Mount secrets as files

My app requires TLS certs in a path. Is it possible to mount secrets as files?

I think you will find the answer in this thread. Let me know if it’s not the case.

Thanks Romaric! I’ve seen this solution. Does this mean that I’ve to modify my application to use env variables instead of files?

If so, these are significant changes from my end. Is there any other way to mount secrets?

I think it’s a best practice to use environment variables instead of files in a cloud native context. So I’d highly suggest making those changes.

@rophilogene Maybe for new applications. But there are third-party open-source applications (that we depend on) which use files.

@rophilogene Is it OK if I apply kube secrets on my environment directly via kubectl?

Can you give more details about the application you need to deploy?

I’d not recommend it. Qovery provides everything you need to manage secrets (minus mounting a secret file, since it’s a bad practice in our experience).

Secret documentation is available here:

https://hub.qovery.com/docs/using-qovery/configuration/secret/

I want to deploy the mosquitto broker. There are several options in the config file which require file paths (for CA, server certs and ACLs).

You need then to put a mosquitto.conf file and load the secrets from the Qovery secrets.

mosquitto.conf is not the problem. The file paths in the mosquitto conf are the issue.

E.g. contents of mosquitto.conf:

# location of ca certificate file
cafile /etc/certs/ca.cert.pem
# location of server certificate file
certfile /etc/certs/server.cert.pem
# location server key file
keyfile /etc/certs/server.key.pem

The mosquitto server during runtime expects these files in the above defined paths (in mosquitto.conf).

I realize I can include regular files in the docker image, but these are sensitive files which vary per environment.

I’ve taken the mosquitto server as an example to demonstrate applications depending on secret files (instead of secret env variables), but I feel this is a very common pattern for servers.

Hi @RaviTeja_K ,

I think your point is a good one. Could you please make a request on our public roadmap, so you can follow it: https://roadmap.qovery.com.

In the meantime, what I can suggest to you is to base64 the content of your file, set it as an environment variable, then just before running your app (in the RUN/ENTRYPOINT part of your Dockerfile), check if this var exists, base64 decode it and store the output in a file.

Small example of your Dockerfile:

COPY run.sh /
# ENTRYPOINT, not RUN: decoding must happen at container start, when the
# secret variable exists, not at image build time.
ENTRYPOINT ["/run.sh"]

And in the run.sh:

#!/bin/bash
if [[ -z "${SECRET_FILE}" ]]; then
  echo "SECRET_FILE is undefined"
else
  echo "SECRET_FILE found"
  # Quote the variable so the base64 input is passed unchanged; restrict the
  # decoded file to the owner before the app reads it.
  umask 077
  echo "${SECRET_FILE}" | base64 -d > /secret
fi

exec /my_app -f /secret

So your program will be able to read it. Would it be ok for you?
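The workaround above, carried through for the mosquitto case, as an added example that is not code from the thread or from Qovery: a POSIX sh entrypoint that turns each base64 environment variable into an owner-only file, refuses to start when a variable is missing or undecodable, and leaves no partial file behind. Function and variable names (materialize_secret, MOSQUITTO_*_B64, SECRET_DIR) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: decode a base64-encoded environment
# variable into a file only the app's user can read, then start the app.
# Function and variable names (materialize_secret, MOSQUITTO_*_B64, SECRET_DIR)
# are assumptions, not Qovery or mosquitto conventions.

# materialize_secret VAR_NAME DEST_PATH
#   Writes the base64-decoded value of $VAR_NAME to DEST_PATH with mode 0600.
#   Returns 1 if the variable is unset or empty, 2 if its value is not valid
#   base64 (no partial file is left behind), 3 if VAR_NAME is not an identifier.
materialize_secret() {
  var_name="$1"
  dest="$2"
  # Only identifier-shaped names reach the eval below.
  case "$var_name" in
    ""|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name: $var_name" >&2; return 3 ;;
  esac
  eval "value=\${$var_name:-}"
  if [ -z "$value" ]; then
    echo "$var_name is undefined; refusing to start without it" >&2
    return 1
  fi
  # umask in a subshell: the file is owner-only from creation, and the caller's
  # umask is untouched. Decoding errors from base64 are reported by exit status.
  if ! ( umask 077; printf '%s' "$value" | base64 -d > "$dest" ) 2>/dev/null; then
    rm -f "$dest"
    echo "$var_name is not valid base64" >&2
    return 2
  fi
}

# Constructed sample so the script runs offline; in a container this variable
# would be injected by Qovery from a secret.
MOSQUITTO_CA_B64=$(printf 'constructed sample CA\n' | base64)
export MOSQUITTO_CA_B64

main() {
  dir="${SECRET_DIR:-${TMPDIR:-/tmp}/mosquitto-certs}"
  mkdir -p "$dir"
  # One variable per file the conf references; any missing one aborts startup.
  materialize_secret MOSQUITTO_CA_B64 "$dir/ca.cert.pem" || exit $?
  # materialize_secret MOSQUITTO_SERVER_CERT_B64 "$dir/server.cert.pem" || exit $?
  # materialize_secret MOSQUITTO_SERVER_KEY_B64 "$dir/server.key.pem" || exit $?
  # exec mosquitto -c /mosquitto/config/mosquitto.conf   # conf paths point at $dir
  echo "wrote $dir/ca.cert.pem"
}

main "$@"
```

Point cafile/certfile/keyfile in mosquitto.conf at the directory this script writes to, and set SECRET_DIR if that directory is not the default.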

@Pierre_Mavro That’s a good workaround. Thanks!