Explore use of Docker Secrets #101
Comments
I would want to see how Docker Secrets fits into the OCI Container specifications. For the most part Docker tends to follow the OCI Specs. I know Kubernetes will use a driver for secrets. Other than interoperability with Podman/K3s/runc and other runtimes that can use docker-compose.yml files, I'm unsure if Docker Secrets uses hashing? Ideally, any user supplied secrets would be created interactively and hashed directly to the container with any temp file or terminal history cleaned after so there are no unhashed secrets ever present in the containers: $ export HASHED_PASSWORD=$(openssl passwd -apr1)
"Secrets are encrypted during transit and at rest in a Docker swarm. A given secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running." I've pushed changes to the develop branch that use secrets for all passwords and API secret keys. This will require the user to specify env variables that point to files that contain those secrets, which then are mounted for specific container services and not available as free text env variables.
Added to develop branch
The best practice for passing credentials (passwords, tokens, etc.) to Docker is to use Docker Secrets, not env variables.
With Docker Secrets, you assert a secret file, and Docker mounts it within the container as /run/secret/. But you need the image to have the ability to handle reading from files.
For most of our services, we can utilize Docker Secrets pretty easily, but for WebAPI, we may need to use something like this:
https://sedkyaboushamalah-78619.medium.com/docker-secrets-multiple-environments-and-java-spring-boot-ea6c6c92c0ea
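The pattern described in this thread (an env variable that names a mounted secret file, read by the container at startup instead of holding the credential itself) is shown below as an added example. It is not code from the project or from any commenter; the function name read_secret, the DB_PASSWORD / DB_PASSWORD_FILE variable names and the sample file are assumptions chosen for illustration. The same logic works for any service that starts from a shell entrypoint.

```shell
#!/bin/sh
# Added example (not the project's own code). Resolve a credential the way a
# container entrypoint would when Docker Secrets are in use:
#   1. if ${NAME}_FILE is set, read the secret from that file
#      (Docker mounts file secrets under /run/secrets/<name>);
#   2. otherwise fall back to a plain ${NAME} env variable;
#   3. fail if neither is set, so a misconfigured service does not start
#      with an empty password.
#
# Usage inside an entrypoint (hypothetical variable names):
#   DB_PASSWORD=$(read_secret DB_PASSWORD) || exit 1
#   export DB_PASSWORD

read_secret() {
    name=$1
    file_var="${name}_FILE"

    # Indirect expansion without bash-isms: look up "${DB_PASSWORD_FILE:-}".
    eval "file=\${$file_var:-}"

    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "read_secret: $file_var points to unreadable file: $file" >&2
            return 1
        fi
        # A world-readable secret file defeats the purpose of a mounted secret;
        # warn but still return the value so startup is not blocked.
        if [ -n "$(find "$file" -prune -perm -004 2>/dev/null)" ]; then
            echo "read_secret: warning: $file is world-readable" >&2
        fi
        # Command substitution drops the trailing newline most secret files end with.
        value=$(cat "$file")
        printf '%s' "$value"
        return 0
    fi

    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "read_secret: neither $file_var nor $name is set" >&2
        return 1
    fi
    printf '%s' "$value"
}
```

In a compose file the matching service would declare the secret under `secrets:` and set `DB_PASSWORD_FILE=/run/secrets/db_password`; with this helper the plain `DB_PASSWORD` variable only exists in the process environment after the file has been read, never in `docker inspect` output or the compose file itself.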