@bj00rn bj00rn commented Jun 28, 2025

Support docker secrets for sensitive data

Use corresponding ENV variable with _FILE suffix to read argument from file

Order of precedence is

  1. If ENV variable is set, always use value of ENV variable as default
  2. If ENV_FILE variable is not falsy, use value to read default from file

@bj00rn bj00rn force-pushed the feat/support-docker-secrets branch from 3c6e662 to c26264c Compare June 28, 2025 14:18
@bj00rn bj00rn force-pushed the feat/support-docker-secrets branch from c26264c to c0ae7aa Compare June 28, 2025 14:23
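
The precedence described in the pull request description above, as an added example that is not code from this pull request or from the project. The names `resolve_secret`, `EnvOrFileDefault` and `MQTT_PASSWORD` are hypothetical, and treating a variable set to an empty string as "set" is an assumption.

```python
import argparse
import os
import tempfile
from pathlib import Path


def resolve_secret(name, environ=None):
    """NAME wins if set (even if empty, an assumption); else read the NAME_FILE path."""
    environ = os.environ if environ is None else environ
    if name in environ:
        return environ[name]
    path = environ.get(f"{name}_FILE")
    if not path:  # unset or empty: nothing to read
        return None
    try:
        # Secret files often end with a newline; strip line endings only.
        return Path(path).read_text(encoding="utf-8").rstrip("\r\n")
    except OSError as exc:
        # Name the variable and path in the error, never the file content.
        raise ValueError(f"{name}_FILE: cannot read {path!r}: {exc.strerror}") from exc


class EnvOrFileDefault(argparse.Action):
    """Hypothetical argparse action whose default comes from NAME or NAME_FILE."""

    def __init__(self, envvar, environ=None, required=False, default=None, **kwargs):
        resolved = resolve_secret(envvar, environ)
        if resolved is not None:
            default, required = resolved, False  # a resolved value satisfies "required"
        super().__init__(default=default, required=required, **kwargs)

    def __call__(self, parser, namespace, values, option_string=None):
        setattr(namespace, self.dest, values)  # an explicit CLI value still overrides


def demo():
    # Constructed sample: a temp file stands in for a mounted secret file.
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "mqtt_password"
        secret.write_text("s3cret-from-file\n", encoding="utf-8")
        env = {"MQTT_PASSWORD_FILE": str(secret)}  # hypothetical variable name
        parser = argparse.ArgumentParser()
        parser.add_argument("--mqtt-password", action=EnvOrFileDefault,
                            envvar="MQTT_PASSWORD", environ=env, required=True)
        from_file = parser.parse_args([]).mqtt_password
        env["MQTT_PASSWORD"] = "from-env"  # now both are set: the plain variable wins
        return from_file, resolve_secret("MQTT_PASSWORD", env)
```
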
Contributor

nanomad commented Jun 29, 2025

@bj00rn Good point, but I'd rather rely on a more generic approach than to extend the already kind of unmaintainable parser.

I'd integrate a library such as python-dotenv and replace EnvDefault to look up the data from the values coming from there instead.

import os

from dotenv import dotenv_values

# Values from the process environment override values read from the .env file
config = {**dotenv_values(".env"), **os.environ}  # config = {"USER": "foo", "EMAIL": "[email protected]"}

Author

bj00rn commented Jun 30, 2025

> @bj00rn Good point, but I'd rather rely on a more generic approach than to extend the already kind of unmaintainable parser.
>
> I'd integrate a library such as python-dotenv and replace EnvDefault to look up the data from the values coming from there instead.
>
> from dotenv import dotenv_values
>
> config = {**dotenv_values(".env"), **os.environ}  # config = {"USER": "foo", "EMAIL": "[email protected]"}

Agree. There is a caveat with python-dotenv and docker-compose though, since python-dotenv defaults to reading from the .env file, which is picked up by docker-compose IF the file is present in the compose project root. I'm guessing a lot of less experienced users will fall into this trap.

Bad example

# docker-compose.yml
services:
  mqtt-gateway:
    # ...
    volumes:
      - ./.env # <-- problematic since .env is already read by compose and variables already set globally in the container.

Working example

# docker-compose.yml
services:
  mqtt-gateway:
    # ...
    volumes:
      - ./.config.env:/.env

Author

bj00rn commented Jul 1, 2025

#366

Contributor

nanomad commented Jul 1, 2025

@bj00rn Agreed but I'd rather supply a proper compose instead

@nanomad nanomad closed this Jul 1, 2025