Skip to content

Use docker secrets for EDL credentials#134

Merged
chuckwondo merged 1 commit intodevelopfrom
docker-secrets
Feb 9, 2026
Merged

Use docker secrets for EDL credentials#134
chuckwondo merged 1 commit intodevelopfrom
docker-secrets

Conversation

@chuckwondo
Copy link
Contributor

@chuckwondo chuckwondo commented Feb 5, 2026

Fixes #126

@chuckwondo chuckwondo requested a review from hrodmn February 5, 2026 15:41
hrodmn
hrodmn approved these changes Feb 5, 2026
View reviewed changes
Copy link
Contributor

@hrodmn hrodmn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The flexibility of being able to use .netrc or the EARTHDATA_* env vars is nice, but my preference would be to just require the env vars for simplicity's sake. The (gitignored) plain text files for credentials feels clunky to me, but I trust your judgement on this @chuckwondo!

docker-compose.yml
Comment on lines +7 to +10
earthdata-username:
file: ./secrets/earthdata-username.txt
earthdata-password:
file: ./secrets/earthdata-password.txt
Copy link
Contributor

@hrodmn hrodmn Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could all be a lot simpler if we simply instructed users to set the EARTHDATA_USERNAME and EARTHDATA_PASSWORD env vars. Then we wouldn't need the secret-writing script.

Suggested change
earthdata-username:
file: ./secrets/earthdata-username.txt
earthdata-password:
file: ./secrets/earthdata-password.txt
earthdata-username:
environment: "EARTHDATA_USERNAME"
earthdata-password:
environment: "EARTHDATA_PASSWORD"

Copy link
Contributor Author

@chuckwondo chuckwondo Feb 5, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, using the env vars for the secrets is unreliable. There's a known issue for docker compose where it does not properly pass through the env vars to the secrets for docker, which is why I ended up going the route of the files, which is completely reliable, if a bit clunky.

It is possible for the env vars to be defined, but when building the image via docker compose, the secrets are populated as empty strings. In our case, that means the .netrc is written with blank values for the username and password, so the image is built without error, but when the app starts, it bombs because the creds are blank.

I had originally taken the approach you suggested above, but ran into this issue, which drove me nuts until I found the various issues around this. Some are marked as closed, but there still seems to be a problem, which might be macOS-specific, but I really don't know.

Unfortunately, the only reliable alternative was the file-based approach.

Copy link
Contributor Author

@chuckwondo chuckwondo Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

However, if you feel this is perhaps too annoying, I'd be willing to avoid dealing with docker secrets since this is only for local development, so there's no serious security concern if we stick with env vars.

Let me know if that's what you'd prefer and I'll just close this PR without merging, and mark the related issue as "not planned".

@chuckwondo chuckwondo merged commit a71fd03 into develop Feb 9, 2026
4 checks passed
@chuckwondo chuckwondo deleted the docker-secrets branch February 9, 2026 22:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hrodmn hrodmn hrodmn approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Use Docker secrets for Earthdata Login credentials for local development

2 participants

@chuckwondo @hrodmn