#fleet
CptOfEvilMinions
12/15/2020, 5:49 PM
Question about configuring FleetDM for Docker, specifically using Docker Swarm. The documentation for configuring the binary states mysql_password accepts a string but is it possible to provide a path to a file that contains the password, say to a Docker secret: /run/secrets/fleetdm-mysql-password? I assume the answer is it’s not supported currently but I wanted to ask.
zwass
12/15/2020, 6:06 PM
Is it possible to get the secret into env vars? This is how secrets are handled by most systems I've deployed on.
CptOfEvilMinions
12/15/2020, 6:35 PM
I was hoping to avoid storing secrets in environment variables because it’s not best practice from a security standpoint
zwass
12/15/2020, 6:55 PM
When we built Fleet we were trying to model after 12factor (https://12factor.net/config). If there's updated guidance on best practices I am open.
CptOfEvilMinions
12/15/2020, 7:10 PM
This blog post suggests that the recommendation by 12factor for storing secrets in env vars is not best practice from a security standpoint. One potential solution I am thinking of is, when generating the MySQL connection string, to check if the value in conf.Password is a valid file on disk; if so, read the contents; if not, treat it as is. Thoughts on this approach?