Modern web application read their config from env variables.
it would be a really nice to have :)
This would be useful for passwords etc. For other config there is some "danger" that config is not the same on all servers which causes Piwik to not work properly etc but for passwords it would be useful for sure
Yes 12 factor support (environment var injection) for all the variables that happen at config would be really useful. That would allow us to run dev/staging piwik containers on the same hosts pointing to separate DBs etc.
env variables are great, but it is discouraged to use them for secrets: https://github.com/docker/docker/pull/9176#issuecomment-99542089
Secrets are not a clear definition, because the domain of trust needs to be known. Often secrets contained to the environment is good enough so trying to protect processes from each other is overkill. Other times not leaking to the underlying system is critical. The solution and the controls it offers needs to be assessed with the risk and against relevant attack trees.
So for example using something like credstash in the container runtime to inject sensitive vars is good enough for many use cases as it is separating the management of the app from the management of the environment it is running in.
This would specifically be useful for deploying Piwik on cloud-based platforms with ephemeral filesystems that don't persist file changes across deploys / restarts, such as Cloud Foundry or Heroku.
Any advance regarding this?