Pass supervisord config through secrets#2
Conversation
|
Note that the processes do have all the environment variables still, including secrets. You need to run a bash terminal inside the container, and do, e.g.
e.g.; cmd outputAll processes spawned by supervisord have the environment variables exposed in this fashion. None are erased by ckan. |
With some poking around I feel like putting the secrets in the ckan config file might be more secure. Then the config can be mounted through docker's secrets system. The processes can then be spawned using the |
Won't be easy though; config is not fully or clearly documented on their docs, and we'd have to use the CLI to try figure out all settings; |
secrets are still in
.env.devfile andsupervisord.conf. However, these are only passed through the file system upon container launch.The
ckan-docker-dbimage will still have the secrets inside its env, however I'm not sure if there's a way around this. The specific secrets are listed in thedocker-compose.dev.ymlfile (underenvironment:).The other containers (solr, datapushed, redis) don't contain any secrets.