cli: support _FILE suffix on PARSEDMARC_* env vars for Docker secrets (#772)

Appending _FILE to any PARSEDMARC_{SECTION}_{KEY} env var reads the
value from the referenced file, with one trailing newline stripped.
This matches the Postgres/MariaDB/Redis container-image convention so
Docker Compose and Kubernetes secret mounts work without extra glue,
keeping credentials out of plain environment: blocks (and out of
docker inspect, container logs, and /proc/<pid>/environ).

When both the direct var and its _FILE companion are set, the file
wins. A missing or unreadable file raises ConfigurationError rather
than silently degrading to an empty credential. The four pre-existing
config keys whose own names end in _file ([general] log_file,
[msgraph] token_file, [gmail_api] credentials_file / token_file)
keep their direct-path semantics; pass their values via secret by
doubling the suffix (_FILE_FILE).
This commit is contained in:
Vincent
2026-05-21 03:11:44 +02:00
committed by GitHub
parent b7b8383fa4
commit 535d9db1ad
4 changed files with 362 additions and 21 deletions
+45
View File
@@ -613,6 +613,51 @@ services:
PARSEDMARC_GENERAL_SAVE_FORENSIC: "true"
```
### Docker secrets (`_FILE` suffix)
Any `PARSEDMARC_{SECTION}_{KEY}` environment variable can also be supplied
via a file by appending `_FILE` to its name. The file's contents (with any
trailing CR/LF characters stripped) are used as the value. This is the
same convention used by the official Postgres, MariaDB, and Redis container
images, and is designed to plug straight into Docker / Docker Compose /
Kubernetes secrets so credentials never appear in plain `environment:`
blocks (where they would be readable via `docker inspect`, container logs,
and `/proc/<pid>/environ`).
The bare `DEBUG` / `PARSEDMARC_DEBUG` aliases and `PARSEDMARC_CONFIG_FILE`
do not have a `_FILE` form; only `PARSEDMARC_{SECTION}_{KEY}` vars resolved
to a known config section are eligible.
If both the direct env var and the `_FILE` variant are set, the `_FILE`
variant wins. If the file does not exist or is unreadable, parsedmarc
exits with a configuration error rather than silently falling back to an
empty value.
```yaml
secrets:
imap_password:
file: ./secrets/imap_password.txt
services:
parsedmarc:
image: parsedmarc:latest
secrets:
- imap_password
environment:
PARSEDMARC_IMAP_HOST: imap.example.com
PARSEDMARC_IMAP_USER: dmarc@example.com
PARSEDMARC_IMAP_PASSWORD_FILE: /run/secrets/imap_password
```
Note that a small set of config keys whose own names already end in
`_file` (`[general] log_file`, `[msgraph] token_file`,
`[gmail_api] credentials_file`, `[gmail_api] token_file`) keep their
pre-existing meaning when set via `PARSEDMARC_..._FILE` — that env var is
the path itself, not a wrapper around a file containing the path. To pass
*those* paths via a Docker secret, double up the suffix
(`PARSEDMARC_GMAIL_API_CREDENTIALS_FILE_FILE`); the inner contents are
then read and stored as the `credentials_file` value.
### Section name mapping
For sections with underscores in the name, the full section name is used: