@sebastianhaas

When using Docker in swarm mode, the use of environment variables for secrets is discouraged. Instead, swarm secrets are the way sensitive data is managed: https://docs.docker.com/engine/swarm/secrets/

With swarm secrets, it is by design impossible to mount them as environment variables. Swarm secrets will be mounted as a file, containing the secret's value. To tackle this issue, it is common practice to add another configuration option for Docker images as an environment variable, usually called VAR_NAME_FILE for an environment variable VAR_NAME, that will instead point to a file containing the sensitive configuration value.
A popular example of this would be https://hub.docker.com/_/postgres#docker-secrets.

This pull request adds a new environment variable ENROLL_KEY_FILE in addition to the already existing ENROLL_KEY, allowing an enroll key to be passed in a swarm setup using swarm secrets.

I am aware that the crowdsec image already supports swarm secrets for bouncer API keys; however, I feel like the mechanics differ from what is preferable for the enroll key.
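
An added sketch of the VAR_NAME_FILE convention described above, applied to ENROLL_KEY and ENROLL_KEY_FILE. This is illustrative shell, not code from this pull request or the crowdsec image; the function name `resolve_secret` and its error behaviour are assumptions.

```sh
#!/bin/sh
# resolve_secret NAME  (hypothetical helper)
#   If NAME_FILE is set, load the contents of that file into NAME.
#   Returns 0 on success or when NAME_FILE is not set, 1 on misconfiguration.
resolve_secret() {
    name=$1
    # The name is passed to eval below, so accept plain identifiers only.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 1 ;;
    esac
    eval "direct=\${$name-}"
    eval "path=\${${name}_FILE-}"

    # No file variant configured: keep whatever NAME already holds.
    [ -n "$path" ] || return 0

    # Both set is ambiguous; refuse rather than silently pick one.
    if [ -n "$direct" ]; then
        echo "both $name and ${name}_FILE are set; use only one" >&2
        return 1
    fi
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "${name}_FILE is not a readable file: $path" >&2
        return 1
    fi

    # Command substitution strips the trailing newline that is usually
    # present in a secret file.
    value=$(cat "$path")
    if [ -z "$value" ]; then
        echo "${name}_FILE is empty: $path" >&2
        return 1
    fi

    # Assign without `export`, so this function does not itself put the
    # secret into the environment of child processes.
    eval "$name=\$value"
    # Drop the pointer and the temporaries that held the secret.
    unset "${name}_FILE" value direct
}

# Typical entrypoint use (commented out so the file can be sourced):
# resolve_secret ENROLL_KEY || exit 1
```

In a swarm service the file would be the mounted secret, for example a path under /run/secrets/.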

@github-actions

github-actions bot commented Oct 1, 2025

@sebastianhaas: There is no 'kind' label on this PR. You need a 'kind' label to generate the release automatically.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind fix
  • /kind chore
  • /kind dependencies

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@github-actions

github-actions bot commented Oct 1, 2025

@sebastianhaas: There are no area labels on this PR. You can add as many areas as you see fit.

  • /area agent
  • /area local-api
  • /area cscli
  • /area appsec
  • /area security
  • /area configuration