ENV variables in Configs/Secrets #37377
Comments
Not sure that environment variables are any more secure, but this substitution should be taken care of by the shell and not the CLI. This should be in https://github.com/docker/cli in any case, so closing here.
Configs are actually stored using the same mechanisms as secrets in Swarm; both are stored encrypted, and mount as RAMfs in the running container (so that they won't be stored on-disk).

If I understand your use-case correctly, Docker 18.03 and up supports "templated" configs and secrets (implemented through #33702 and docker/cli#896), which allow you to use placeholders in your configs that are replaced at runtime by their actual value; this way, you're able to separate (reusable) configurations, and insert the secret (or environment variables, or other properties) in the configuration at runtime.

Having said the above; when designing the Documentation is lagging behind on this feature (docker/docs#6207), but below is an example;

Create a (non-templated) "secret" and "config";

Create a templated config (

```
docker config create --template-driver=golang example -<<'EOF'
This template is used on service: {{.Service.Name}}
This container is running on node with ID: {{.Node.ID}}
HELLO environment variable is: {{env "HELLO"}}
Secret "secret1" contains: {{secret "secret1"}}
Some other config ("config1") contains: {{config "config1"}}
EOF
```

Create a service named

```
docker service create \
  --name myservice \
  --env HELLO=world \
  --secret src=mysecret,target=secret1 \
  --config src=foobar,target=config1 \
  --config src=example,target=/myconfig \
  nginx:alpine
```

When the service is deployed, exec into a container backing the service, and check the content of

```
docker exec myservice.1.oszp02hc0wllxf6m2uqj02imk cat /myconfig
This template is used on service: myservice
This container is running on node with ID: oifk2p0hd4tvlb62uf76womx0
HELLO environment variable is: world
Secret "secret1" contains: This is secret mysecret
Some other config ("config1") contains: Hello, this is foobar
```
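An added example, not part of the thread and not Docker's own code: a local preview of a templated config using Go's `text/template`, with `env`, `secret` and `config` functions named after the placeholders in the comment above. The `Ctx` type, `lookup` and `Render` are hypothetical, and failing on any name that is not attached to the service is this example's own strictness, useful for catching a template that references a secret the service was never granted.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Ctx is a hypothetical stand-in for what a service exposes to a templated config.
type Ctx struct {
	Service struct{ Name string }
	Node    struct{ ID string }
	Env     map[string]string // values passed with --env
	Secrets map[string]string // secret target name -> value
	Configs map[string]string // config target name -> value
}

// lookup builds a template function that fails on names missing from m.
func lookup(kind string, m map[string]string) func(string) (string, error) {
	return func(name string) (string, error) {
		v, ok := m[name]
		if !ok {
			return "", fmt.Errorf("%s %q is not attached to the service", kind, name)
		}
		return v, nil
	}
}

// Render expands src with text/template and the three lookup functions.
func Render(src string, c Ctx) (string, error) {
	t, err := template.New("config").Funcs(template.FuncMap{
		"env":    lookup("env", c.Env),
		"secret": lookup("secret", c.Secrets),
		"config": lookup("config", c.Configs),
	}).Parse(src)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, c); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed sample values taken from the names used in the thread.
	c := Ctx{Env: map[string]string{"HELLO": "world"}, Secrets: map[string]string{"secret1": "This is secret mysecret"}}
	c.Service.Name = "myservice"
	fmt.Println(Render(`{{.Service.Name}}: {{env "HELLO"}} / {{secret "secret1"}}`, c))
	fmt.Println(Render(`{{secret "secret2"}}`, c)) // error: secret2 was never attached
}
```

The rendered text contains the secret value in clear, so the output of a templated config deserves the same handling as the secret it interpolates.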
@thaJeztah this is EXACTLY the functionality I was looking for, thanks a lot for the explanation and link to future docs :)!
Great!! