Skip to content

Pass supervisord config through secrets#2

Open
BSchilperoort wants to merge 1 commit into
ESI-FAR:masterfrom
BSchilperoort:secrets
Open

Pass supervisord config through secrets#2
BSchilperoort wants to merge 1 commit into
ESI-FAR:masterfrom
BSchilperoort:secrets

Conversation

@BSchilperoort

@BSchilperoort BSchilperoort commented Jun 19, 2025

Copy link
Copy Markdown

secrets are still in .env.dev file and supervisord.conf. However, these are only passed through the file system upon container launch.

The ckan-docker-db image will still have the secrets inside its env, however I'm not sure if there's a way around this. The specific secrets are listed in the docker-compose.dev.yml file (under environment:).

The other containers (solr, datapushed, redis) don't contain any secrets.

@BSchilperoort

Copy link
Copy Markdown
Author

Note that the processes do have all the environment variables still, including secrets.

You need to run a bash terminal inside the container, and do, e.g.

cat /proc/67/environ where 67 is the PID of one of the programs started by supervisord.

e.g.;

cmd output
ckan@10aab8c19314:~$ cat /proc/67/environ --show-nonprinting
SUPERVISOR_GROUP_NAME=ckan^@CKAN__PLUGINS=image_view text_view datatables_view datastore datapusher envvars harvest ckan_harvester^@PYTHON_SHA256=4c68050f049d1b4ac5aadd0df5f27941c0350d2a9e7ab0907ee5eb5225d9d6b0^@POSTGRES_HOST=db^@CKAN__HARVEST__TIMEOUT=1^@CKAN__HARVEST__MQ__TYPE=redis^@SUPERVISOR_SERVER_URL=unix:///home/ckan/var/run/supervisor.sock^@HOSTNAME=10aab8c19314^@PYTHON_VERSION=3.10.17^@CKAN_SOLR_URL=http://solr:8983/solr/ckan^@POSTGRES_PASSWORD=FIXME_amixijYTpZEJvRkTNU5oqqNULcQLyX4hYCJsJr3mDoJQ^@CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:FIXME_cbaNVAkhyTdueY4ZfxkyrENZjX7hmg5C5CraZSkpuWPe@db/ckandb^@DATASTORE_READONLY_USER=datastore_ro^@CKAN_SYSADMIN_NAME=ckan_admin^@NGINX_SSLPORT=443^@CKAN__HARVEST__MQ__HOSTNAME=redis^@CKAN_PORT_HOST=5000^@CKAN_DATAPUSHER_URL=http://datapusher:8800^@NGINX_PORT_HOST=81^@CKAN_SITE_URL=http://localhost:5000^@PWD=/srv/app^@CKAN_STORAGE_PATH=/var/lib/ckan^@CKAN_SMTP_SERVER=smtp.corporateict.domain:25^@TZ=CET^@DATASTORE_READONLY_PASSWORD=datastore^@TEST_CKAN_SQLALCHEMY_URL=postgres://ckan:ckan@db/ckan_test^@CKAN_SYSADMIN_PASSWORD=FIXME_7e55mvycN4rHnvDZj5T5bt4FVev9vNpWEY57bVKKrWE2^@HOME=/srv/app^@LANG=C.UTF-8^@CKAN_SMTP_STARTTLS=True^@REDIS_VERSION=6^@CKAN_VERSION=2.10.0^@CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore^@TEST_CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore_test^@CKAN_MAX_UPLOAD_SIZE_MB=1000^@GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D^@TEST_CKAN_REDIS_URL=redis://redis:6379/1^@SOLR_IMAGE_VERSION=2.10-solr9^@CKAN_SMTP_MAIL_FROM=ckan@localhost^@DATASTORE_DB=datastore^@DATAPUSHER_VERSION=0.0.20^@CKAN__HARVEST__MQ__REDIS_DB=1^@NGINX_SSLPORT_HOST=8443^@CKAN_DB_USER=ckandbuser^@UWSGI_HARAKIRI=50^@TEST_CKAN_SOLR_URL=http://solr:8983/solr/ckan^@CKAN_SMTP_PASSWORD=pass^@CKAN_SITE_ID=default^@CKAN_SMTP_USER=user^@GIT_URL=https://github.com/ckan/ckan.git^@SHLVL=1^@CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:FIXME_cbaNVAkhyTdueY4ZfxkyrENZjX7hmg5C5CraZSkpuWPe@db/datastore^@POSTGRES_USER=postgres^@CKAN___BEAKER__SESSION__SECRET=FIXME_zadgDkZt7jsufuthnzjWyNf7cP2EDAWAVq2JinkRzLue^@APP_DIR=/srv/app^@CKAN_DB=ckandb^@CKAN__DATAPUSHER__CALLBACK_URL_BASE=http://ckan:5000^@CKAN_REDIS_URL=redis://redis:6379/1^@NGINX_PORT=80^@SRC_DIR=/srv/app/src^@TEST_CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore_test^@CKAN_REF=ckan-2.11.3^@CKAN__HARVEST__MQ__PORT=6379^@CKAN_INI=/srv/app/ckan.ini^@CKAN_DB_PASSWORD=FIXME_cbaNVAkhyTdueY4ZfxkyrENZjX7hmg5C5CraZSkpuWPe^@CKAN___API_TOKEN__JWT__ENCODE__SECRET=string:FIXME_zadgDkZt7jsufuthnzjWyNf7cP2EDAWAVq2JinkRzLue^@SUPERVISOR_PROCESS_NAME=ckan-00^@LC_ALL=en_US.UTF-8^@PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin^@USE_HTTPS_FOR_DEV=false^@CKAN___API_TOKEN__JWT__DECODE__SECRET=string:FIXME_zadgDkZt7jsufuthnzjWyNf7cP2EDAWAVq2JinkRzLue^@POSTGRES_DB=postgres^@PIP_SRC=/srv/app/src^@SRC_EXTENSIONS_DIR=/srv/app/src_extensions^@CKAN_SYSADMIN_EMAIL=ckan+account@ole.mn^@SUP

All processes spawned by supervisord have the environment variables exposed in this fashion. None are erased by ckan.

@BSchilperoort

Copy link
Copy Markdown
Author

All processes spawned by supervisord have the environment variables exposed in this fashion. None are erased by ckan.

With some poking around I feel like putting the secrets in the ckan config file might be more secure.

Then the config can be mounted through docker's secrets system. The processes can then be spawned using the --config=/run/secrets/ckan_config_file cli option.

@BSchilperoort

Copy link
Copy Markdown
Author

With some poking around I feel like putting the secrets in the ckan config file might be more secure.

Won't be easy though; config is not fully or clearly documented on their docs, and we'd have to use the CLI to try figure out all settings;
https://docs.ckan.org/en/2.11/maintaining/cli.html#cli-ckan-config

@BSchilperoort BSchilperoort marked this pull request as ready for review September 11, 2025 13:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant