Search code examples
dockerhibernatequarkusmicroprofiledocker-secrets

Using Docker Secret for Quarkus Data Source Password

I currently work in a project where the client requires a relatively high level of security, and production database passwords are not shared with us developers.

I'm using Quarkus version 1.9.2.Final deployed on Docker Swarm. I was wondering if there is a way to store the datasource password in a Docker Secret and use that password in my application.properties file

My application.properties file

quarkus.datasource.db-kind=other
quarkus.hibernate-orm.dialect=org.hibernate.dialect.Oracle12cDialect
spring.jpa.database-platform=org.hibernate.dialect.Oracle12cDialect
quarkus.datasource.jdbc.driver=oracle.jdbc.driver.OracleDriver
quarkus.datasource.jdbc.url=${db-url}
quarkus.datasource.username=${db-user}
quarkus.datasource.password=${db-pass}
logging.level.org.hibernate.SQL=DEBUG
logging.level.org.hibernate.type=TRACE

My pom.xml Profiles:

<profiles>
    <profile>
        <id>dev</id>
        <activation>
            <activeByDefault>true</activeByDefault>
        </activation>
        <properties>
            <db-url>jdbc:oracle:thin:@//host:1521/dbname</db-url>
            <db-user>dbuser</db-user>
            <db-pass>dbpass</db-pass>
        </properties>
    </profile>

    <profile>
        <id>prod</id>
        <properties>
            <db-url>jdbc:oracle:thin:@//prod-host:1521/dbname</db-url>
            <db-user>prod-dbuser</db-user>
            <db-pass>prod-dbpass</db-pass>
        </properties>
    </profile>
</profiles>

My compose.yml file:

version: "3.1"

services:
  myappservices:
    image: myapp
    deploy:
      replicas: 4
      update_config:
        parallelism: 2
        delay: 10s
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 20s
    ports:
      - "8080:8080"
    hostname: myapp-node{{.Task.Slot}}
    volumes:
      - "/usr/local/myapp:/usr/local/myapp"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 1m30s
      timeout: 10s
      retries: 3

The goal is one of the following:

  1. Replace the prod-dbpass in my pom.xml file with the database password from a Docker Secret.

OR

  1. Remove the db-pass property from the pom.xml file altogether and set the quarkus.datasource.password property in the application.properties file with the database password from a Docker Secret.
Solution

  • You can just define a QUARKUS_DATASOURCE_PASSWORD environment variable.

    That's how you define secrets for anything, be it Kubernetes or Docker.