Question about configuring FleetDM for Docker, specifically using Docker Swarm. The documentation for configuring the binary states

mysql_password

accepts a string but is it possible to provide a path to a file that contains the password, say to a Docker secret:

/run/secrets/fleetdm-mysql-password

? I assume the answer is it’s not supported currently but I wanted to ask.

Is it possible to get the secret into env vars? This is how secrets are handled by most systems I've deployed on.

I was hoping to avoid storing secrets in environment variables because it’s not best practice from a security standpoint

When we built Fleet we were trying to model after 12factor (https://12factor.net/config). If there's updated guidance on best practices I am open.

This blog post suggests that the recommendations by 12factor for storing secrets in env vars is not best practice from a security standpoint. One potential solution I am thinking of is when generating the MySQL connection string check if the value in

conf.Password

is a valid file on disk, if so read the contents, if not treat it as is. Thoughts on this approach?