Support for postgres database with password and docker secrets · pantsel/konga#323

(3 comments) (0 reactions) (0 assignees)JavaScript (4,258 stars) (810 forks)batch import

enhancementhelp wanted

Description

Hi, I'm currently planning a setup of kong and konga in a docker swarm environment and I got pretty far for now. The related part of my compose file:

  # kong:
  kong-migrations:
    image: "kong:1.0.0"
    command: kong migrations bootstrap
    depends_on:
      - postgres
    environment:
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: kong
      KONG_PG_HOST: postgres
      KONG_PG_USER: kong
    configs:
      - source: kong_entrypoint_overwrite
        target: /kong_entrypoint_overwrite.sh
        mode: 0770
    secrets:
      - postgres_user_passwd
    entrypoint:
      /kong_entrypoint_overwrite.sh
    deploy:
      restart_policy:
        condition: on-failure

  kong:
    image: "kong:1.0.0"
    depends_on:
      - postgres
      - kong-migrations
    environment:
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: '0.0.0.0:8001'
      KONG_CASSANDRA_CONTACT_POINTS: postgres
      KONG_DATABASE: postgres
      KONG_PG_DATABASE: kong
      KONG_PG_HOST: postgres
      KONG_PG_USER: kong
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
    ports:
      - "9005:8000/tcp"
      - "9006:8001/tcp"
      - "9007:8443/tcp"
      - "9008:8444/tcp"
    configs:
      - source: kong_entrypoint_overwrite
        target: /kong_entrypoint_overwrite.sh
        mode: 0770
    secrets:
      - postgres_user_passwd
    entrypoint:
      /kong_entrypoint_overwrite.sh
    command:
      - kong
      - docker-start

  konga-prepare:
    image: pantsel/konga:next
    depends_on:
      - postgres
    # This is ugly and I really would like to get rid of having the password in plain text in the command
    command: "-c prepare -a postgres -u postgresql://konga:<secret_password>@postgres:5432/konga"
    deploy:
      restart_policy:
        condition: on-failure
    secrets:
      - postgres_user_passwd

  konga:
    image: pantsel/konga:next
    depends_on:
      - kong
    ports:
      - 9009:1337
    environment:
      - DB_ADAPTER=postgres
      - DB_HOST=postgres
      - DB_DATABASE=konga
      - DB_USER=konga
      - NODE_ENV=production
    configs:
    - source: konga_entrypoint_overwrite
      target: /konga_entrypoint_overwrite.sh
      mode: 0770
    secrets:
      - postgres_user_passwd
      - konga_jwt_token
    entrypoint:
      /konga_entrypoint_overwrite.sh

Currently I had to overwrite the entry point scripts of kong and konga to use docker secrets. The scripts are pretty simple and follows the schema:

export KONG_PG_PASSWORD=$(cat /run/secrets/postgres_user_passwd)
source /docker-entrypoint.sh "$@"

But I would really like to have support for something like:

environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_passwd

As supported in the postgres docker image. This would remove a lot of clutter from my compose file and I hope will benefit others that are trying to make their docker world a little bit safer. I'm pretty new to docker, but if you like I could try to create a PR for this feature.

Contributor guide

Tech stack: dockerpostgresqljavascriptnodejs
Domain: backenddevopssecurity
Issue type: feature
Difficulty: 3
Estimated time: 1-3 hours
Activity status: stale
Clarity: clear
Prerequisites: Basic Docker knowledgeNode.jsFamiliarity with environment variables
Newbie friendliness: 65
Research direction: Investigate the current Docker setup in the Konga repository, specifically the entrypoint scripts (e.g., /konga entrypoint overwrite.sh) and how database credentials are passed. Look at existing environment variables like DB ADAPTER, DB HOST, etc. See if any prior comments or PRs discuss this feature. The goal is to implement support for reading password from a Docker secret file, similar to the official PostgreSQL image.