From 09e6460f956d13cebb3e73e961db32ebb83a6ce1 Mon Sep 17 00:00:00 2001 From: Lukas Bachschwell Date: Tue, 1 Mar 2022 16:09:33 +0100 Subject: [PATCH] Allow loading sensitive flags from files (#815) With systems like docker swarm or docker compose it is usually a little awkward to manage secrets. There is no way to directly inject them into the environment config. So you often have to write your secrets directly into the compose file There are hacky workarounds such as overriding the entry-point of the container and loading a script which then fetches secrets from /run/secrets and replaces the environment variables, but this becomes very difficult once we are using docker images built from "scratch" (which is a really great practice otherwise) as there is no shell or standard tooling available This adds a *_FILE variant of their Environment config values to work around this issue. Signed-off-by: Lukas Bachschwell --- cmd/agent/flags.go | 8 +- cmd/server/flags.go | 145 ++++++++++-------- .../30-administration/10-server-config.md | 48 ++++++ .../30-administration/11-vcs/20-github.md | 10 ++ .../docs/30-administration/11-vcs/30-gitea.md | 10 ++ .../30-administration/11-vcs/40-gitlab.md | 10 ++ .../30-administration/11-vcs/50-bitbucket.md | 10 ++ .../11-vcs/60-bitbucket_server.md | 15 ++ docs/docs/30-administration/11-vcs/70-gogs.md | 10 ++ .../30-administration/11-vcs/80-coding.md | 20 +++ .../docs/30-administration/15-agent-config.md | 5 + 11 files changed, 226 insertions(+), 65 deletions(-) diff --git a/cmd/agent/flags.go b/cmd/agent/flags.go index fbf691b7d..8b9cf6c2d 100644 --- a/cmd/agent/flags.go +++ b/cmd/agent/flags.go @@ -15,6 +15,7 @@ package main import ( + "os" "time" "github.com/urfave/cli/v2" 
@@ -34,9 +35,10 @@ var flags = []cli.Flag{ Value: "x-oauth-basic", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_AGENT_SECRET"}, - Name: "grpc-password", - Usage: "server-agent shared password", + EnvVars: []string{"WOODPECKER_AGENT_SECRET"}, + Name: "grpc-password", + Usage: "server-agent shared password", + FilePath: os.Getenv("WOODPECKER_AGENT_SECRET_FILE"), }, &cli.BoolFlag{ EnvVars: []string{"WOODPECKER_GRPC_SECURE"}, diff --git a/cmd/server/flags.go b/cmd/server/flags.go index 78597e1d7..7a89ce703 100644 --- a/cmd/server/flags.go +++ b/cmd/server/flags.go @@ -15,6 +15,7 @@ package main import ( + "os" "time" "github.com/urfave/cli/v2" @@ -137,9 +138,10 @@ var flags = []cli.Flag{ Name: "network", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_AGENT_SECRET"}, - Name: "agent-secret", - Usage: "server-agent shared password", + EnvVars: []string{"WOODPECKER_AGENT_SECRET"}, + Name: "agent-secret", + Usage: "server-agent shared password", + FilePath: os.Getenv("WOODPECKER_AGENT_SECRET_FILE"), }, &cli.DurationFlag{ EnvVars: []string{"WOODPECKER_KEEPALIVE_MIN_TIME"}, 
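Review bot: The `FilePath` added to `grpc-password` in the cmd/agent/flags.go hunk (and to `agent-secret` and every other flag touched in cmd/server/flags.go) hands the file content to the flag byte for byte, as far as I know; urfave/cli v2 does not appear to trim it, so a trailing newline becomes part of the credential. The documentation added in this commit creates the secret with `echo "my_agent_secret_key" | docker secret create woodpecker-agent-secret -`, which writes that newline, so a server reading the file and an agent given the same value through `WOODPECKER_AGENT_SECRET` would end up holding different secrets. Either trim where the value is consumed (that code is outside this diff), e.g. `secret := strings.TrimSpace(c.String("grpc-password"))`, or document `printf '%s' "my_agent_secret_key" | docker secret create woodpecker-agent-secret -` and state that the file must contain exactly the value. The `flags` slice starts and ends outside the hunk.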
@@ -178,16 +180,18 @@ var flags = []cli.Flag{ Value: "sqlite3", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_DATABASE_DATASOURCE"}, - Name: "datasource", - Usage: "database driver configuration string", - Value: "woodpecker.sqlite", + EnvVars: []string{"WOODPECKER_DATABASE_DATASOURCE"}, + Name: "datasource", + Usage: "database driver configuration string", + Value: "woodpecker.sqlite", + FilePath: os.Getenv("WOODPECKER_DATABASE_DATASOURCE_FILE"), }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_PROMETHEUS_AUTH_TOKEN"}, - Name: "prometheus-auth-token", - Usage: "token to secure prometheus metrics endpoint", - Value: "", + EnvVars: []string{"WOODPECKER_PROMETHEUS_AUTH_TOKEN"}, + Name: "prometheus-auth-token", + Usage: "token to secure prometheus metrics endpoint", + Value: "", + FilePath: os.Getenv("WOODPECKER_PROMETHEUS_AUTH_TOKEN_FILE"), }, &cli.StringFlag{ EnvVars: []string{"WOODPECKER_STATUS_CONTEXT", "WOODPECKER_GITHUB_CONTEXT", "WOODPECKER_GITEA_CONTEXT"}, @@ -243,14 +247,16 @@ var flags = []cli.Flag{ Value: "https://github.com", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_GITHUB_CLIENT"}, - Name: "github-client", - Usage: "github oauth2 client id", + EnvVars: []string{"WOODPECKER_GITHUB_CLIENT"}, + Name: "github-client", + Usage: "github oauth2 client id", + FilePath: os.Getenv("WOODPECKER_GITHUB_CLIENT_FILE"), }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_GITHUB_SECRET"}, - Name: "github-secret", - Usage: "github oauth2 client secret", + EnvVars: []string{"WOODPECKER_GITHUB_SECRET"}, + Name: "github-secret", + Usage: "github oauth2 client secret", + FilePath: os.Getenv("WOODPECKER_GITHUB_SECRET_FILE"), }, &cli.BoolFlag{ EnvVars: []string{"WOODPECKER_GITHUB_MERGE_REF"}, 
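Review bot: A `*_FILE` path that is set but cannot be read appears to be skipped silently, so in the `@@ -178,16 +180,18 @@` hunk `datasource` would fall back to its `Value` of `woodpecker.sqlite` and `prometheus-auth-token` to `""` instead of stopping the server; as far as I can tell urfave/cli ignores the read error for `FilePath`. For the token this presumably leaves the metrics endpoint without the protection the operator configured (the handler is not in this diff, so confirm), and the same fail-open applies to `agent-secret` and the OAuth and git credentials in the other hunks of this file. I would add a start-up check that, for every `*_FILE` variable that is non-empty, the file is readable, and abort with an error naming the variable otherwise. A small helper that takes the base variable name and returns the path would also replace the hand-typed `os.Getenv("..._FILE")` strings repeated across the hunks, where a typo would currently go unnoticed.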
@@ -278,14 +284,16 @@ var flags = []cli.Flag{ Value: "https://github.com", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_GOGS_GIT_USERNAME"}, - Name: "gogs-git-username", - Usage: "gogs service account username", + EnvVars: []string{"WOODPECKER_GOGS_GIT_USERNAME"}, + Name: "gogs-git-username", + Usage: "gogs service account username", + FilePath: os.Getenv("WOODPECKER_GOGS_GIT_USERNAME_FILE"), }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_GOGS_GIT_PASSWORD"}, - Name: "gogs-git-password", - Usage: "gogs service account password", + EnvVars: []string{"WOODPECKER_GOGS_GIT_PASSWORD"}, + Name: "gogs-git-password", + Usage: "gogs service account password", + FilePath: os.Getenv("WOODPECKER_GOGS_GIT_PASSWORD_FILE"), }, &cli.BoolFlag{ EnvVars: []string{"WOODPECKER_GOGS_PRIVATE_MODE"}, @@ -312,14 +320,16 @@ var flags = []cli.Flag{ Value: "https://try.gitea.io", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_GITEA_CLIENT"}, - Name: "gitea-client", - Usage: "gitea oauth2 client id", + EnvVars: []string{"WOODPECKER_GITEA_CLIENT"}, + Name: "gitea-client", + Usage: "gitea oauth2 client id", + FilePath: os.Getenv("WOODPECKER_GITEA_CLIENT_FILE"), }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_GITEA_SECRET"}, - Name: "gitea-secret", - Usage: "gitea oauth2 client secret", + EnvVars: []string{"WOODPECKER_GITEA_SECRET"}, + Name: "gitea-secret", + Usage: "gitea oauth2 client secret", + FilePath: os.Getenv("WOODPECKER_GITEA_SECRET_FILE"), }, &cli.BoolFlag{ EnvVars: []string{"WOODPECKER_GITEA_SKIP_VERIFY"}, 
@@ -335,14 +345,16 @@ var flags = []cli.Flag{ Usage: "bitbucket driver is enabled", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_BITBUCKET_CLIENT"}, - Name: "bitbucket-client", - Usage: "bitbucket oauth2 client id", + EnvVars: []string{"WOODPECKER_BITBUCKET_CLIENT"}, + Name: "bitbucket-client", + Usage: "bitbucket oauth2 client id", + FilePath: os.Getenv("WOODPECKER_BITBUCKET_CLIENT_FILE"), }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_BITBUCKET_SECRET"}, - Name: "bitbucket-secret", - Usage: "bitbucket oauth2 client secret", + EnvVars: []string{"WOODPECKER_BITBUCKET_SECRET"}, + Name: "bitbucket-secret", + Usage: "bitbucket oauth2 client secret", + FilePath: os.Getenv("WOODPECKER_BITBUCKET_SECRET_FILE"), }, // // Gitlab @@ -359,14 +371,16 @@ var flags = []cli.Flag{ Value: "https://gitlab.com", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_GITLAB_CLIENT"}, - Name: "gitlab-client", - Usage: "gitlab oauth2 client id", + EnvVars: []string{"WOODPECKER_GITLAB_CLIENT"}, + Name: "gitlab-client", + Usage: "gitlab oauth2 client id", + FilePath: os.Getenv("WOODPECKER_GITLAB_CLIENT_FILE"), }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_GITLAB_SECRET"}, - Name: "gitlab-secret", - Usage: "gitlab oauth2 client secret", + EnvVars: []string{"WOODPECKER_GITLAB_SECRET"}, + Name: "gitlab-secret", + Usage: "gitlab oauth2 client secret", + FilePath: os.Getenv("WOODPECKER_GITLAB_SECRET_FILE"), }, &cli.BoolFlag{ EnvVars: []string{"WOODPECKER_GITLAB_SKIP_VERIFY"}, @@ -387,9 +401,10 @@ var flags = []cli.Flag{ Usage: "stash server address", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_STASH_CONSUMER_KEY"}, - Name: "stash-consumer-key", - Usage: "stash oauth1 consumer key", + EnvVars: []string{"WOODPECKER_STASH_CONSUMER_KEY"}, + Name: "stash-consumer-key", + Usage: "stash oauth1 consumer key", + FilePath: os.Getenv("WOODPECKER_STASH_CONSUMER_KEY_FILE"), }, &cli.StringFlag{ EnvVars: []string{"WOODPECKER_STASH_CONSUMER_RSA"}, 
@@ -402,14 +417,16 @@ var flags = []cli.Flag{ Usage: "stash oauth1 private key string", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_STASH_GIT_USERNAME"}, - Name: "stash-git-username", - Usage: "stash service account username", + EnvVars: []string{"WOODPECKER_STASH_GIT_USERNAME"}, + Name: "stash-git-username", + Usage: "stash service account username", + FilePath: os.Getenv("WOODPECKER_STASH_GIT_USERNAME_FILE"), }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_STASH_GIT_PASSWORD"}, - Name: "stash-git-password", - Usage: "stash service account password", + EnvVars: []string{"WOODPECKER_STASH_GIT_PASSWORD"}, + Name: "stash-git-password", + Usage: "stash service account password", + FilePath: os.Getenv("WOODPECKER_STASH_GIT_PASSWORD_FILE"), }, &cli.BoolFlag{ EnvVars: []string{"WOODPECKER_STASH_SKIP_VERIFY"}, @@ -431,14 +448,16 @@ var flags = []cli.Flag{ Value: "https://coding.net", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_CODING_CLIENT"}, - Name: "coding-client", - Usage: "coding oauth2 client id", + EnvVars: []string{"WOODPECKER_CODING_CLIENT"}, + Name: "coding-client", + Usage: "coding oauth2 client id", + FilePath: os.Getenv("WOODPECKER_CODING_CLIENT_FILE"), }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_CODING_SECRET"}, - Name: "coding-secret", - Usage: "coding oauth2 client secret", + EnvVars: []string{"WOODPECKER_CODING_SECRET"}, + Name: "coding-secret", + Usage: "coding oauth2 client secret", + FilePath: os.Getenv("WOODPECKER_CODING_SECRET_FILE"), }, &cli.StringSliceFlag{ EnvVars: []string{"WOODPECKER_CODING_SCOPE"}, 
@@ -457,14 +476,16 @@ var flags = []cli.Flag{ Value: "git.coding.net", }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_CODING_GIT_USERNAME"}, - Name: "coding-git-username", - Usage: "coding machine user username", + EnvVars: []string{"WOODPECKER_CODING_GIT_USERNAME"}, + Name: "coding-git-username", + Usage: "coding machine user username", + FilePath: os.Getenv("WOODPECKER_CODING_GIT_USERNAME_FILE"), }, &cli.StringFlag{ - EnvVars: []string{"WOODPECKER_CODING_GIT_PASSWORD"}, - Name: "coding-git-password", - Usage: "coding machine user password", + EnvVars: []string{"WOODPECKER_CODING_GIT_PASSWORD"}, + Name: "coding-git-password", + Usage: "coding machine user password", + FilePath: os.Getenv("WOODPECKER_CODING_GIT_PASSWORD_FILE"), }, &cli.BoolFlag{ EnvVars: []string{"WOODPECKER_CODING_SKIP_VERIFY"}, diff --git a/docs/docs/30-administration/10-server-config.md b/docs/docs/30-administration/10-server-config.md index 88ec50357..7f0289af7 100644 --- a/docs/docs/30-administration/10-server-config.md +++ b/docs/docs/30-administration/10-server-config.md 
@@ -72,6 +72,39 @@ services: + - WOODPECKER_DOCKER_CONFIG=/home/user/.docker/config.json ``` +## Handling sensitive data in docker-compose and docker-swarm + +To handle sensitive data in docker-compose or docker-swarm configurations there are several options: + +For docker-compose you can use a .env file next to your compose condfiguration to store the secrets outside of the compose file. While this seperates configuration from secrets it is still not very secure. + +Alternatively use docker-secrets. As it may be difficult to use docker secrets for environment variables woodpecker allows to read sensible data from files by profiding a `*_FILE` option of all sensible configuration variables. Woodpecker will try to read the value directly from this file. Keep in mind that when the original environment varibale gets specified at the same time it will override the value read from the file. + +```diff +# docker-compose.yml +version: '3' + +services: + woodpecker-server: + [...] + environment: + - [...] ++ - WOODPECKER_AGENT_SECRET_FILE=/run/secrets/woodpecker-agent-secret ++ secrets: ++ - woodpecker-agent-secret ++ ++secrets: ++ woodpecker-agent-secret: ++ external: true +``` + +Store a value to a docker secret like this: +`echo "my_agent_secret_key" | docker secret create woodpecker-agent-secret -` + +or generate a random one like this: + +`openssl rand -hex 32 | docker secret create woodpecker-agent-secret -` + ## All server configuration options The following list describes all available server configuration options. @@ -214,6 +247,11 @@ Example: `WOODPECKER_NETWORK=network1,network2` A shared secret used by server and agents to authenticate communication. A secret can be generated by `openssl rand -hex 32`. +### `WOODPECKER_AGENT_SECRET_FILE` +> Default: empty + +Read the value for `WOODPECKER_AGENT_SECRET` from the specified filepath + ### `WOODPECKER_KEEPALIVE_MIN_TIME` > Default: empty 
@@ -242,11 +280,21 @@ WOODPECKER_DATABASE_DATASOURCE=root:password@tcp(1.2.3.4:3306)/woodpecker?parseT WOODPECKER_DATABASE_DATASOURCE=postgres://root:password@1.2.3.4:5432/woodpecker?sslmode=disable ``` +### `WOODPECKER_DATABASE_DATASOURCE_FILE` +> Default: empty + +Read the value for `WOODPECKER_DATABASE_DATASOURCE` from the specified filepath + ### `WOODPECKER_PROMETHEUS_AUTH_TOKEN` > Default: empty Token to secure the Prometheus metrics endpoint. +### `WOODPECKER_PROMETHEUS_AUTH_TOKEN_FILE` +> Default: empty + +Read the value for `WOODPECKER_PROMETHEUS_AUTH_TOKEN` from the specified filepath + ### `WOODPECKER_STATUS_CONTEXT` > Default: `ci/woodpecker` diff --git a/docs/docs/30-administration/11-vcs/20-github.md b/docs/docs/30-administration/11-vcs/20-github.md index 6f8d41e2e..c6b599e8c 100644 --- a/docs/docs/30-administration/11-vcs/20-github.md +++ b/docs/docs/30-administration/11-vcs/20-github.md @@ -46,11 +46,21 @@ Configures the GitHub server address. Configures the GitHub OAuth client id. This is used to authorize access. +### `WOODPECKER_GITHUB_CLIENT_FILE` +> Default: empty + +Read the value for `WOODPECKER_GITHUB_CLIENT` from the specified filepath + ### `WOODPECKER_GITHUB_SECRET` > Default: empty Configures the GitHub OAuth client secret. This is used to authorize access. +### `WOODPECKER_GITHUB_SECRET_FILE` +> Default: empty + +Read the value for `WOODPECKER_GITHUB_SECRET` from the specified filepath + ### `WOODPECKER_GITHUB_MERGE_REF` > Default: `true` diff --git a/docs/docs/30-administration/11-vcs/30-gitea.md b/docs/docs/30-administration/11-vcs/30-gitea.md index 7c34b0994..c5c90d8c9 100644 --- a/docs/docs/30-administration/11-vcs/30-gitea.md +++ b/docs/docs/30-administration/11-vcs/30-gitea.md 
@@ -54,11 +54,21 @@ Configures the Gitea server address. Configures the Gitea OAuth client id. This is used to authorize access. +### `WOODPECKER_GITEA_CLIENT_FILE` +> Default: empty + +Read the value for `WOODPECKER_GITEA_CLIENT` from the specified filepath + ### `WOODPECKER_GITEA_SECRET` > Default: empty Configures the Gitea OAuth client secret. This is used to authorize access. +### `WOODPECKER_GITEA_SECRET_FILE` +> Default: empty + +Read the value for `WOODPECKER_GITEA_SECRET` from the specified filepath + ### `WOODPECKER_GITEA_SKIP_VERIFY` > Default: `false` diff --git a/docs/docs/30-administration/11-vcs/40-gitlab.md b/docs/docs/30-administration/11-vcs/40-gitlab.md index 14a5d01cc..46b40a0f1 100644 --- a/docs/docs/30-administration/11-vcs/40-gitlab.md +++ b/docs/docs/30-administration/11-vcs/40-gitlab.md @@ -46,11 +46,21 @@ Configures the GitLab server address. Configures the GitLab OAuth client id. This is used to authorize access. +### `WOODPECKER_GITLAB_CLIENT_FILE` +> Default: empty + +Read the value for `WOODPECKER_GITLAB_CLIENT` from the specified filepath + ### `WOODPECKER_GITLAB_SECRET` > Default: empty Configures the GitLab OAuth client secret. This is used to authorize access. +### `WOODPECKER_GITLAB_SECRET_FILE` +> Default: empty + +Read the value for `WOODPECKER_GITLAB_SECRET` from the specified filepath + ### `WOODPECKER_GITLAB_SKIP_VERIFY` > Default: `false` diff --git a/docs/docs/30-administration/11-vcs/50-bitbucket.md b/docs/docs/30-administration/11-vcs/50-bitbucket.md index 5065e2e31..909da4d69 100644 --- a/docs/docs/30-administration/11-vcs/50-bitbucket.md +++ b/docs/docs/30-administration/11-vcs/50-bitbucket.md 
@@ -53,11 +53,21 @@ Enables the Bitbucket driver. Configures the Bitbucket OAuth client id. This is used to authorize access. +### `WOODPECKER_BITBUCKET_CLIENT_FILE` +> Default: empty + +Read the value for `WOODPECKER_BITBUCKET_CLIENT` from the specified filepath + ### `WOODPECKER_BITBUCKET_SECRET` > Default: empty Configures the Bitbucket OAuth client secret. This is used to authorize access. +### `WOODPECKER_BITBUCKET_SECRET_FILE` +> Default: empty + +Read the value for `WOODPECKER_BITBUCKET_SECRET` from the specified filepath + ## Missing Features Merge requests are not currently supported. We are interested in patches to include this functionality. diff --git a/docs/docs/30-administration/11-vcs/60-bitbucket_server.md b/docs/docs/30-administration/11-vcs/60-bitbucket_server.md index 58b24307e..79ddcf22d 100644 --- a/docs/docs/30-administration/11-vcs/60-bitbucket_server.md +++ b/docs/docs/30-administration/11-vcs/60-bitbucket_server.md @@ -115,6 +115,11 @@ Configures the Bitbucket Server address. Configures your Bitbucket Server consumer key. +### `WOODPECKER_STASH_CONSUMER_KEY_FILE` +> Default: empty + +Read the value for `WOODPECKER_STASH_CONSUMER_KEY` from the specified filepath + ### `WOODPECKER_STASH_CONSUMER_RSA` > Default: empty @@ -130,11 +135,21 @@ Configures your Bitbucket Server private key. This username is used to authenticate and clone all private repositories. +### `WOODPECKER_STASH_GIT_USERNAME_FILE` +> Default: empty + +Read the value for `WOODPECKER_STASH_GIT_USERNAME` from the specified filepath + ### `WOODPECKER_STASH_GIT_PASSWORD` > Default: empty The password is used to authenticate and clone all private repositories. +### `WOODPECKER_STASH_GIT_PASSWORD_FILE` +> Default: empty + +Read the value for `WOODPECKER_STASH_GIT_PASSWORD` from the specified filepath + ### `WOODPECKER_STASH_SKIP_VERIFY` > Default: `false` 
diff --git a/docs/docs/30-administration/11-vcs/70-gogs.md b/docs/docs/30-administration/11-vcs/70-gogs.md index a165bea6d..26c6dbdc2 100644 --- a/docs/docs/30-administration/11-vcs/70-gogs.md +++ b/docs/docs/30-administration/11-vcs/70-gogs.md @@ -19,11 +19,21 @@ Configures the Gogs server address. This username is used to authenticate and clone all private repositories. +### `WOODPECKER_GOGS_GIT_USERNAME_FILE` +> Default: empty + +Read the value for `WOODPECKER_GOGS_GIT_USERNAME` from the specified filepath + ### `WOODPECKER_GOGS_GIT_PASSWORD` > Default: empty The password is used to authenticate and clone all private repositories. +### `WOODPECKER_GOGS_GIT_PASSWORD_FILE` +> Default: empty + +Read the value for `WOODPECKER_GOGS_GIT_PASSWORD` from the specified filepath + ### `WOODPECKER_GOGS_PRIVATE_MODE` > Default: `false` diff --git a/docs/docs/30-administration/11-vcs/80-coding.md b/docs/docs/30-administration/11-vcs/80-coding.md index 751c09020..d7f3ed738 100644 --- a/docs/docs/30-administration/11-vcs/80-coding.md +++ b/docs/docs/30-administration/11-vcs/80-coding.md @@ -19,11 +19,21 @@ Configures the Coding server address. Configures the Coding OAuth client id. This is used to authorize access. +### `WOODPECKER_CODING_CLIENT_FILE` +> Default: empty + +Read the value for `WOODPECKER_CODING_CLIENT` from the specified filepath + ### `WOODPECKER_CODING_SECRET` > Default: empty Configures the Coding OAuth client secret. This is used to authorize access. +### `WOODPECKER_CODING_SECRET_FILE` +> Default: empty + +Read the value for `WOODPECKER_CODING_SECRET` from the specified filepath + ### `WOODPECKER_CODING_SCOPE` > Default: `user, project, project:depot` 
@@ -39,11 +49,21 @@ TODO This username is used to authenticate and clone all private repositories. +### `WOODPECKER_CODING_GIT_USERNAME_FILE` +> Default: empty + +Read the value for `WOODPECKER_CODING_GIT_USERNAME` from the specified filepath + ### `WOODPECKER_CODING_GIT_PASSWORD` > Default: empty The password is used to authenticate and clone all private repositories. +### `WOODPECKER_CODING_GIT_PASSWORD_FILE` +> Default: empty + +Read the value for `WOODPECKER_CODING_GIT_PASSWORD` from the specified filepath + ### `WOODPECKER_CODING_SKIP_VERIFY` > Default: `false` diff --git a/docs/docs/30-administration/15-agent-config.md b/docs/docs/30-administration/15-agent-config.md index 3cc83ed77..ef11bc5ec 100644 --- a/docs/docs/30-administration/15-agent-config.md +++ b/docs/docs/30-administration/15-agent-config.md @@ -95,6 +95,11 @@ The gRPC username. A shared secret used by server and agents to authenticate communication. A secret can be generated by `openssl rand -hex 32`. +### `WOODPECKER_AGENT_SECRET_FILE` +> Default: empty + +Read the value for `WOODPECKER_AGENT_SECRET` from the specified filepath + ### `WOODPECKER_LOG_LEVEL` > Default: empty