[GH-ISSUE #677] [Feature Request] External secrets integration #3504

New Issue

Open

opened 2026-04-13 15:02:37 -05:00 by GiteaMirror · 5 comments

GiteaMirror commented 2026-04-13 15:02:37 -05:00

Owner

Copy Link

Originally created by @Deester4x4jr on GitHub (Jul 22, 2025).
Original GitHub issue: https://github.com/moghtech/komodo/issues/677

Would love to see a way to integrate infiscial into the deployment process.

Originally posted by @ravensorb in #324

I would like to second this comment and officially request a method in Komodo to integrate secrets injection with external secrets management platforms. Whether self-hosted or cloud... I use doppler but I know a lot of people use Infisical. There are obviously many others out there. Would be really cool to have first class support for the most widely used, or maybe a framework for integrating the platform of your choice in a repeatable fashion. Currently, I am using pre/post deploy shell scripts to achieve the desired results, but there are certainly significant drawbacks to this method:

1. I have to copy that over to each stack I write. I'm guessing I can create a stack template to make this easier, but it still makes it difficult if I need to change that script... all previously created stacks would need to be manually updated.
2. The secrets are not really treated as secrets, so there is a high likelihood that they show up in logs, or worse case ( like what I am currently doing ) printed in the inspect tab because they are ultimately injected as env vars. Next step for my current flow is to inject them as docker secrets, but it would be cool if this was handled as part of an in-built framework for secrets injection.

Here is my current flow:

• Create a local .doppler.env file to be sent in with docker compose ( can pluck individual secrets this way, or just drop the query param and get all of the secrets this token has access to ):

#! /bin/sh
# PRE-DEPLOY Script

# Define secrets we want to get
set -- "SECRET_1" "SECRET_2"

# Join the secrets with commas and remove the trailing comma
SECRETS_PARAM=$(printf '%s,' "$@" | sed 's/\,$//')

# Download the secrets from Doppler
wget -qO- "[[DOPPLER_URL]]?format=docker&secrets=${SECRETS_PARAM}" \
    --header "accept: application/json" \
    --header "authorization: Bearer [[DOPPLER_TOKEN]]" > .doppler.env

• Remove the "ephemeral" .doppler.env file that was created

rm -rf .doppler.env

The goal here was to try and create something similar to how doppler ephemeral secrets injection works. This implementation is a bit hacky, but it gets the job done. Again, taking it a step further I should be creating docker secrets with these instead of injecting as env vars.

Ideally, an in-built framework would allow you to either:

• Modify the docker compose command to allow you to do things like wrap it: doppler run <args> -- ${DOCKER_COMPOSE_COMMAND_FROM_KOMODO}
  • or -
• Fetch secrets from an external secrets platform, choose which secrets to get, and automatically inject them as docker secrets for this execution of docker compose.

This is obviously very high level, and I am thinking of it pretty 1-dimensionally to solve my specific need. But it certainly feels like a useful feature that many people could take advantage of.

Hopefully, others agree with me. Either way, I can't thank you enough for building this in the first place. This is a breath of fresh air coming from portainer. Really appreciate the work you are doing.

-Josh

Originally created by @Deester4x4jr on GitHub (Jul 22, 2025). Original GitHub issue: https://github.com/moghtech/komodo/issues/677 > Would love to see a way to integrate infiscial into the deployment process. _Originally posted by @ravensorb in [#324](https://github.com/moghtech/komodo/issues/324#issuecomment-2867216098)_ I would like to second this comment and officially request a method in Komodo to integrate secrets injection with external secrets management platforms. Whether self-hosted or cloud... I use doppler but I know a lot of people use Infisical. There are obviously many others out there. Would be really cool to have first class support for the most widely used, or maybe a framework for integrating the platform of your choice in a repeatable fashion. Currently, I am using pre/post deploy shell scripts to achieve the desired results, but there are certainly significant drawbacks to this method: 1. I have to copy that over to each stack I write. I'm guessing I can create a stack template to make this easier, but it still makes it difficult if I need to change that script... all previously created stacks would need to be manually updated. 2. The secrets are not really treated as secrets, so there is a high likelihood that they show up in logs, or worse case ( like what I am currently doing ) printed in the inspect tab because they are ultimately injected as env vars. Next step for my current flow is to inject them as docker secrets, but it would be cool if this was handled as part of an in-built framework for secrets injection. Here is my current flow: - Create a local .doppler.env file to be sent in with docker compose ( can pluck individual secrets this way, or just drop the query param and get all of the secrets this token has access to ): ```shell #! /bin/sh # PRE-DEPLOY Script # Define secrets we want to get set -- "SECRET_1" "SECRET_2" # Join the secrets with commas and remove the trailing comma SECRETS_PARAM=$(printf '%s,' "$@" | sed 's/\,$//') # Download the secrets from Doppler wget -qO- "[[DOPPLER_URL]]?format=docker&secrets=${SECRETS_PARAM}" \ --header "accept: application/json" \ --header "authorization: Bearer [[DOPPLER_TOKEN]]" > .doppler.env ``` - Remove the "ephemeral" .doppler.env file that was created ```shell rm -rf .doppler.env ``` The goal here was to try and create something similar to how [doppler ephemeral secrets injection](https://docs.doppler.com/docs/accessing-secrets#mounting) works. This implementation is a bit hacky, but it gets the job done. Again, taking it a step further I should be creating docker secrets with these instead of injecting as env vars. Ideally, an in-built framework would allow you to either: - Modify the docker compose command to allow you to do things like wrap it: `doppler run <args> -- ${DOCKER_COMPOSE_COMMAND_FROM_KOMODO}` - or - - Fetch secrets from an external secrets platform, choose which secrets to get, and automatically inject them as docker secrets for this execution of docker compose. This is obviously very high level, and I am thinking of it pretty 1-dimensionally to solve my specific need. But it certainly feels like a useful feature that many people could take advantage of. Hopefully, others agree with me. Either way, I can't thank you enough for building this in the first place. This is a breath of fresh air coming from portainer. Really appreciate the work you are doing. -Josh

