tiredofit / docker-traefik-cloudflare-companion

Automatically Create CNAME records for containers served by Traefik

Enhancement: Support for Docker Secrets

anandslab opened this issue · comments

I moved my CF token to docker secrets from .env. But cf-companion does not appear to work with secrets.

I have functionality baked into my base images to support docker secrets, just not in this image. It is coming in a future release. Still a few weeks off unfortunately.

I have a beta version of the upcoming release available:
docker pull tiredofit/traefik-cloudflare-companion:develop

It supports Docker Secrets. There are also two modes for API access.

With Scoped Mode - you need to set the following environment variable.

API_MODE=SCOPED

The Docker Secret or environment variable for this mode is
CF_API_TOKEN=(yourscopedtoken)

With the current functioning mode GLOBAL API you will need to:

API_MODE=GLOBAL

and the original environment variables/secrets of:
CF_EMAIL=yourcloudflareemail@example.com
CF_TOKEN=yourglobalapi

If I could have this tested that would be wonderful and I'll clean this up further and focus on the other remaining enhancements:

      - Support global or scoped API mode (API_MODE=GLOBAL/SCOPED) (initial credit: blinkiz@github)
      - Support Refreshing Entries (initial credit: dchidell@github)
      - Support Docker Swarm Mode
      - Support Docker Secrets

The above is useful for tiredofit/traefik-cloudflare-companion:5.0, which I pushed today and in which I am finding the secrets support questionable.

Instead I just rewrote the whole thing in pure Python, tagging it as tiredofit/traefik-cloudflare-companion:6.0
For this version, you just need to set CF_EMAIL=None and don't worry about the API_MODE env var, it's been removed. See README.

I tried using a scoped token that can edit all DNS zones. Getting auth errors. Secret was loaded into container at /run/secrets/mysecret

Have same issues..

Whenever I try to use secrets, they just don't work for whatever reason.
Below works:

    environment:
      - TIMEZONE=$TZ
      - TRAEFIK_VERSION=2
      - CF_EMAIL=
      - CF_TOKEN=Alkjasdflkj243k76j1#&JLKJa0-24
      - TARGET_DOMAIN=dockers.$DOMAINNAME
      - DOMAIN1=$DOMAINNAME
      - DOMAIN1_ZONE_ID=10654065403241036406504
      - DOMAIN1_PROXIED=TRUE
      - DOCKER_HOST=tcp://socket-proxy:2375

This doesn't work:

secrets:
  cloudflare_email:
    file: $SECRETSDIR/cloudflare_email
  cloudflare_api_token:
    file: $SECRETSDIR/cloudflare_api_token
  cloudflare_zoneid:
    file: $SECRETSDIR/cloudflare_zoneid
-----
    environment:
      - TIMEZONE=$TZ
      - TRAEFIK_VERSION=2
      - CF_API_TOKEN=/run/secrets/cloudflare_api_token # Scoped api token
      - CF_EMAIL=
      - TARGET_DOMAIN=dockers.$DOMAINNAME
      - DOMAIN1=$DOMAINNAME
      - DOMAIN1_ZONE_ID=/run/secrets/cloudflare_zoneid # Copy from Cloudflare Overview page
      - DOMAIN1_PROXIED=TRUE
      - DOCKER_HOST=tcp://socket-proxy:2375
    secrets: 
      - cloudflare_email
      - cloudflare_api_token
      - cloudflare_zoneid

@tiredofit please reopen or give a proper explanation on the secrets usage?
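
In a Compose file, `CF_API_TOKEN=/run/secrets/cloudflare_api_token` sets the variable to the path string itself; the file is read only if the application does so. The following Python is an added example, not part of this thread or the project's code, showing one way a loader can resolve such settings; the `_FILE` suffix lookup, the `resolve_setting` helper and the sample token are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # where Docker mounts secrets by default


def _read_secret(path):
    # Secret files often end with a newline that must not reach the API header.
    return Path(path).read_text(encoding="utf-8").strip()


def resolve_setting(name, env=None, secrets_dir=SECRETS_DIR):
    """Return (value, source) for a setting.
    Lookup order (an assumed convention, not this image's documented one):
      1. NAME_FILE: path to a file holding the value
      2. NAME: literal value, unless it is a path under secrets_dir,
         in which case the file is read instead of sending the path
      3. secrets_dir/<name in lower case>
    """
    env = os.environ if env is None else env
    secrets_dir = Path(secrets_dir)

    file_var = env.get(f"{name}_FILE")
    if file_var:
        return _read_secret(file_var), f"{name}_FILE"

    literal = env.get(name)
    if literal:
        candidate = Path(literal)
        if candidate.is_absolute() and secrets_dir in candidate.parents:
            return _read_secret(candidate), f"{name} (path)"
        return literal, name

    default_file = secrets_dir / name.lower()
    if default_file.is_file():
        return _read_secret(default_file), str(default_file)
    return None, None


def demo():
    # Constructed sample: a temporary directory stands in for /run/secrets.
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "cloudflare_api_token"
        secret.write_text("constructed-token-value\n", encoding="utf-8")
        env = {"CF_API_TOKEN": str(secret)}  # path passed as the value
        naive = env["CF_API_TOKEN"]  # what a plain getenv() would return
        resolved, source = resolve_setting("CF_API_TOKEN", env, tmp)
        return naive, resolved, source
```

`demo()` returns the path string a plain environment lookup would hand to the API client alongside the token actually stored in the file, which makes the difference visible when debugging auth errors.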