Comments (3)
I'm closing this because it can be implemented externally to the core project: Write some software which reads the Kubernetes secret volume format and loads it into environment variables or a JSON file which can be understood by node-config.
It's not reasonable for a tiny team to support in-core all the different possible secret storage solutions.
from node-config.
Understood. I think you've missed the point of loading from volumes versus environment variables though? It's a security issue not a convenience thing. It would need to be built in to have better security.
For those looking to keep secrets out of their environment variables you could have a wrapper script write your secrets to a node-config compatible file format and source that. It's an extra step but will achieve the same thing.
All you need is a vulnerability in one package that can enumerate process.env and your secrets go public. That's why people keep secrets out of the env. Provided links in original issue elaborate on this further from a k8s perspective.
Thanks for the work your small team does.
from node-config.
All you need is a vulnerability in one package that can enumerate process.env and your secrets go public. That's why people keep secrets out of the env. Provided links in original issue elaborate on this further from a k8s perspective.
... or all you need is a vulnerability in one package that can read the volume that stores the secrets in the k8s format. How is that more secure? If there is an insecure dependency, it has access to whatever the process has access to, whether it's a filesystem path or process.env.
This area was discussed in 2015 #190 where we considered deleting process env values after we loaded them... but it turns out the values are persisted under /proc, so that doesn't add much value.
In #602 there was discussion of adding support for marking values as sensitive so that when we dumped out the config file values, those values would be masked in some contexts.
from node-config.
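The external loader suggested in the first comment (read the Kubernetes secret volume and hand the values over as a JSON file), sketched as an added example that is not code from this thread or from node-config. The function names, the `secrets` key, the `local.json` file name and the sample volume are assumptions constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Each file in a mounted secret volume is one key; the file content is the value.
// The kubelet also creates bookkeeping entries whose names start with ".."
// (for example the "..data" symlink); those are not secrets and are skipped.
function loadSecretVolume(dir) {
  const secrets = {};
  for (const name of fs.readdirSync(dir)) {
    if (name.startsWith('..')) continue;
    const file = path.join(dir, name);
    if (!fs.statSync(file).isFile()) continue; // statSync follows the key symlinks
    secrets[name] = fs.readFileSync(file, 'utf8');
  }
  return secrets;
}

// Write the values as JSON readable only by the owning user (mode 0600).
// outFile is hypothetical; place it where your node-config setup loads files from.
function writeConfigJson(secrets, outFile) {
  fs.writeFileSync(outFile, JSON.stringify({ secrets }, null, 2), { mode: 0o600 });
  return outFile;
}

// Constructed sample laid out like a mounted volume: key -> ..data/key -> ..<timestamp>/key
function makeSampleVolume() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'secret-vol-'));
  const real = path.join(dir, '..2024_01_01_00_00_00.000000001');
  fs.mkdirSync(real);
  fs.writeFileSync(path.join(real, 'db-password'), 'constructed-password');
  fs.writeFileSync(path.join(real, 'api-key'), 'constructed-api-key');
  fs.symlinkSync(path.basename(real), path.join(dir, '..data'));
  for (const key of ['db-password', 'api-key']) {
    fs.symlinkSync(path.join('..data', key), path.join(dir, key));
  }
  return dir;
}

// Load the sample volume, write the JSON file, and report whether any value reached process.env.
function demo() {
  const secrets = loadSecretVolume(makeSampleVolume());
  const outDir = fs.mkdtempSync(path.join(os.tmpdir(), 'node-config-'));
  const outFile = writeConfigJson(secrets, path.join(outDir, 'local.json'));
  return { secrets, outFile, inEnv: Object.values(process.env).includes(secrets['api-key']) };
}

console.log(Object.keys(demo().secrets)); // key names only, never the values
```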