Kibana: [docker] support _FILE environment variable

Created on 25 Jun 2019 · 9 Comments · Source: elastic/kibana

Transferring from https://github.com/elastic/kibana-docker/issues/139

We are trying to run Kibana in DDC (sigh) and the _secrets_ are mounted as files, and thus the "secret" has to be read from /run/secrets/secret-name. The "workaround" for this issue in DDC is to create a wrapper script that reads the secret and puts the value into the correct env variable.

I propose that the "helper" script could look for SOME_VAR_FILE, and if it finds that (and it's a file that's readable), put the contents of the file into SOME_VAR.

The places I see this being most useful are "ELASTICSEARCH_PASSWORD" and maybe "SERVER_SSL_KEYPASSPHRASE", as the other places I would use a "secret" are already looking for a file.

Suggestions?

~tommy

Configuration Operations
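
The wrapper approach described in the issue above, as an added example that is not part of the original thread or of the Kibana Docker image. It assumes the script is set as the container entrypoint with the image's original command passed as arguments; `file_env` and `main` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the Kibana image): resolve VAR_FILE into VAR, then
# hand off to the container's original command.

# file_env VAR
#   If VAR_FILE names a readable file, export VAR with the file's contents.
#   Returns 0 on success or when VAR_FILE is unset, non-zero on any conflict.
file_env() {
    var="$1"
    file_var="${var}_FILE"
    # The name is expanded with eval below, so accept only plain identifiers.
    case "$var" in
        ''|*[!A-Za-z0-9_]*) echo "file_env: bad name: $var" >&2; return 2 ;;
    esac
    eval "_val=\${$var:-}"
    eval "_path=\${$file_var:-}"
    [ -n "$_path" ] || return 0
    # Refuse ambiguous configuration instead of silently picking one source.
    if [ -n "$_val" ]; then
        echo "file_env: both $var and $file_var are set" >&2
        return 1
    fi
    if [ ! -f "$_path" ] || [ ! -r "$_path" ]; then
        echo "file_env: $file_var is not a readable file: $_path" >&2
        return 1
    fi
    # Command substitution drops the trailing newline most secret files carry.
    _val="$(cat "$_path")"
    export "$var=$_val"
    unset "$file_var" _val _path
}

main() {
    # The two settings named in the issue; extend the list as needed.
    for name in ELASTICSEARCH_PASSWORD SERVER_SSL_KEYPASSPHRASE; do
        file_env "$name" || exit 1
    done
    exec "$@"   # assumption: the image's original command is passed as args
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The value still ends up in the Kibana process environment; the wrapper only changes where it is read from.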

All 9 comments

Pinging @elastic/kibana-operations

@TJM, can you confirm if the Secure Settings keystore would work for you?

I am afraid the Secure Settings would have the same "issue" that environment variables have. I would need to be able to automatically run the command (`cat /file/containing/setting/value | bin/kibana-keystore add the.setting.name.to.set --stdin`). I do like the idea of using the keystore over environment variables, but the problem of getting the value from the "file" where DDC provides the secret value into the keystore is still there. We will be moving away from DDC (docker datacenter / docker swarm) this year, and will have a whole new way to provide secrets. We have added a helper script to cat the values into the appropriate environment variables for now.

@jbudz or @spalger - are you aware of any precedent for this in Elasticsearch?

I don't think I've seen a {var}_FILE pattern before; I think a wrapper script is the right solution unless the community speaks up and expresses a wider need for this.

Does no one else use secrets to provide passwords? Or does no one else use Docker Datacenter swarm anymore? Docker Secrets are provided as a filename, similar to mounting the secret in K8s. Perhaps, if the "password" starts with a "/", check to see if it's a readable file, and if so, read its contents in and replace the variable? I just thought that using ELASTICSEARCH_PASSWORD_FILE would be more supportable?

Yeah, I understand the concept behind the request, I just can't recall hearing the request from anyone else, or seeing a similar feature implemented in other products, and would prefer to not modify the way that configuration is loaded unless it's really necessary. It's a very core, old and important system that needs to be as easy to understand and maintain as possible.

It also sounds like you've been able to accomplish your needs with a simple helper script so it doesn't sound like you really _need_ this implemented. Is that right?

I was honestly hoping that other people would jump on board (me too's). I really dislike having to modify the docker image. Lots of overhead just to get a secret into a variable :) (silly docker enterprise)

I agree with @TJM on this as well. ElasticSearch already supports this: ElasticSearch Secrets.
