Skip to content

Commit dce0153

Browse files
committed
more tidy up and added docs for secret management
1 parent a73cd38 commit dce0153

3 files changed

Lines changed: 69 additions & 9 deletions

File tree

README.md

Lines changed: 3 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -212,14 +212,10 @@ See docs/CONFIGURATION.md for the full list of environment variables and configu
212212

213213
### Database
214214

215-
The gateway uses a SQLite database to store users, API tokens, and audit logs:
215+
The gateway uses Postgres to store users, API tokens, and audit logs. Set a connection URL via `DATABASE_URL` (or equivalent `PG*` vars):
216216

217217
```bash
218-
# Default location
219-
Postgres is required; no SQLite support.
220-
221-
# Override with environment variable
222-
DATABASE_URL=postgres://user:pass@host:5432/db?sslmode=require
218+
DATABASE_URL=postgres://user:pass@host:5432/dbname?sslmode=require
223219
```
224220

225221
The database is automatically initialized on first run with an admin user from the first Google OAuth login.
@@ -395,7 +391,7 @@ For issues or questions:
395391

396392
### Retention and scheduled cleanup
397393

398-
Audit events are stored in SQLite for the UI and also emitted to stdout in structured JSON for CloudWatch. To keep the local DB small:
394+
Audit events are stored in Postgres and also emitted to stdout in structured JSON for CloudWatch. To keep the DB lean:
399395

400396
- Environment-based cleanup at boot: set `AUDIT_LOG_RETENTION_DAYS` to purge old rows during startup.
401397
- Scheduled cleanup command (for Convox timers):

docs/CONFIGURATION.md

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -54,9 +54,8 @@ If you’re deploying to production, read this alongside [DEPLOY.md](DEPLOY.md).
5454

5555
## Database and Auditing
5656

57-
Postgres is required; set `DATABASE_URL` or `PG*` variables.
57+
Postgres is required; set `DATABASE_URL` (or `PG*` variables like `PGHOST`, `PGPORT`, `PGUSER`, `PGPASSWORD`, `PGDATABASE`).
5858

59-
- SQLite database path for users, tokens, and audit logs.
6059
- `AUDIT_LOG_RETENTION_DAYS` (optional)
6160
- If set, the server purges audit rows older than N days at startup.
6261
- Also used by the `convox-gateway audit-cleanup --days N` command (see [DEPLOY.md](DEPLOY.md)).

docs/SECRETS.md

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
# Managing Secrets and Env Vars
2+
3+
This gateway enforces secret masking at the proxy layer for every client (web UI, Convox CLI, scripts). Masking is always applied by default. To intentionally view plaintext values, you must be authorized and explicitly request secrets via the gateway.
4+
5+
## How masking works
6+
7+
- The gateway masks values for variables commonly treated as secrets (e.g., keys, passwords, tokens). It also respects an allowlist of additional secret keys via `CONVOX_SECRET_ENV_VARS` (comma‑separated key names).
8+
- To see unmasked values, your account must have the `secrets:view` permission (assigned via RBAC), and you must pass `--secrets` to the CLI.
9+
10+
## Use `convox-gateway env` to request plaintext
11+
12+
The `convox-gateway` CLI exposes an `env` command that talks to the gateway API. Masking is applied by default; pass `--secrets` to request plaintext if you have permission.
13+
14+
Examples below assume you have logged in and selected a rack with:
15+
16+
```bash
17+
convox-gateway login <rack> <gateway-origin>
18+
```
19+
20+
### List env vars (masked by default)
21+
22+
```bash
23+
# Masked output
24+
convox-gateway env -a myapp
25+
26+
# Unmasked if you have permission
27+
convox-gateway env --secrets -a myapp
28+
```
29+
30+
### Get a single key
31+
32+
```bash
33+
# Masked by default
34+
convox-gateway env get DATABASE_URL -a myapp
35+
36+
# Unmasked (requires secrets:view permission)
37+
convox-gateway env get DATABASE_URL --secrets -a myapp
38+
```
39+
40+
### Set / unset env vars
41+
42+
`convox-gateway` provides aliases that delegate to the Convox CLI for writes:
43+
44+
```bash
45+
# Set (delegates to: convox env set)
46+
convox-gateway env set FOO=bar OTHER=baz -a myapp --promote
47+
48+
# Unset (delegates to: convox env unset)
49+
convox-gateway env unset FOO -a myapp --promote
50+
```
51+
52+
Notes:
53+
- Writes occur via the Convox CLI, so they follow Convox semantics (release creation, optional `--promote`, etc.).
54+
- Reads happen via the gateway, with masking applied unless `--secrets` is provided and authorized.
55+
56+
## Convox CLI behavior
57+
58+
- `convox env` (Convox CLI through the gateway): returns masked values by default, with masking enforced by the gateway. The native Convox CLI does not provide an "unmask" option via the gateway.
59+
- To view plaintext values (when authorized), use `convox-gateway env --secrets`.
60+
61+
## Tips
62+
63+
- Avoid pasting unmasked secrets into terminals or logs. Prefer masked reads unless you explicitly need plaintext (`--secrets`).
64+
- For scripting, parse JSON from the gateway API directly if needed; the CLI prints key=value lines for quick inspection.
65+
- Add extra sensitive keys to `CONVOX_SECRET_ENV_VARS` to ensure they are masked by default.

0 commit comments

Comments
 (0)