Add support for Docker Secrets by reading secrets files · hasura/graphql-engine#3989

(19 评论) (27 反应) (1 负责人)TypeScript (31,371 star) (2,787 fork)batch import

a/securityc/serverhelp wantedk/enhancement

描述

Currently, the only way to pass secrets (DB credentials, Hasura admin secret) to Hasura is only by environment variables. For users of Docker Compose or Docker Swarm, this means these secrets have to be stored in plaintext, which presents security risks.

It would be great to build support for Docker Secrets (or even Vault), by adding the following environment variables, as recommended by Docker:

HASURA_GRAPHQL_ACCESS_KEY_FILE
HASURA_GRAPHQL_DATABASE_URL_FILE

If these variables are present, the access key and DB URL should be read from the corresponding files.

Docs: https://docs.docker.com/engine/swarm/secrets/#build-support-for-docker-secrets-into-your-images

贡献者指南

技术栈: typescriptnodejsgraphqldocker
领域: backendsecurityinfrastructure
议题类型: feature
难度: 3
预计时间: half day
活动状态: stale
清晰度: clear
前置要求: Familiarity with Hasura configurationDocker basicsFile I/O in Node.jsEnvironment variable handling
新手友好度: 55
研究方向: Investigate the current environment variable loading mechanism in the Hasura GraphQL Engine codebase, likely in the server startup scripts or configuration module. Look for existing handling of HASURA GRAPHQL ACCESS KEY and HASURA GRAPHQL DATABASE URL. Implement logic to check for the FILE variants and read the contents from the specified file paths. Review Docker documentation for best practices. Consider edge cases like missing files, permissions, and relative paths. The issue has 19 comments that may contain additional guidance.