I have a docker-compose file that connects an app with a database. I'm using Docker secrets to hide sensitive data, in this case DB credentials. While I can do so with the database service, I'm not able to do the same within the app service, specifically for the ConnectionString. I couldn't find much in the documentation regarding this, nor did I find such cases online. There is one example in the documentation, with a WordPress service, that suggests the solution I'm seeking, but that seems to be only WordPress-related. Where do I go from here?
Wordpress example in documentation:
wordpress:
  depends_on:
    - db
  image: wordpress:latest
  ports:
    - "8000:80"
  environment:
    WORDPRESS_DB_HOST: db:3306
    WORDPRESS_DB_USER: wordpress
    WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
  secrets:
    - db_password
My docker-compose file:
version: '3.8'
services:
  testapp:
    image: testapp
    depends_on:
      - testapp_db
    build:
      context: .
      dockerfile: TestApp/Dockerfile
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://+:80
      # This works
      - ConnectionStrings__DefaultConnection=Server=testapp_db;Database=TestApp;UserId=postgres;Password=postgres;
      # But I want to do something like this
      - ConnectionStrings__DefaultConnection=/run/secrets/connection_string
    ports:
      - "60001:80"
    secrets:
      - connection_string
    networks:
      - testapp-network
  testapp_db:
    image: postgres:latest
    environment:
      POSTGRES_USER_FILE: /run/secrets/db_user
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
      POSTGRES_DB: TestApp
    ports:
      - "5500:5432"
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ./Persistence/Scripts/db_init.sql:/docker-entrypoint-initdb.d/create_tables.sql
    restart: always
    secrets:
      - db_user
      - db_password
    networks:
      - testapp-network
volumes:
  postgres-data:
secrets:
  db_password:
    file: ./run/secrets/docker-postgres/db_password
  db_user:
    file: ./run/secrets/docker-postgres/db_user
  connection_string:
    file: ./run/secrets/docker-postgres/connection_string
networks:
  testapp-network:
    driver: bridge
It's actually not related to WordPress; it's general purpose, and you can use it in a similar way. Docker mounts the secret content at /run/secrets/connection_string.
Your code can read the variable and it will get the path from there, which is /run/secrets/connection_string.
Now your code can read that file at runtime and get the content of the secret, as simple as that.
Here you can refer to my GitHub repo for an example: https://github.com/harsh4870/docker-compose-secret
Node.js example code: https://github.com/harsh4870/docker-compose-secret/blob/main/index.js
Update
You can write a docker-compose file with an entrypoint that will set the environment variable from a file and after that run the main process.
version: '3'
services:
  redis-server:
    image: 'redis'
  node-app:
    secrets:
      - connection_string
    build: .
    restart: "no"
    entrypoint: [ "sh", "-c", "export connection=$(cat /run/secrets/connection_string) && npm start"]
    ports:
      - "4001:8000"
secrets:
  connection_string:
    file: ./connection_string
Your application or code will be able to use the env var connection and access the value directly.
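
A more general form of the entrypoint approach in the answer above, as an added example (not code from the question, the answer, or the linked repository): a POSIX sh wrapper that applies the `NAME_FILE` convention of the WordPress and Postgres images to any app, so the asker's `ConnectionStrings__DefaultConnection` can be filled from `/run/secrets/connection_string`. The `load_file_env` function, the `SECRET_ENV_VARS` variable and the compose settings named in the comments are assumptions made for this example.

```sh
#!/bin/sh
# Added example: generic entrypoint wrapper for the NAME_FILE convention.
# Assumed compose settings for the question's testapp service (hypothetical):
#   ConnectionStrings__DefaultConnection_FILE=/run/secrets/connection_string
#   SECRET_ENV_VARS=ConnectionStrings__DefaultConnection
#   entrypoint: this script, followed by the image's normal start command

# load_file_env NAME: if NAME_FILE is set, export NAME with that file's content.
load_file_env() {
    _name=$1
    # Only accept a plain identifier, because it is passed to eval below.
    case $_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "error: invalid variable name" >&2; return 2 ;;
    esac
    eval "_direct=\${$_name-}"
    eval "_file=\${${_name}_FILE-}"
    [ -n "$_file" ] || return 0      # no NAME_FILE: leave NAME untouched
    if [ -n "$_direct" ]; then
        echo "error: both $_name and ${_name}_FILE are set" >&2; return 1
    fi
    if [ ! -f "$_file" ] || [ ! -r "$_file" ]; then
        echo "error: secret file for $_name is not readable" >&2; return 1
    fi
    # $(...) strips the trailing newline most editors add to the secret file.
    _value=$(cat "$_file")
    if [ -z "$_value" ]; then
        echo "error: secret file for $_name is empty" >&2; return 1
    fi
    export "$_name=$_value"
    unset "${_name}_FILE"            # the path is no longer needed
}

# Resolve each listed variable; abort startup if any secret cannot be loaded.
for _var in ${SECRET_ENV_VARS-}; do
    load_file_env "$_var" || exit 1
done

# Replace the shell with the real process so it is PID 1 and receives signals.
[ "$#" -eq 0 ] || exec "$@"
```

The exported value lives in the process environment (readable, for example, through `/proc/<pid>/environ` inside the container and inherited by child processes), so reading the secret file directly in application code, as the answer first describes, keeps it out of the environment altogether.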