Kibana: [docker] support _FILE environment variable
Transferring from https://github.com/elastic/kibana-docker/issues/139
We are trying to run Kibana in DDC (sigh) and the _secrets_ are mounted as files, and thus the "secret" has to be read from
/run/secrets/secret-name. The "workaround" for this issue in DDC is to create a wrapper script that reads the secret and puts the value into the correct env variable.I propose that the "helper" script could look for SOME_VAR_FILE, and if it finds that (and its a file thats readable), put the contents of the file into SOME_VAR.
The places I see this being most useful is "ELASTICSEARCH_PASSWORD" and maybe "SERVER_SSL_KEYPASSPHRASE" as the other places I would use a "secret" are already looking for a file.
Suggestions?
~tommy
jbudz
All 9 comments
Pinging @elastic/kibana-operations
elasticmachine
on 25 Jun 2019
@TJM, can you confirm if the Secure Settings keystore would work for you?
tylersmalley
on 18 Mar 2020
I am afraid the Secure Settings would have the same "issue" that environment variables have. I would need to be able to automatically run the command (cat /file/containing/setting/value | bin/kibana-keystore add the.setting.name.to.set --stdin). I do like the idea of using the keystore over environment variables, but the problem of getting the value from the "file" where DDC provides the secret value into the keystore is still there. We will be moving away from DDC (docker datacenter / docker swarm) this year, and will have a whole new way to provide secrets. We have added a helper script to cat the values into the appropriate environment variables for now.
TJM
on 19 Mar 2020
@jbudz or @spalger - are you aware of any precedence for this in Elasticsearch?
tylersmalley
on 27 Mar 2020
I don't think I've seen a {var}_FILE pattern before, I think a wrapper script is the right solution unless the community speaks up and expresses a wider need for this.
spalger
on 27 Mar 2020
Does no one else use secrets to provide passwords? Or does no one else use Docker Datacenter swam anymore? Docker Secrets are provided as a filename, similar to mounting the secret in K8s. Perhaps, if the "password" starts with a "/" check to see if its a readable file, and if so, read its contents in and replace the variable? I just thought that using ELASTICSEARCH_PASSWORD_FILE would be more supportable?
TJM
on 27 Mar 2020
Yeah, I understand the concept behind the request I just can't recall hearing the request from anyone else, or seeing a similar feature implemented in other products, and would prefer to not modify the way that configuration is loaded unless it's really necessary. It's a very core, old and important system that needs to be as easy to understand and maintain as possible.
It also sounds like you've been able to accomplish your needs with a simple helper script so it doesn't sound like you really _need_ this implemented. Is that right?
spalger
on 27 Mar 2020
I was honestly hoping that other people would jump on board (me too's). I really dislike having to modify the docker image. Lots of overhead just to get a secret into a variable :) (silly docker enterprise)
TJM
on 27 Mar 2020
I agree with @TJM aswell on this as well. ElasticSearch already supports this ElasticSearch Secrets.
RasmusGodske
on 22 Jun 2020
Related issues
Ginja
路
3Comments
bradvido
路
3Comments
stacey-gammon
路
3Comments
spalger
路
3Comments
socialmineruser1
路
3Comments
Most helpful comment
I am afraid the Secure Settings would have the same "issue" that environment variables have. I would need to be able to automatically run the command (
cat /file/containing/setting/value | bin/kibana-keystore add the.setting.name.to.set --stdin). I do like the idea of using the keystore over environment variables, but the problem of getting the value from the "file" where DDC provides the secret value into the keystore is still there. We will be moving away from DDC (docker datacenter / docker swarm) this year, and will have a whole new way to provide secrets. We have added a helper script to cat the values into the appropriate environment variables for now.