configuration.provider.docker.secrets's Introduction

.NET Core Configuration provider for Docker Secrets

Ability to map docker secrets files to .net core configuration.

This package reads Docker secrets files and pulls them into the .NET Core configuration. By default, Docker mounts secrets as files in the /run/secrets directory. The secret file names are used as the configuration keys.

About Docker Secrets

Docker secrets are part of the Docker swarm services. They are used to manage sensitive data which a container needs at runtime but which should not be stored in the container image or source control. Read more about docker secrets on the official docker documentation pages.

Getting Started

Using the NuGet package manager install the Mcrio.Configuration.Provider.Docker.Secrets package, or add the following line to the .csproj file:

<ItemGroup>
    <PackageReference Include="Mcrio.Configuration.Provider.Docker.Secrets">
        <Version>1.0.0</Version>
    </PackageReference>
</ItemGroup>

Note: Replace version value with the latest version available.

Usage

By default, all files in the directory /run/secrets are scanned and processed as configuration. .NET Core configuration uses : as the section delimiter. Because : cannot be used in file names, use __ wherever : is needed.

AddDockerSecrets() allows overriding of the default values for the secrets directory path and the colon placeholder.

Often we want to process just specific secrets files. By setting allowed prefixes we can narrow down which files will be processed.

Simple usage

var configuration = new ConfigurationBuilder()
                        .AddDockerSecrets()
                        .Build();
var secretValue = configuration["mysecret"];

ASP.NET Core

// Program.cs
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration(configBuilder =>
                {
                    configBuilder.AddDockerSecrets();

                    // allow command line arguments to override docker secrets
                    if (args != null)
                    {
                        configBuilder.AddCommandLine(args);
                    }
                })
                .UseStartup<Startup>();

Only process files that start with a predefined prefix

configBuilder.AddDockerSecrets(
    allowedPrefixes: new List<string> 
    { 
        "ConfigSection1__", 
        "Foo__Bar__Baz" 
    }
);
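The naming rule and the prefix filter described under Usage, as an added stand-alone sketch (not the library's own code). The class and helper names are hypothetical, the files are constructed samples, and case-sensitive prefix matching is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

static class SecretsNamingDemo
{
    // Hypothetical helper modelling the documented behaviour; not the library's code.
    // Assumption: prefixes are matched against the raw file name, case-sensitively.
    public static SortedDictionary<string, string> Load(
        string directory, string colonPlaceholder, ICollection<string> allowedPrefixes)
    {
        // .NET configuration keys are case-insensitive, so the model is too.
        var config = new SortedDictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var path in Directory.EnumerateFiles(directory))
        {
            var fileName = Path.GetFileName(path);
            var allowed = allowedPrefixes.Count == 0 ||
                allowedPrefixes.Any(p => fileName.StartsWith(p, StringComparison.Ordinal));
            if (!allowed)
                continue; // outside the allow-list: never opened, never exposed as config

            // "Foo__Bar__Baz__DbPassword" -> "Foo:Bar:Baz:DbPassword"
            config[fileName.Replace(colonPlaceholder, ":")] = File.ReadAllText(path);
        }
        return config;
    }

    public static void Main()
    {
        // Constructed sample files in a temp directory standing in for /run/secrets.
        var dir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        Directory.CreateDirectory(dir);
        try
        {
            File.WriteAllText(Path.Combine(dir, "Foo__Bar__Baz__DbPassword"), "constructed-value");
            File.WriteAllText(Path.Combine(dir, "ConfigSection1__ApiKey"), "constructed-value");
            File.WriteAllText(Path.Combine(dir, "otherservice_token"), "constructed-value");

            var config = Load(dir, "__", new List<string> { "ConfigSection1__", "Foo__Bar__Baz" });
            foreach (var key in config.Keys)
                Console.WriteLine(key); // key names only; values stay out of the output
        }
        finally
        {
            Directory.Delete(dir, recursive: true);
        }
    }
}
```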

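Specify the name of an environment variable that holds a comma-delimited list of allowed prefixes

# shell (csh syntax): set the comma-delimited list of prefixes
setenv MY_SECRETS_PREFIXES "ConfigSection1__,Foo__Bar__Baz"

// C#: pass the variable name, not the prefixes themselves
configBuilder.AddDockerSecrets(allowedPrefixesEnvVariableName: "MY_SECRETS_PREFIXES");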

Docker compose example

# docker compose compatible file
services:
    myservice:
      environment:
        - MY_SECRETS_PREFIXES=ConfigSection1__,Foo__Bar__Baz
      secrets:
        - source: myservice_foobarbaz_dbpass
          target: Foo__Bar__Baz__DbPassword

secrets:
    myservice_foobarbaz_dbpass:
        external: true
        name: myservice_foobarbaz_dbpass_2019_12_30_1

// Program.cs
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration(configBuilder =>
                {
                    configBuilder.AddDockerSecrets(
                        allowedPrefixesEnvVariableName: "MY_SECRETS_PREFIXES"
                    );

                    // allow command line arguments to override docker secrets
                    if (args != null)
                    {
                        configBuilder.AddCommandLine(args);
                    }
                })
                .UseStartup<Startup>();

Release History

  • 1.0.1
    • Stable version that reads secret values from mounted files and pulls those into the configuration. Optionally filters the files to process by defined allowed prefixes.

Meta

Nikola Josipovic

This project is licensed under the MIT License. See License.md for more information.

configuration.provider.docker.secrets's Issues

Unhandled exception. System.UnauthorizedAccessException: Access to the path '/run/secrets/chargeampguard__uri' is denied

Hi, I'm trying to use your nuget, but I get an UnauthorizedAccessException when I start my container.
I'm using normal docker (No swarm or kubernetes).

version: "3.8"

secrets:
  chargeampguard__uri:
    file: ./guard-relay/secrets/chargeampguard_uri.secret
  chargeampguard__pin:
    file: ./guard-relay/secrets/chargeampguard_pin.secret

services:
  guard-relay:
    container_name: guard-relay
    image: "ghcr.io/anderssonpeter/guardrelay:${GUARDRELAY_VERSION}"
    environment:
      - Application__Application=/config/GuardRelay.sqlite
      - MQTT__Connection__Server=mosquitto
    secrets:
      - chargeampguard__uri
      - chargeampguard__pin
    volumes:
      - ./guard-relay/config:/config

Exception:

Unhandled exception. System.UnauthorizedAccessException: Access to the path '/run/secrets/chargeampguard__uri' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirError)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode, Boolean failForSymlink, Boolean& wasSymlink, Func`4 createOpenException)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, UnixFileMode openPermissions, Int64& fileLength, UnixFileMode& filePermissions, Boolean failForSymlink, Boolean& wasSymlink, Func`4 createOpenException)
   at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at System.IO.File.OpenRead(String path)
   at System.IO.Abstractions.FileWrapper.OpenRead(String path)
   at Mcrio.Configuration.Provider.Docker.Secrets.DockerSecretsConfigurationProvider.ProcessFile(String secretFilePath)
   at Mcrio.Configuration.Provider.Docker.Secrets.DockerSecretsConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationManager.AddSource(IConfigurationSource source)
   at Microsoft.Extensions.Configuration.ConfigurationManager.ConfigurationSources.Add(IConfigurationSource source)
   at Microsoft.Extensions.Configuration.ConfigurationManager.Microsoft.Extensions.Configuration.IConfigurationBuilder.Add(IConfigurationSource source)
   at Mcrio.Configuration.Provider.Docker.Secrets.DockerSecretsConfigurationExtension.AddDockerSecrets(IConfigurationBuilder configurationBuilder, String secretsDirectoryPath, String colonPlaceholder, ICollection`1 allowedPrefixes)
   at Program.<Main>$(String[] args) in /src/GuardRelay/Program.cs:line 16
   at Program.<Main>(String[] args)

Do you have any idea why?
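An added diagnostic sketch, not part of the issue report or of the library: a pre-flight check that tries the same File.OpenRead call seen in the stack trace on every file in the secrets directory and reports which ones the current process cannot read, so the file mode can be compared with the user the container runs as. The class name is hypothetical, and File.GetUnixFileMode requires .NET 7 or later.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

static class SecretsPreflight
{
    // Returns one line per secret file that the current process cannot open for reading.
    public static List<string> FindUnreadable(string secretsDirectory)
    {
        var problems = new List<string>();
        if (!Directory.Exists(secretsDirectory))
        {
            problems.Add($"{secretsDirectory}: directory not found");
            return problems;
        }

        foreach (var path in Directory.EnumerateFiles(secretsDirectory))
        {
            try
            {
                using var stream = File.OpenRead(path); // same call that fails in the stack trace
            }
            catch (Exception ex) when (ex is UnauthorizedAccessException or IOException)
            {
                // Report file name, mode bits and current user; never the secret content.
                var mode = OperatingSystem.IsWindows()
                    ? "n/a"
                    : File.GetUnixFileMode(path).ToString();
                problems.Add($"{Path.GetFileName(path)}: {ex.GetType().Name}, " +
                             $"mode={mode}, user={Environment.UserName}");
            }
        }
        return problems;
    }

    public static void Main(string[] args)
    {
        // Assumption: directory given as the first argument, else the Linux default from the README.
        var dir = args.Length > 0 ? args[0] : "/run/secrets";
        var problems = FindUnreadable(dir);
        foreach (var line in problems)
            Console.Error.WriteLine(line);
        Environment.Exit(problems.Count == 0 ? 0 : 1);
    }
}
```

Run inside the container as the same user as the application, it exits non-zero and lists the affected files instead of failing inside AddDockerSecrets() at startup.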

[Question] - Does this load secrets within windows containers

Readme explains by default this library will load secrets from the linux mount location: /run/secrets
However when running under windows containers, the mount path is C:\ProgramData\Docker\secrets - does this library detect the correct default location based on the platform (windows vs linux)?
