Secrets and deployments for unique locations

Hey all,

So I am using balena for distributed software and I’m wondering if any of you other users are using this for a similar situation.

So each location that the docker container will be deployed to will need to have some type of a unique password per deployment for things such as a database login. Do I need to have a totally unique fleet per location, and then use the ENV vars for the passwords at the balena level rather than the environment vars at the docker-compose level? Obviously I don't want the latter and hard-code passwords in the compose file, but even if I did that, all the locations in my fleet would share that one password.

I am having a hard time wrapping my mind around one docker-compose file going to hundreds of locations that all need unique passwords.

Also, it appears that secrets are only supported through cloud :frowning:. Anybody have any other solution for trying to manage secure passwords through openBalena?

You can set environment variables per device using the --device flag, overriding anything set at the fleet level: https://www.balena.io/docs/reference/balena-cli/#envs

Thanks for the response! But there's one issue I see with doing this, and that's the fact that balena does not support variable substitution, so I cannot pass a POSTGRES_PASSWORD to the postgres image from an environment variable: the value of POSTGRES_PASSWORD will just be ${MY_PASSWORD} and not the actual value.

version: "2.1"
services:
  database-service:
    build: ./database
    container_name: database-service
    restart: always
    networks:
      - internal
    ports:
      - "5433:5432"
    volumes:
      - postgres-data:/var/lib/postgresql/data
    environment:
      # RIGHT HERE is the issue: the actual password for the database when I deploy
      # will be the literal string ${DBPASS} and not the value of the env var.
      POSTGRES_PASSWORD: ${DBPASS}

Hi @jordan-lumley, I think I just replied to you on another thread, but what you can do is edit the script that starts your container image and make the assignment there. The database service must have a bash entrypoint/start script; you can do export POSTGRES_PASSWORD=$DBPASS in there and that should do it.

However, if you are using postgres' official image and I'm reading this correctly (postgres/docker-entrypoint.sh at e4942cb0f79b61024963dc0ac196375b26fa60dd · docker-library/postgres · GitHub) you don't even need to do that. You can directly set POSTGRES_PASSWORD using the balenaCloud dashboard, the CLI or an API script, and the postgres entrypoint script will pick it up automatically.
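A small entrypoint wrapper along the lines of the export approach described in this thread, added here as an example (it is not the thread's or balena's own code). It assumes the per-device variable is named DBPASS, is set with the --device flag mentioned earlier, and that the image provides the official docker-entrypoint.sh on its PATH:

```shell
#!/bin/sh
# Added example: entrypoint wrapper that maps a device-level balena variable
# (assumed name: DBPASS, set per device, e.g.
#   balena env add DBPASS '<per-device-secret>' --device <device-uuid>)
# to the POSTGRES_PASSWORD variable the official postgres image expects.
# The compose file then carries no password at all.

# Return the password the database should use: an explicit POSTGRES_PASSWORD
# wins, otherwise DBPASS. Fails (non-zero) when neither is set so the
# service refuses to start rather than running Postgres with no password.
resolve_db_password() {
    if [ -n "${POSTGRES_PASSWORD:-}" ]; then
        printf '%s' "$POSTGRES_PASSWORD"
    elif [ -n "${DBPASS:-}" ]; then
        printf '%s' "$DBPASS"
    else
        echo "error: neither POSTGRES_PASSWORD nor DBPASS is set on this device" >&2
        return 1
    fi
}

# Detect a value that is still an unsubstituted compose reference such as
# '${DBPASS}', which is exactly what this thread saw being passed through.
looks_unsubstituted() {
    case "$1" in
        '${'*'}') return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    pw="$(resolve_db_password)" || exit 1
    if looks_unsubstituted "$pw"; then
        echo "error: password is an unsubstituted reference: $pw" >&2
        exit 1
    fi
    export POSTGRES_PASSWORD="$pw"
    unset DBPASS   # keep only the variable the image actually reads
    exec docker-entrypoint.sh postgres "$@"
}

# Only hand over to the real entrypoint when it is present, i.e. inside the
# postgres image; elsewhere the functions can be sourced and checked.
if command -v docker-entrypoint.sh >/dev/null 2>&1; then
    main "$@"
fi
```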