Giter Site home page Giter Site logo

Comments (3)

simonw avatar simonw commented on May 25, 2024

Current implementation bakes the secrets into the Dockerfile:

datasette-publish-fly/datasette_publish_fly/__init__.py

Lines 85 to 96 in a265963

if plugin_secret:
extra_metadata["plugins"] = {}
for plugin_name, plugin_setting, setting_value in plugin_secret:
environment_variable = (
"{}_{}".format(plugin_name, plugin_setting)
.upper()
.replace("-", "_")
)
environment_variables[environment_variable] = setting_value
extra_metadata["plugins"].setdefault(plugin_name, {})[
plugin_setting
] = {"$env": environment_variable}

Here's info on Fly secrets: https://fly.io/docs/reference/secrets/

Short version:

flyctl secrets set MY_SECRET=value -a name-of-app

You can set multiple secrets in a single call.

from datasette-publish-fly.

simonw avatar simonw commented on May 25, 2024

Problem: we can persist the environment variable secrets in between deployments, but we don't have a mechanism for persisting the metadata.json we have constructed, which needs to include this bit:

{
    "plugins": {
        "datasette-auth-passwords": {
            "root_password_hash": {
                "$env": "ROOT_PASSWORD_HASH"
            }
        }
    }
}

from datasette-publish-fly.

simonw avatar simonw commented on May 25, 2024

Once again I find myself wanting a reliable way to introspect the deployed application.

I discussed some options in #12 (comment)

  • Hit the /-/databases.json JSON API - problem here is that it might be protected by authentication or not yet available if the app hasn't been fully deployed
  • Stash a Fly secret with a list of database names, then read that again next time I deploy. This doesn't work because secret values aren't available to flyctl secrets list - you only get back the digest.
  • Stashing the list of databases in a tag or annotation - but it turns out Fly doesn't provide application or volume tags or annotations

Another option might be the fly ssh command - https://fly.io/docs/flyctl/ssh/ - but that's more designed for issuing SSH credentials and doesn't seem to have a neat equivalent of heroku run ... that could be easily scripted to run a command inside the application.

Two options then:

  1. Tell the user they have to call --plugin-secret on subsequent deploys
  2. Only allow deploys if the application itself can be reached via HTTP, and introspect it that way

I'm going to go with option 1 since it's simpler.

from datasette-publish-fly.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.