[PR #799] [MERGED] feat: support reading secret env vars from _FILE #619

New Issue

Closed

opened 2025-10-09 16:53:53 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2025-10-09 16:53:53 +03:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/799
Author: @ItalyPaleAle
Created: 7/30/2025
Status: ✅ Merged
Merged: 7/30/2025
Merged by: @kmendell

Base: main ← Head: secret-files

---

📝 Commits (6)

• e820431 feat: support reading secret env vars from _FILE
• 5efa7c1 Merge branch 'main' into secret-files
• c5e22aa trim white space from env files
• d12c1a0 make helper for parsing strings or file based env variables
• bae3e5e only trim the endings of strings, new lines, returns, and spaces
• d5ba5e7 Do not trim spaces for the encryption key

📊 Changes

4 files changed (+103 additions, -47 deletions)

View changed files

📝 backend/internal/common/env_config.go (+82 -25)
📝 backend/internal/model/app_config.go (+2 -2)
📝 backend/internal/service/app_config_service.go (+16 -5)
📝 backend/internal/utils/jwk/utils.go (+3 -15)

📄 Description

Fixes #685

Env vars that contain secret values now can be read from file. To do that, pass the env var *_FILE containing the path to a file on disk. This works with Docker (and K8s) secrets too, since they are mounted as files.

These env vars are currently supported:

• EnvConfig:
  • DB_CONNECTION_STRING_FILE
  • MAXMIND_LICENSE_KEY_FILE
  • Additionally, ENCRYPTION_KEY_FILE was already available
• AppConfig (when UI configuration is disabled): all values that have the sensitive tag in the struct, which currently includes:
  • SMTP_PASSWORD_FILE
  • LDAP_BIND_PASSWORD_FILE

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/pocket-id/pocket-id/pull/799 **Author:** [@ItalyPaleAle](https://github.com/ItalyPaleAle) **Created:** 7/30/2025 **Status:** ✅ Merged **Merged:** 7/30/2025 **Merged by:** [@kmendell](https://github.com/kmendell) **Base:** `main` ← **Head:** `secret-files` --- ### 📝 Commits (6) - [`e820431`](https://github.com/pocket-id/pocket-id/commit/e820431609ff3a7b2aef45c5fb91262c81367fe4) feat: support reading secret env vars from _FILE - [`5efa7c1`](https://github.com/pocket-id/pocket-id/commit/5efa7c17dd6b3de0463fadb6e114735fa4a0862d) Merge branch 'main' into secret-files - [`c5e22aa`](https://github.com/pocket-id/pocket-id/commit/c5e22aabaf165abdad9dc854f02368cdd213dfa5) trim white space from env files - [`d12c1a0`](https://github.com/pocket-id/pocket-id/commit/d12c1a0dc386f70c582821968ec0ed554bad0aa1) make helper for parsing strings or file based env variables - [`bae3e5e`](https://github.com/pocket-id/pocket-id/commit/bae3e5e63b40563a543d449bae9fc4acf5f3467f) only trim the endings of strings, new lines, returns, and spaces - [`d5ba5e7`](https://github.com/pocket-id/pocket-id/commit/d5ba5e7fbd373dcfaa8648b8f2b7337ad6edd85d) Do not trim spaces for the encryption key ### 📊 Changes **4 files changed** (+103 additions, -47 deletions) <details> <summary>View changed files</summary> 📝 `backend/internal/common/env_config.go` (+82 -25) 📝 `backend/internal/model/app_config.go` (+2 -2) 📝 `backend/internal/service/app_config_service.go` (+16 -5) 📝 `backend/internal/utils/jwk/utils.go` (+3 -15) </details> ### 📄 Description Fixes #685 Env vars that contain secret values now can be read from file. To do that, pass the env var `*_FILE` containing the path to a file on disk. This works with Docker (and K8s) secrets too, since they are mounted as files. These env vars are currently supported: - EnvConfig: - `DB_CONNECTION_STRING_FILE` - `MAXMIND_LICENSE_KEY_FILE` - Additionally, `ENCRYPTION_KEY_FILE` was already available - AppConfig (when UI configuration is disabled): all values that have the `sensitive` tag in the struct, which currently includes: - `SMTP_PASSWORD_FILE` - `LDAP_BIND_PASSWORD_FILE` --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

OVERLORD added the pull-request label 2025-10-09 16:53:53 +03:00

OVERLORD closed this issue 2025-10-09 16:53:54 +03:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

oidc-scopes

breaking/v2

i18n_crowdin

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-2#619