Mount secrets as files

My app requires tls certs in a path. Is it possible to mount secrets as files

I think you will find the answer in this thread. Let me know if it’s not the case.

Thanks Romaric! I’ve seen this solution. Does this mean that I’ve to modify my application to use env variables instead of files?

If so, these are significant changes from my end. Is there any other way to mount secrets?

I think it’s a best practice to use environnement variables instead of files in a cloud native context. So I’ll highly suggest to make those changes.

@rophilogene Maybe for new applications. But there are third party opensource applications (that we depend on) which use files

@rophilogene Is it ok if apply kube secrets on my environment directly via kubectl?

Can you give more details about the application you need to deploy?

I’d not recommend. Qovery provides everything you need to manage secrets. (minus mounting a secret file since it’s a bad practice in our experience)

Secret documentation is available here:

I want to deploy mosquitto broker. There are several options in config file which requires file paths (for ca, server certs and acls)

You need then to put a mosquitto.conf file and load the secrets from the Qovery secrets.

mosquitto.conf is not the problem. File paths in mosquitto conf is the issue

E.g contents of mosquitto.conf

# location of ca certificate file
cafile /etc/certs/ca.cert.pem
# location of server certificate file
certfile /etc/certs/server.cert.pem
# location server key file
keyfile /etc/certs/server.key.pem

Mosquitto server during runtime expects these files in the above defined paths (in mosquitto.conf).

I realize I can include regular files in the docker image but these are sensitive files which vary per environment

I’ve taken mosquitto server as a example to demonstrate applications depending on secret files (instead of secret env variables) but I feel this is a very common pattern for servers

Hi @RaviTeja_K ,

I think your point is a good one. Could you please make a request to our public roadmap, so you can follow it https://roadmap.qovery.com.

In the meantime, what I can suggest to you is to base64 the content of your file, set it as an environment variable, then just before running your app (in the RUN/ENTRYPOINT part of your Dockerfile), check if this var exists, bade64 decode it and store the output in a file.

Small example of your Dockerfile:

ADD run.sh /
RUN ["/run.sh"]

And in the run.sh:

if [[ -z "${SECRET_FILE}" ]]; then
  echo "SECRET_FILE is undefined"
else
  echo "SECRET_FILE found"
  echo $SECRET_FILE | base64 -d > /secret
fi

/my_app -f /secret

So your program will be able to read it. Would it be ok for you?

@Pierre_Mavro That’s a good work around. Thanks! :slight_smile:

2 Likes