I am new to Docker, so please forgive my elementary question. I am confused as to the best way to pass secrets into the Docker container environments. I am using Docker Compose and do not want to use more complex platforms such as Kubernetes because I am hosting a very simple Django Rest Framework application.
I understand the concepts of Docker Compose Secrets but what I do not understand is how you securely provide the file with the secret in the first place. The Docker Image would ordinarily be built from a GitHub repo, but I do not want to expose the secret in the file in the repo that would be passed into the Docker Image.
For example, let's say I want to store my Django secret key. I would pass it into Docker Compose like so:
```yaml
services:
  myapp:
    image: myapp:latest
    secrets:
      - django_secret_key

secrets:
  django_secret_key:
    file: ./my_django_secrets.txt
```
What I cannot understand is how you pass `my_django_secrets.txt` into the build WITHOUT exposing it in the Git repo. I come from a background of using local `.env` files and setting environment variables on the end server, but I cannot figure out the best way to replicate this inside Docker.
Thank you in advance for your help!
How would the process look ideally? Once I submit the source files (including the Dockerfile and docker-compose file) and have GitHub Actions assemble the image, how does `my_django_secrets` eventually get passed in?
Your compose file has nothing to do with building your image. Only the `Dockerfile` is required for that stage. Your repository would contain your `Dockerfile` and `compose.yaml` files, and your GitHub action would use `docker build` to build and push the image somewhere (here is a GitHub action that I use to build and push container images to GitHub's container repository).
Locally -- or wherever you want to run the image -- you would run `docker compose up`. This would pull the image and start a container, and would apply any secrets, volume mounts, bind mounts, environment variables, etc.
So for example, `my_django_secrets.txt` would not be included in the repository. This would only exist locally. Given the configuration you show in your question...
```yaml
services:
  myapp:
    image: myapp:latest
    secrets:
      - django_secret_key

secrets:
  django_secret_key:
    file: ./my_django_secrets.txt
```
...then the secret would be exposed in the container as the file `/run/secrets/django_secret_key`.
You can accomplish something similar using environment variables. Given a compose file like this:
```yaml
services:
  myapp:
    image: myapp:latest
    environment:
      DJANGO_SECRET_KEY: ${DJANGO_SECRET_KEY}
```
If you have a local `.env` file that contains:

```
DJANGO_SECRET_KEY=secret
```
Then after running `docker compose up`, in your container the variable `DJANGO_SECRET_KEY` would be available with the value `secret`.
In this example, that `.env` file would not be part of the repository; you would create it locally or wherever you are running the container.