Hi Alex, That’s a good idea about file.
Can you please create a Jira about that ? Regards JB > Le 26 mai 2020 à 19:57, Alex Soto <alex.s...@envieta.com> a écrit : > > Thank you Mike, > > Still finding this too complex and less secure solution to an arguably common > problem (at least when using Docker). Currently, I can have the following in > a configuration file: > > org.ops4j.pax.web.ssl.password=${env:MYPASSWORD} > > And, as the documentation states: > >> Environment variables can be referenced inside configuration files using the >> syntax ${env:<name>} (e.g. property=${env:FOO} will set "property" to the >> value of the enviroment variable "FOO"). > > Karaf will use the value from the environment variable; however, with this > approach, the secret is replicated/copied in two places, 1) the default > location '/run/secrets/‘ put there by Docker engine, and in the environment > variable. > > I suppose one can think of simpler Karaf mechanism to inject values from > files in config files. For example, > > org.ops4j.pax.web.ssl.password=${file:/run/secrets/mypassword} > > So, when Karaf’s see the prefix $file: it will get the content of the file > and use it as the value of the configuration key. > This way, 1) I don’t have to write a complex script to copy the secret into > the environment variable and 2) the secret is only in one place. > > Best regards, > Alex soto > > > > >> On May 24, 2020, at 7:27 AM, Mike Hummel <m...@mhus.de >> <mailto:m...@mhus.de>> wrote: >> >> Hi Alex, >> >> I understand that you should not use the '-e' flags for secrets. A common >> way is to define the secret file with an environment flag and load it. And >> in this way you can sopport both. Environment and secrets. >> >> A nice sample is >> https://github.com/docker-library/wordpress/blob/master/docker-entrypoint.sh >> <https://github.com/docker-library/wordpress/blob/master/docker-entrypoint.sh> >> >> Regards, >> >> Mike >> >> >>> On 19. May 2020, at 18:22, Alex Soto <alex.s...@envieta.com >>> <mailto:alex.s...@envieta.com>> wrote: >>> >>> Thanks Mike, >>> >>> Yes, that would work, but wasn’t the secret mechanism added precisely to >>> avoid the unsafe environment variables? >>> >>> >>> Best regards, >>> Alex soto >>> >>> >>> >>> >>>> On May 18, 2020, at 2:57 PM, Mike Hummel <m...@mhus.de >>>> <mailto:m...@mhus.de>> wrote: >>>> >>>> Hi, >>>> >>>> store your secrets as bash script with >>>> >>>> key=value >>>> >>>> and include the secret in your start script >>>> >>>> . /run/secrets/credentials.sh >>>> >>>> Now the secrets are available as shell environment. >>>> >>>> Regards, >>>> >>>> Mike >>>> >>>> >>>>> On 5. May 2020, at 22:16, Alex Soto <alex.s...@envieta.com >>>>> <mailto:alex.s...@envieta.com>> wrote: >>>>> >>>>> I found using Docker Secrets a convenient a way to protect passwords when >>>>> running Docker containers. I know I can reference an environment >>>>> variables in Karaf's config files, but that is not very secure, or at >>>>> least less secure than secrets. For example, to configure a key store in >>>>> the Pax Web config file: org.ops4j.pax.web.cfg one would need to provide >>>>> a value for key org.ops4j.pax.web.ssl.password. The problem is how to >>>>> reference a secret, which is a file, as the value of this property? In >>>>> other words, I am looking for something like: >>>>> >>>>> org.ops4j.pax.web.ssl.password=$(cat /run/secrets/keystorepass) >>>>> >>>>> Is there anything similar or planned? >>>>> >>>>> (Same would be useful to configure the JAAS users in users.properties, >>>>> etc.) >>>>> >>>>> Best regards, >>>>> Alex soto >>>>> >>>>> >>>>> >>>>> >>>> >>> >> >