From 30859ff9f9bc833b50e40168ba06117f499edcdf Mon Sep 17 00:00:00 2001
From: Gorbasch <57012534+mbegerau@users.noreply.github.com>
Date: Wed, 10 Sep 2025 23:56:07 +0200
Subject: [PATCH] fix(encryption): set correct default secret key path (#12848)

Co-authored-by: Gorbasch <57012534+mbegerau@users.noreply.github.com>
---
 api/cmd/portainer/main.go | 4 ++--
 api/cmd/portainer/main_test.go | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index fcc4a7579..c569d0d67 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -309,13 +309,13 @@ func initKeyPair(fileService portainer.FileService, signatureService portainer.D

 // dbSecretPath build the path to the file that contains the db encryption
 // secret. Normally in Docker this is built from the static path inside
-// /run/portainer for example: /run/portainer/ but for ease of
+// /run/secrets for example: /run/secrets/ but for ease of
 // use outside Docker it also accepts an absolute path
 func dbSecretPath(keyFilenameFlag string) string {
 if path.IsAbs(keyFilenameFlag) {
 return keyFilenameFlag
 }
- return path.Join("/run/portainer", keyFilenameFlag)
+ return path.Join("/run/secrets", keyFilenameFlag)
 }

 func loadEncryptionSecretKey(keyfilename string) []byte {
diff --git a/api/cmd/portainer/main_test.go b/api/cmd/portainer/main_test.go
index da271949f..90fd827cd 100644
--- a/api/cmd/portainer/main_test.go
+++ b/api/cmd/portainer/main_test.go
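Review bot: In main.go, `dbSecretPath` now resolves relative key names under `/run/secrets` with no fallback and no log line, so a deployment whose key file sits where the previous default pointed (`/run/portainer/<name>`) will stop finding it after upgrading. `loadEncryptionSecretKey` only begins on the hunk's last context line, so how a missing key file is handled is not visible here; if it is treated as "no key configured", the failure would be silent rather than a startup error. Consider logging the resolved path where the key is loaded, and stating the contract in the doc comment, e.g. `// Relative names resolve under /run/secrets (the Docker secrets mount); pass an absolute path for any other location.`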
@@ -43,12 +43,12 @@ func TestDBSecretPath(t *testing.T) {
 keyFilenameFlag string
 expected string
 }{
- {keyFilenameFlag: "secret.txt", expected: "/run/portainer/secret.txt"},
+ {keyFilenameFlag: "secret.txt", expected: "/run/secrets/secret.txt"},
 {keyFilenameFlag: "/tmp/secret.txt", expected: "/tmp/secret.txt"},
- {keyFilenameFlag: "/run/portainer/secret.txt", expected: "/run/portainer/secret.txt"},
- {keyFilenameFlag: "./secret.txt", expected: "/run/portainer/secret.txt"},
+ {keyFilenameFlag: "/run/secrets/secret.txt", expected: "/run/secrets/secret.txt"},
+ {keyFilenameFlag: "./secret.txt", expected: "/run/secrets/secret.txt"},
 {keyFilenameFlag: "../secret.txt", expected: "/run/secret.txt"},
- {keyFilenameFlag: "foo/bar/secret.txt", expected: "/run/portainer/foo/bar/secret.txt"},
+ {keyFilenameFlag: "foo/bar/secret.txt", expected: "/run/secrets/foo/bar/secret.txt"},
 }

 for _, test := range tests {
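Review bot: The unchanged case `{keyFilenameFlag: "../secret.txt", expected: "/run/secret.txt"}` pins that a relative name containing `..` resolves outside `/run/secrets`, because `path.Join` cleans the joined result. If the key file is meant to stay inside the secrets directory, `dbSecretPath` should reject such names and this case should assert the rejection; if the escape is intended, a short comment on the case would record that. The table also has no entry for an empty flag value, which `path.Join` would resolve to the directory `/run/secrets` itself; `{keyFilenameFlag: "", expected: "/run/secrets"}` would pin that. The table's struct declaration starts before the hunk and the loop body continues after it.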