Replies: 5 comments 3 replies
-
|
I use the Docker Secrets implementation. Just add the This is what I do for all my containers that require a password/key/token. |
Beta Was this translation helpful? Give feedback.
-
|
Good solution for container that support the _FILE suffix... But not a global solution. |
Beta Was this translation helpful? Give feedback.
-
|
I have a similar issue and would like to find a good solution. |
Beta Was this translation helpful? Give feedback.
-
|
I'm interested in this also. I'm attempting full infrastructure as code, and am hoping to use SOPS or a similar setup so I can maintain cross-container credentials more easily. My understanding is that this needs some way to run a hook after checkout/pull for gitsync projects. I believe there used to be hooks for this but they were removed for security reasons? |
Beta Was this translation helpful? Give feedback.
-
|
@kmendell can I request a bit of your attention here? This is something I'd love to help solve if you desire help. I am a software dev by trade... not go-native, but technically capable. I'd be likely contributing with a lot of claude code assistance. From spending a bit of time today looking at the code and checking for other existing solutions in the space, here's some ideas that cover combinations of #1707 / #2249 / #2301. They both fix the exact use-case here (handling secrets)... but might be complementary solutions too.
A typed SecretsBackend.Decrypt(src) → map[string]string interface in core. The first implementation would be SOPS (age keys) specifically (this is my own use case). Effectively:
Repo config is data interpreted through a typed schema instead of a command surface to avoid untrusted input or executables that the container hooks struggled with. This would address this issue fully, and part of of #2249, much of #2301 (perhaps).
Per-project preDeployCommand (argv form), optionally in .arcane/lifecycle.yaml (again, same question about arcane specific files...) in the synced project directory. Repo-sourced commands are hashed on sync and deploy refuses to run until an admin approves the change. Per-environment auto-approve toggle exists, off by default and logged on change, but user could be turned on for gitops sources selectively (e.g., when sync is coming from a trusted repository always). The specific approval design avoids the issues from #1468. It does mean a bit more complexity in the UI state for containers (can be blocked waiting approval, need to consider how webhook-pushes interact, etc.) Can be leveraged to implement sops decryption, but also closes the broader #2249 including non-secrets cases (Swarm mkdir/chmod, migrations, registrations). Do you have any thoughts on either or both of these approaches? I'm happy to contribute one or more PRs in this direction if you are interested. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
I recently migrated from Portainer to Arcane, and I have to say the tool is really great 👍
I’ve even connected agents on my other servers, which gives me a single, unified interface across all my infrastructure.
Now I’m starting to think about secrets management.
So far, I’m still using .env files, but that means secrets are stored in clear text, which is not ideal.
Before going further, I’d like to understand what the recommended best practices with Arcane are regarding secrets:
Is there a native way to manage secrets securely in Arcane?
Is it expected to rely on external tools (e.g. Docker secrets, SOPS, Vault, etc.)?
Are there any plans or guidelines documented somewhere for secret management?
In short: what is the “Arcane way” to avoid keeping secrets in plain text .env files?
Thanks in advance for your guidance, and congrats again on the project 🚀
Beta Was this translation helpful? Give feedback.
All reactions