GiteaMirror added the enhancement label 2026-04-13 15:02:37 -05:00

GiteaMirror commented 2026-04-13 15:02:38 -05:00

Author

Owner

Copy Link

@mbecker20 commented on GitHub (Jul 22, 2025):

I have considered this as well

<!-- gh-comment-id:3104693183 --> @mbecker20 commented on GitHub (Jul 22, 2025): I have considered this as well

GiteaMirror commented 2026-04-13 15:02:39 -05:00

Author

Owner

Copy Link

@Deester4x4jr commented on GitHub (Jul 23, 2025):

Awesome to hear! Let me know if I can help in any way. Ive never done any Rust development, but the front-end stack seems to be things I am pretty comfortable with. Or if I can help by just testing things, i can do that too.

<!-- gh-comment-id:3105651066 --> @Deester4x4jr commented on GitHub (Jul 23, 2025): Awesome to hear! Let me know if I can help in any way. Ive never done any Rust development, but the front-end stack seems to be things I am pretty comfortable with. Or if I can help by just testing things, i can do that too.

GiteaMirror commented 2026-04-13 15:02:39 -05:00

Author

Owner

Copy Link

@adrianipopescu commented on GitHub (Aug 5, 2025):

it's interesting, infisical works pretty much the same way

<!-- gh-comment-id:3156866473 --> @adrianipopescu commented on GitHub (Aug 5, 2025): it's interesting, infisical works pretty much the same way

GiteaMirror commented 2026-04-13 15:02:39 -05:00

Author

Owner

Copy Link

@Deester4x4jr commented on GitHub (Jan 21, 2026):

@mbecker20 is this being worked on as part of V2 or is that wishful thinking?

<!-- gh-comment-id:3781451078 --> @Deester4x4jr commented on GitHub (Jan 21, 2026): @mbecker20 is this being worked on as part of V2 or is that wishful thinking?

GiteaMirror commented 2026-04-13 15:02:40 -05:00

Author

Owner

Copy Link

@adrianipopescu commented on GitHub (Jan 22, 2026):

@Deester4x4jr do note, you can always set up a pre-authenticated container to pull secrets, and inside the deployments pre and post actions you have access to the host's docker if you passed through your docker socket, so nothing's stopping you from doing a docker exec -i secrets_provider secprov dump format=env > .env and in post to chmod .env to 600

<!-- gh-comment-id:3782024795 --> @adrianipopescu commented on GitHub (Jan 22, 2026): @Deester4x4jr do note, you can always set up a pre-authenticated container to pull secrets, and inside the deployments pre and post actions you have access to the host's docker if you passed through your docker socket, so nothing's stopping you from doing a docker exec -i secrets_provider secprov dump format=env > .env and in post to chmod .env to 600

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

gh-pages-docs

legacy-v1-frontend

copilot/secure-local-authentication

v0

legacy

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.0

v2.0.0-dev-124

v2.0.0-dev-123

v2.0.0-dev-120

v2.0.0-dev-118

v2.0.0-dev-114

v2.0.0-dev-112

v2.0.0-dev-111

v2.0.0-dev-102

v2.0.0-dev-98

v2.0.0-dev-90

v2.0.0-dev-86

v2.0.0-dev-72

v2.0.0-dev-59

v2.0.0-dev-53

v2.0.0-dev-50

v2.0.0-dev-36

v1.19.5

v2.0.0-dev-35

v1.19.4

v1.19.3

v1.19.2

v1.19.1

v1.19.1-dev-14

v1.19.0

v1.19.0-dev-9

v1.18.4

1.18.5-dev-5

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.5

v1.17.4

v1.17.3

v1.17.4-dev-1

v1.17.2

v1.17.2-dev-1

v1.17.1

v1.17.0

v1.17.0-dev-7

v1.17.0-dev-4

v1.17.0-dev-3

v1.17.0-dev-5

v1.17.0-dev-6

v1.17.0-dev-2

v1.17.0-dev-1

v1.16.12

v1.16.11

v1.16.10

v1.16.9

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.12

v1.15.11

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.14.0-rc1

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.0

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.3

v1.7.0

v1.6.0

v1.5.0

v1.4.0

v1.2.0

v1.1.0

v1.0.0

v0.3.4

v0.3.3

v0.3.2

v0.3.0

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.1

v0.2.0

v0.1.17

v0.1.16

v0.1.15

v0.1.11

v0.1.10

v0.1.9

Labels

Clear labels

1.19.0

1.19.1

1.19.2

1.19.3

1.19.4

2.0.0

bug

documentation

done

enhancement

help wanted

info

pull-request

Mirrored from GitHub Pull Request

question

security

seen 👀

setup

thinking 🤔

ui

v2

No Label enhancement

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/komodo#3504