add support for docker secrets (#8409)

* add support for docker secrets * check for directory first
2024-11-21 19:07:46 +01:00 · 2023-11-02 10:35:30 +00:00 · 2023-11-02 10:35:30 +00:00 · 0dd3dd23aa
commit 0dd3dd23aa
parent 4bd29b2ee8
5 changed files with 26 additions and 4 deletions
--- a/docker/main/rootfs/usr/local/go2rtc/create_config.py
+++ b/docker/main/rootfs/usr/local/go2rtc/create_config.py
@ -3,6 +3,7 @@
 import json
 import os
 import sys
+from pathlib import Path

 import yaml

@ -16,6 +17,14 @@ sys.path.remove("/opt/frigate")


 FRIGATE_ENV_VARS = {k: v for k, v in os.environ.items() if k.startswith("FRIGATE_")}
+# read docker secret files as env vars too
+if os.path.isdir("/run/secrets"):
+    for secret_file in os.listdir("/run/secrets"):
+        if secret_file.startswith("FRIGATE_"):
+            FRIGATE_ENV_VARS[secret_file] = Path(
+                os.path.join("/run/secrets", secret_file)
+            ).read_text()
+
 config_file = os.environ.get("CONFIG_FILE", "/config/config.yml")

 # Check if we can use .yaml instead of .yml
--- a/docs/docs/configuration/index.md
+++ b/docs/docs/configuration/index.md
@ -75,11 +75,11 @@ mqtt:
  # NOTE: must be unique if you are running multiple instances
  client_id: frigate
  # Optional: user
-  # NOTE: MQTT user can be specified with an environment variables that must begin with 'FRIGATE_'.
+  # NOTE: MQTT user can be specified with an environment variables or docker secrets that must begin with 'FRIGATE_'.
  #       e.g. user: '{FRIGATE_MQTT_USER}'
  user: mqtt_user
  # Optional: password
-  # NOTE: MQTT password can be specified with an environment variables that must begin with 'FRIGATE_'.
+  # NOTE: MQTT password can be specified with an environment variables or docker secrets that must begin with 'FRIGATE_'.
  #       e.g. password: '{FRIGATE_MQTT_PASSWORD}'
  password: password
  # Optional: tls_ca_certs for enabling TLS using self-signed certs (default: None)
@ -491,7 +491,7 @@ cameras:
      # Required: A list of input streams for the camera. See documentation for more information.
      inputs:
        # Required: the path to the stream
-        # NOTE: path may include environment variables, which must begin with 'FRIGATE_' and be referenced in {}
+        # NOTE: path may include environment variables or docker secrets, which must begin with 'FRIGATE_' and be referenced in {}
        - path: rtsp://viewer:{FRIGATE_RTSP_PASSWORD}@10.0.10.10:554/cam/realmonitor?channel=1&subtype=2
          # Required: list of roles for this stream. valid values are: audio,detect,record,rtmp
          # NOTICE: In addition to assigning the audio, record, and rtmp roles,
--- a/docs/docs/integrations/plus.md
+++ b/docs/docs/integrations/plus.md
@ -19,7 +19,7 @@ Once logged in, you can generate an API key for Frigate in Settings.

 ### Set your API key

-In Frigate, you can set the `PLUS_API_KEY` environment variable to enable the `SEND TO FRIGATE+` buttons on the events page. You can set it in your Docker Compose file or in your Docker run command. Home Assistant Addon users can set it under Settings > Addons > Frigate NVR > Configuration > Options (be sure to toggle the "Show unused optional configuration options" switch).
+In Frigate, you can use an environment variable or a docker secret named `PLUS_API_KEY` to enable the `SEND TO FRIGATE+` buttons on the events page. Home Assistant Addon users can set it under Settings > Addons > Frigate NVR > Configuration > Options (be sure to toggle the "Show unused optional configuration options" switch).

 :::caution

--- a/frigate/config.py
+++ b/frigate/config.py
@ -5,6 +5,7 @@ import json
 import logging
 import os
 from enum import Enum
+from pathlib import Path
 from typing import Dict, List, Optional, Tuple, Union

 import matplotlib.pyplot as plt
@ -47,6 +48,13 @@ DEFAULT_TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
 # DEFAULT_TIME_FORMAT = "%d.%m.%Y %H:%M:%S"

 FRIGATE_ENV_VARS = {k: v for k, v in os.environ.items() if k.startswith("FRIGATE_")}
+# read docker secret files as env vars too
+if os.path.isdir("/run/secrets"):
+    for secret_file in os.listdir("/run/secrets"):
+        if secret_file.startswith("FRIGATE_"):
+            FRIGATE_ENV_VARS[secret_file] = Path(
+                os.path.join("/run/secrets", secret_file)
+            ).read_text()

 DEFAULT_TRACKED_OBJECTS = ["person"]
 DEFAULT_LISTEN_AUDIO = ["bark", "fire_alarm", "scream", "speech", "yell"]
--- a/frigate/plus.py
+++ b/frigate/plus.py
@ -3,6 +3,7 @@ import json
 import logging
 import os
 import re
+from pathlib import Path
 from typing import Any, List

 import cv2
@ -36,6 +37,10 @@ class PlusApi:
        self.key = None
        if PLUS_ENV_VAR in os.environ:
            self.key = os.environ.get(PLUS_ENV_VAR)
+        elif os.path.isdir("/run/secrets") and PLUS_ENV_VAR in os.listdir(
+            "/run/secrets"
+        ):
+            self.key = Path(os.path.join("/run/secrets", PLUS_ENV_VAR)).read_text()
        # check for the addon options file
        elif os.path.isfile("/data/options.json"):
            with open("/data/options.json") as f: