refactor(server): load secrets from file instead of env var #972
Conversation
Security recommendations for Kubernetes are to mount secrets from file instead of env vars. Env vars are available to all users of a container, often get leaked in log output etc.. If file does not exist, secrets are loaded from env var for backward compatibility. fix #897
| } | ||
|
|
||
| function getSecret(secretName: string): string { | ||
| const secretPath = join('/etc/secrets', secretName) |
There was a problem hiding this comment.
(How?) Will this work on local development environments? Also I'm wondering if this shouldn't be an infra only solution (e.g. some cloud feature that stores some env vars separately, but when they reach the app theyre just env vars), not something that changes how our app reads environment config values? Just considering that this seems like a security feature only relevant for the prod env
There was a problem hiding this comment.
Thanks for challenging this, it led to a better solution.
To summarise what we discussed for future reference; the file won't exist on a dev environment, so this will fallback to using environment variables. It is backwards-compatible with our current dev & test setups.
On production the files would exist, so we wouldn't need the secrets in environment variables (secrets in env vars are relatively insecure).
|
Obsolete. Still worth doing at some point, but doesn't have priority |
Description & motivation
Security recommendations for Kubernetes are to mount secrets from file instead of env vars. Env
vars are available to all users of a container, often get leaked in log output etc.. If file does
not exist, secrets are loaded from env var for backward compatibility.
fix #897
Changes:
To-do before merge:
Screenshots:
Validation of changes:
Checklist:
References