Docker: Add support for reading config secrets from files #813

Closed
belthesar opened this issue Jan 28, 2025 · 3 comments

@belthesar

Hi there! Currently, in order to specify secrets such as the JWT secret to kutt, these must be provided via environment variables. Storing secrets in an environment file or in the environment block of a compose spec file is less ideal, especially if deployment and application config are managed in a git repo.

While Kubernetes, Podman, and other container runtimes do have support for exposing config and secrets as environment files, Docker cannot. Environment variables are distinct from Docker's Secret context, which expects to provide secrets as files (eg: /run/secrets/secret_name).

Many Dockerized applications add support for using file contents as secrets by providing optional environment variables with the extension "_FILE". In an example relevant to kutt's JWT Secret, kutt could be provided with an environment variable configured like this:
JWT_SECRET_FILE=/run/secret/jwt
Where kutt is checking its environment variables, if JWT_SECRET_FILE is set, it would check for the existence of a file at the path, and if it exists, set the value of JWT_FILE to the contents of the file.

Ultimately, it would be nice if Docker's secrets API was updated to support deploying secrets as environment variables as well as files. Until then, this support would be very welcome.
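
An added example, not part of the original issue and not kutt's code: one way a Node.js service could implement the `_FILE` convention described above. The helper name `resolveFileSecrets` and the temp-file demo are hypothetical; the helper fails closed when both forms are set or when the file is unreadable or empty.

```javascript
// Added example: hypothetical helper, not kutt's implementation.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// For each NAME, accept either NAME or NAME_FILE (a path to a file holding the value).
function resolveFileSecrets(env, names) {
  const out = { ...env };
  for (const name of names) {
    const fileVar = `${name}_FILE`;
    const filePath = env[fileVar];
    if (!filePath) continue; // no *_FILE set: keep any plain value as-is
    if (env[name]) {
      // Two sources for one secret is ambiguous, so refuse to start.
      throw new Error(`${name} and ${fileVar} are both set; use only one`);
    }
    let value;
    try {
      value = fs.readFileSync(filePath, "utf8");
    } catch (err) {
      // Report the variable name and error code, never file contents.
      throw new Error(`${fileVar}: cannot read secret file (${err.code})`);
    }
    value = value.replace(/\r?\n$/, ""); // drop one trailing newline left by editors/echo
    if (value === "") throw new Error(`${fileVar}: secret file is empty`);
    out[name] = value;
    delete out[fileVar]; // downstream code only ever sees NAME
  }
  return out;
}

// Constructed demo: a temp file stands in for the mounted Docker secret.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "secret-demo-"));
  const file = path.join(dir, "jwt");
  fs.writeFileSync(file, "constructed-sample-secret\n", { mode: 0o600 });
  try {
    return resolveFileSecrets({ JWT_SECRET_FILE: file }, ["JWT_SECRET"]);
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

console.log(Object.keys(demo())); // prints key names only, not the secret
```

Run before the application reads its configuration, for example by passing `process.env` and the list of secret variable names and using the returned object as the config source.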

@trgwii
Member

trgwii commented Jan 29, 2025

I'm finding:

docker run --env "..." ...
docker run --env-file "..." ...

Why can't those be used?

@belthesar
Author

Consider a deployment context where I want to store application config alongside a Compose manifest defining the service stack in a git repo. Were I using Environment declarations, or Environment Files to store the application config, that would need to be stored in the git repo as well. This would mean that I am storing secrets in git, which does not align with sane deployment best practices.

Specifically, this is an ask to add support for reading secrets in a way that is compatible with Docker Secrets (https://docs.docker.com/engine/swarm/secrets/), which can be augmented with HashiCorp Vault, AWS Secrets Manager, or other Secret Stores.

@trgwii
Member

trgwii commented Jan 30, 2025

#814

@poeti8 poeti8 closed this as completed in 86e4ba8 Feb 6, 2025