Copy link

@miralgj miralgj commented Sep 20, 2023

Read sensitive values from _FILE suffixed env vars. Request #1868

@acelaya
Copy link
Member

acelaya commented Nov 5, 2023

Sorry for the long delay before coming back to you, and thanks for the contribution.

I just wanted to let you know that this is on my radar, but there's a lot on my plate at the moment when it comes to Shlink, so I'm trying to keep focused on the planned work.

That said, I read this when it was created, and I have some concerns with the approach (mainly with its complexity, as those bash lines are very hard to understand, even though they do the job).

The only reason I haven't followed up is that I didn't have the time to put some thought on this, so keep it tight.

I will try to get back to this early next year. Hopefully I have been able to publish Shlink 3.7 and shlink-web-client 4.0 by then and can save some mental space to get back to this.

@miralgj
Copy link
Author

miralgj commented Nov 5, 2023 via email

@Natetronn
Copy link

I'd love to see this implemented as well!

Although, if I may, I'd like to request more than just DB_PASSWORD and RABBITMQ_PASSWORD. I think there are quite a few other ones that could be added, including more of the DB env vars (user names, ports and hosts, for example) and also some more from the other 3rd party services.

Not sure it matters, or is even helpful or not, since Splink's env vars probably won't carry over, but I thought I'd add some context from the DBs about their env vars. These are the ones that have a _FILE version. Maybe researching into how they are managing their implementations could be insightful:

postgres - Source

image

MySQL - Source

image

MariaDB - Source

image

Note: I didn't see any on MSSQL's DockerHub, but it's possible they exist.

@acelaya
Copy link
Member

acelaya commented Feb 10, 2024

As I mentioned in my first comment, my main concern with this approach is that it's quite complex to follow.

I'm working on a different approach implemented in PHP, which is easier to read and test.

I appreciate the effort @miralgj. Your implementation has definitely paved the road and simplified next steps.

@acelaya acelaya closed this Feb 10, 2024
@acelaya
Copy link
Member

acelaya commented Feb 10, 2024

This should do the trick #1994. I have just tested it locally and seems to work.

One benefit of that approach is that it supports the _FILE suffix on any existing and future env var.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants