(10-27-2020, 05:55 AM)richb201 Wrote: In config/database.php my userid and password for MySQL are visible, unencrypted. I have some other things that I use in my app that are secrets, such as my AWS userids. I need to secure these, and since I am using Docker I am investigating using Docker Secrets. But how can I modify the $db array prior to bringing up my system with the userid and password kept in Docker Secrets? I am not sure yet, but I presume that there is an API call I will make to get the secret. But where do I place that in the CI application?
Haven't looked into Docker Secrets, but I run multiple CI projects in FARGATE and ECS and this is how I do it:
In the Config/Database.php I use the constructor to gather stuff from the running environment. My configuration is a mix of stuff from AWS CloudFormation inserted as ENV in the Docker tasks (database and redis host etc).
Static, secret stuff (username, API keys and passwords) I put in the .env file when building the Docker image and uploading to the private ECR.
PHP Code:
public function __construct()
{
    parent::__construct();

    // Ensure that we always set the database group to 'tests' if
    // we are currently running an automated test suite, so that
    // we don't overwrite live data on accident.
    if (ENVIRONMENT === 'testing')
    {
        $this->defaultGroup = 'tests';

        // Under Travis-CI, we can set an ENV var named 'DB_GROUP'
        // so that we can test against multiple databases.
        if ($group = getenv('DB'))
        {
            if (is_file(TESTPATH . 'travis/Database.php')) {
                require TESTPATH . 'travis/Database.php';

                if ( ! empty($dbconfig) && array_key_exists($group, $dbconfig)) {
                    $this->tests = $dbconfig[$group];
                }
            }
        }
    } else {
        $this->default['hostname'] = getenv('CONFIG_RDS_RW');
        $this->default['password'] = getenv('CONFIG_RDS_PASSWORD');
        $this->default['username'] = getenv('CONFIG_RDS_USERNAME');
        $this->default['database'] = getenv('CONFIG_RDS_DATABASE');
    }
}
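
Added example, not part of either post above: Docker mounts each secret as a file under /run/secrets/<name> inside the service container, so no API call is needed to read it. The helper `secretOrEnv()` is hypothetical; it reads that file and falls back to the environment variables used in the reply, and the temp directory and sample values are constructed for the demo.

```php
<?php
// Added example, not from the thread. Resolves a credential from a Docker
// secret file first, then from the environment.

/**
 * Hypothetical helper. $dir defaults to /run/secrets, where Docker mounts
 * secrets inside a service container (one file per secret).
 */
function secretOrEnv(string $name, string $dir = '/run/secrets'): ?string
{
    // Refuse names that could escape the secrets directory.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name) || $name === '.' || $name === '..') {
        throw new InvalidArgumentException("Invalid secret name: {$name}");
    }
    $path = $dir . '/' . $name;
    if (is_file($path) && is_readable($path)) {
        $value = file_get_contents($path);
        if ($value !== false) {
            // Secret files often end with a newline added by echo or an editor.
            return rtrim($value, "\r\n");
        }
    }
    // Fall back to the environment; getenv() returns false when unset.
    $env = getenv($name);
    return $env === false ? null : $env;
}

// Constructed demo: a temp directory stands in for /run/secrets.
$dir = sys_get_temp_dir() . '/secrets_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/CONFIG_RDS_PASSWORD', "s3cr3t-constructed\n");
putenv('CONFIG_RDS_USERNAME=app_user');

$default = [
    'username' => secretOrEnv('CONFIG_RDS_USERNAME', $dir), // from env
    'password' => secretOrEnv('CONFIG_RDS_PASSWORD', $dir), // from file
    'database' => secretOrEnv('CONFIG_RDS_DATABASE', $dir), // null if unset
];

// Report missing settings instead of connecting with an empty credential.
foreach ($default as $key => $value) {
    if ($value === null || $value === '') {
        echo "missing required setting: {$key}\n";
    }
}
// Print only the length so the secret itself never reaches logs.
echo 'password length: ' . strlen((string) $default['password']) . "\n";

unlink($dir . '/CONFIG_RDS_PASSWORD');
rmdir($dir);
```

In a Config/Database.php constructor the same calls would replace the direct getenv() lines, with the default directory left at /run/secrets.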