Tags: docker, docker-compose, docker-swarm, cifs, docker-secrets

How to secure credentials for CIFS volume in docker stack - secrets?


Can secrets be used to store the username and password for use in a volume definition in a stack yaml file?

If so, how?

If not, then how best to not have to include credentials in the yaml file?

For example, my stack contains sections as follows...

networks:
  media-net:
    driver: overlay
    ipam:
      config:
        - subnet: 172.31.1.0/24

secrets:
  smb-user:
    external: true
    name: docker-smb-user
  smb-password:
    external: true
    name: docker-smb-password
...
volumes:
  media-movies:
    name: media-movies
    driver: local
    driver_opts:
      type: cifs
      device: "//storage.lan/media-movies"
      o: "addr=storage.lan,vers=3.0,username=/run/secrets/smb-user,password=/run/secrets/smb-password,uid=1000,gid=1000"

I tried using /run/secrets/smb-user etc. in the options line but got an error which may or may not be related, something like "no route to host".

Do I have both a networking and a credentials problem here? Can the overlay see the lan the hosts are on or is a separate definition required?

I specifically only use yaml files so all definitions can be maintained in a git repo.


Solution

  • There is no need for secrets. This is a named volume, meaning once it's created, it will persist until all containers using it are deleted and the volume is manually removed.

    If you want this information to be secret just omit it from docker-compose completely and create it manually once with:

    docker volume create `
      --driver local `
      --opt type=cifs `
      --opt device=//storage.lan/media-movies `
      --opt o=addr=storage.lan,vers=3.0,username=foo,password=bar,uid=1000,gid=1000 `
      media-movies
    

    You may want to add this to the README for future reference (with blanked credentials, of course). Then you just need to specify that it is external in the volume details in your docker-compose file.

    volumes:
      media-movies:
        external: true
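A caveat to the manual-creation approach: the password passed in `o=` ends up in the shell history of whoever ran the command and in the `Options` field shown by `docker volume inspect`, readable by anyone with access to the Docker socket. The following script is an added example (not code from the asker or the answerer) that keeps the credentials out of both places by putting them in a root-only file on the host and referencing it with the `credentials=` mount option of mount.cifs, which the `local` driver hands the `o=` string to. It assumes the mount.cifs `credentials=` file format (`username=`/`password=` lines), the server and share names from the question, a placeholder file path `/root/.smb-media-movies.cred`, and the placeholder credentials `foo`/`bar` from the answer. Because the `local` driver mounts on whichever swarm node runs the container, the credentials file has to exist at the same path on every node that may schedule the service.

```shell
#!/bin/sh
# Added example: create the CIFS named volume once, by hand, with the SMB
# credentials read from a 0600 file on the host instead of being embedded in
# the stack YAML, the command line, or the volume's stored driver options.
# Assumptions: mount.cifs on the host honours "credentials=<file>"; the file is
# present on every swarm node that may run the container.
set -eu

# Write a mount.cifs credentials file (username=/password= lines) with mode 0600.
# The subshell keeps the restrictive umask from leaking into the caller.
write_cred_file() {
    # $1 file path, $2 username, $3 password
    ( umask 077; printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"   # also fixes the mode if the file already existed
}

# Return 0 only if the file exists, is exactly mode 0600, and has both lines.
cred_file_ok() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 600 -print)" ] || return 1
    grep -q '^username=' "$1" && grep -q '^password=' "$1"
}

# Build the "o=" string for the volume: no username=/password= in it, only
# the host path of the credentials file.
build_mount_opts() {
    # $1 server, $2 credentials file path, $3 uid, $4 gid
    printf 'addr=%s,vers=3.0,credentials=%s,uid=%s,gid=%s' "$1" "$2" "$3" "$4"
}

# Create the named volume; the compose file then declares it "external: true".
create_volume() {
    # $1 volume name, $2 server, $3 share, $4 credentials file path
    opts=$(build_mount_opts "$2" "$4" 1000 1000)
    docker volume create \
        --driver local \
        --opt type=cifs \
        --opt "device=//$2/$3" \
        --opt "o=$opts" \
        "$1"
}

# Check that the stored driver options do not contain the password itself.
inspect_has_no_password() {
    # $1 volume name, $2 password to look for
    ! docker volume inspect "$1" | grep -Fq -- "$2"
}

# Only touch docker when explicitly asked, so the functions above can be
# sourced or tested without a Docker daemon.
if [ "${1:-}" = "--create" ]; then
    CRED=/root/.smb-media-movies.cred          # placeholder path (assumption)
    write_cred_file "$CRED" "foo" "bar"        # placeholder credentials from the answer
    cred_file_ok "$CRED" || { echo "credentials file is not 0600 or incomplete" >&2; exit 1; }
    create_volume media-movies storage.lan media-movies "$CRED"
    inspect_has_no_password media-movies "bar" && echo "password is not stored in the volume metadata"
fi
```

Run as `sh create-media-volume.sh --create` on each swarm node as root; the `volumes:` section in the stack file stays exactly as the answer shows it, with `external: true` and no credentials. Rotating the password then means editing the file on the hosts, not re-creating the volume.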