
Utilizing Docker Secret

It often happens that we need to provide secrets such as passwords, keys, or other private values to our Docker containers. If we use the docker-compose tool to create our containers, the simplest option is to put the secrets as environment variables in the docker-compose.yaml file. But if we then share our configuration with others, or commit it to a repository, they get the secrets too. Environment variables are also easy to read from outside the container: anyone who can run docker inspect on the container, or read /proc/<pid>/environ on the host, sees them. To overcome that, we can use a feature provided by Docker itself called a Docker secret, or just a secret.

For instance, we want to build a container for the PostgreSQL database. The official PostgreSQL image allows us to set the database superuser password either by providing a value in the POSTGRES_PASSWORD variable, or by pointing POSTGRES_PASSWORD_FILE at a file inside the container that contains the password.

services:
  postgres:
    image: postgres
    environment:
      # a literal $ must be written as $$ in a Compose file,
      # otherwise Compose tries to interpolate it as a variable
      - POSTGRES_PASSWORD=$$3cureP4ssword

Or, we can use a Docker bind mount: store the password in a file on the host, mount that file (read-only) into the container, and instruct the image to read the secret from the mounted path.

services:
  postgres:
    image: postgres
    volumes:
      - /project/path/my_secret_file:/var/lib/postgresql/my_secret_file:ro
    environment:
      - POSTGRES_PASSWORD_FILE=/var/lib/postgresql/my_secret_file

A secret works much like a special volume mount with its own conventions. First, we create a file in our project that contains the password for our database service, for example /project/path/my_secret_file. The file must contain only the password value, for example just $3cureP4ssword and nothing else. Then, much as with a volume, we define the secret at the top level of the Compose file and enable it for the service. Compose mounts the file into the container in a directory it manages for this purpose, /run/secrets/, under the secret's name, so here it appears as /run/secrets/the_secret_name. Lastly, we set the environment variable to point at that path. The Compose file now contains only the path to the secret file, never its value, so it can be shared or committed; the secret file itself should stay out of version control (for example via .gitignore) and be readable only by the user who runs Compose. If the service expects the file under a different name, the long syntax of the service-level secrets entry (source and target) lets us choose the path inside /run/secrets/.

services:
  postgres:
    image: postgres
    secrets:
      - the_secret_name
    environment:
      - POSTGRES_PASSWORD_FILE=/run/secrets/the_secret_name

secrets:
  the_secret_name:
    file: /project/path/my_secret_file
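As an added example (not part of the original post), here is a small POSIX shell script that sets a project up the way described above: it generates the password file with owner-only permissions, writes a docker-compose.yaml that references that file as a secret, and checks that the Compose file contains no inline password. The file names (secrets/postgres_password), the PROJECT_DIR variable and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): prepare a Compose project that
# passes the PostgreSQL password as a file-backed secret instead of an
# environment variable. Paths, the PROJECT_DIR variable and the function
# names are assumptions of this example.
set -eu

# Generate a random password into <path> so it is never typed into a YAML file.
# The file holds only the password (no trailing newline) and is created with
# mode 600, so other local users cannot read it.
make_secret_file() {
  mkdir -p "$(dirname "$1")"
  rm -f "$1"
  (umask 077; head -c 24 /dev/urandom | base64 | tr -d '\n' > "$1")
  chmod 600 "$1"
  printf '%s\n' "$1"
}

# Write the Compose file. It references the secret by path only, so this file
# can be committed or shared; the secret file itself belongs in .gitignore.
write_compose_file() {
  cat > "$1" <<'EOF'
services:
  postgres:
    image: postgres
    secrets:
      - the_secret_name
    environment:
      - POSTGRES_PASSWORD_FILE=/run/secrets/the_secret_name

secrets:
  the_secret_name:
    file: ./secrets/postgres_password
EOF
}

# Succeed only if no inline POSTGRES_PASSWORD=... value is present.
# POSTGRES_PASSWORD_FILE=... does not match because of the '=' in the pattern.
compose_has_no_inline_secret() {
  ! grep -q 'POSTGRES_PASSWORD=' "$1"
}

# Succeed only if the secret file is readable by its owner alone (mode 600).
# GNU stat takes -c, BSD/macOS stat takes -f; try both.
secret_file_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Stand-alone usage: build a project directory (a temporary one unless
# PROJECT_DIR is set), check it, and print the docker compose commands to run.
project=${PROJECT_DIR:-$(mktemp -d)}
make_secret_file "$project/secrets/postgres_password" >/dev/null
write_compose_file "$project/docker-compose.yaml"
compose_has_no_inline_secret "$project/docker-compose.yaml"
secret_file_is_private "$project/secrets/postgres_password"
echo "project ready in $project"
echo "start with:  docker compose -f $project/docker-compose.yaml up -d"
echo "verify with: docker compose -f $project/docker-compose.yaml exec postgres cat /run/secrets/the_secret_name"
```

The two check functions are the part worth keeping around: run compose_has_no_inline_secret against every Compose file before committing it, and secret_file_is_private against the files listed under the top-level secrets: key, so a password that slipped into the YAML or a secret file that was created world-readable is caught on the host rather than discovered in the container.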
