feat: add secrets by miekg · Pull Request #385 · psviderski/uncloud · GitHub
Skip to content

feat: add secrets#385

Open
miekg wants to merge 7 commits into
psviderski:mainfrom
miekg:miek/26/jun02di/secrets1
Open

feat: add secrets#385
miekg wants to merge 7 commits into
psviderski:mainfrom
miekg:miek/26/jun02di/secrets1

Conversation

@miekg

@miekg miekg commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

This adds (limited) support for secrets. In the end we want to support the new 'secrets engine' from docker, but this still requires secrets to be put in a container.

This piggybacks on configs as much as possible to make the PR as small as possible.

We use /run/secrets to store them this is a tmpfs so nothing lands on disk.
If a container path is used, we symlink that to /run/secrets, so only a symlink lands on disk, not the secret it self.

When storing the container in corrosion we use base64 encryption, see the TODO there to do proper encrytion.

Update the compatiblity matrix to say we have limited support for secrets.

See: #75 and possibly #76

Note for #76, we will def. want to use the secrets engine of docker: https://github.com/docker/secrets-engine

miekg added 7 commits June 3, 2026 07:27
This adds (limited) support for secrets. In the end we wont to support
the new 'secrets engine' from docker, but this still requires secrets to
be put in a container.

This piggybacks on configs as much as possible to make the PR as small
as possible.

We use /run/secrets to store them this is a tmpfs so nothing lands on
disk.
If a container path is used, we symlink that to /run/secrets, so only a
symlink lands on disk, not the secret it self.

When storing the container in corrosion we use base64 encryption, see
the TODO there to do proper encrytion.

Update the compatiblity matrix to say we have limited support for
secrets.

See: psviderski#75 and possibly psviderski#76

Note for psviderski#76, we will def. want to use the secrets engine of docker:
https://github.com/docker/secrets-engine

Signed-off-by: Miek Gieben <miek@miek.nl>

b64 encode secrets before storing

Signed-off-by: Miek Gieben <miek@miek.nl>
Signed-off-by: Miek Gieben <miek@miek.nl>
Signed-off-by: Miek Gieben <miek@miek.nl>
Signed-off-by: Miek Gieben <miek@miek.nl>
Signed-off-by: Miek Gieben <miek@miek.nl>
it also prefixes /run/secrets, no need to do it here

Signed-off-by: Miek Gieben <miek@miek.nl>
Signed-off-by: Miek Gieben <miek@miek.nl>
@joeblew999

Copy link
Copy Markdown

@miekg

miekg commented Jun 17, 2026

Copy link
Copy Markdown
Contributor Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants