Using Docker Secrets in your Environment Variables
If you want to use Docker containers in production, chances are you’ll want to store your credentials in a secure way. A way to do that for Docker Swarm is to use Docker secrets.
A secret can be defined easily enough on your swarm manager using the following:
echo "mysupersecurepassword" | docker secret create my_password_secret -
Now, you will probably want to reference secrets from your environment variables, but that is unfortunately not supported yet. In order to do just that, there is a workaround implemented in the official docker Mysql and WordPress containers.
Secrets are accessible from the containers that have access to them by using the file path /run/secrets/my_password_secret, so what you can do, is add another environment variable to your docker-compose, having a custom name (appending _FILE for example)
version: '3.3'
secrets:
my_password_secret:
external: true
services:
db:
image: mysql:5.7
environment:
MYSQL_PASSWORD_FILE: /run/secrets/my_password_secret
secrets:
- my_password_secret
And in your container entrypoint, call the following function for each environment variable you have set up.
#!/usr/bin/env bash
set -e
file_env() {
local var="$1"
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
exit 1
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
export "$var"="$val"
unset "$fileVar"
}
file_env "MYSQL_PASSWORD"
This will export the value stored in the secret to the correct environment variable (MYSQL_PASSWORD in this case)