Env file always overridden by environment #40

Open
scalen opened this issue Apr 4, 2022 · 0 comments
Problem

In Kubernetes, sensitive values cannot be safely stored in the container's environment as this is exposed to any who can view a pod's spec: this is usually a broad selection of people. However, they can be safely stored in Secrets, which can be safely mounted to files in the container: Secrets are usually encrypted at rest, and can have much tighter restriction on who can read/write them without impairing the maintenance of the cluster.

Unfortunately, file contents are lower priority than environment variables in envparse, meaning that anyone with the ability to write environment variables to a pod can supersede more sensitive/controlled values that have been set in an env file sourced from a mounted Secret.

Proposal

We can add a flag to the read_envfile method that will switch the behaviour from setdefault to a straight assignment, allowing people to choose to prioritise environment variables or env file contents when there is a conflict.
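The precedence difference described in this issue, as an added example that is not part of the original issue and is not envparse's code: `parse_envfile`, `load_envfile` and the `override` flag are hypothetical names, and the file contents and pod environment are constructed samples. It also returns the keys where the two sources disagree, so a conflict can be logged instead of resolved silently.

```python
# Added illustration; load_envfile and `override` are hypothetical, not envparse's API.


def parse_envfile(text):
    """Parse simple KEY=VALUE lines; skip blanks, comments and malformed lines."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        # Strip one pair of matching surrounding quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        if key:
            values[key] = value
    return values


def load_envfile(text, environ, override=False):
    """Merge file values into `environ`; return keys where both sources disagree."""
    conflicts = []
    for key, value in parse_envfile(text).items():
        if key in environ and environ[key] != value:
            conflicts.append(key)
        if override:
            environ[key] = value            # file wins (behaviour proposed in the issue)
        else:
            environ.setdefault(key, value)  # environment wins (behaviour the issue reports)
    return conflicts


# Constructed sample: a Secret mounted as a file, and a value set in the pod spec.
SECRET_FILE = 'DB_PASSWORD="from-mounted-secret"\nLOG_LEVEL=info\n'
POD_ENV = {"DB_PASSWORD": "from-pod-spec"}


def demo():
    current = dict(POD_ENV)
    load_envfile(SECRET_FILE, current)
    proposed = dict(POD_ENV)
    conflicts = load_envfile(SECRET_FILE, proposed, override=True)
    return current["DB_PASSWORD"], proposed["DB_PASSWORD"], conflicts
```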
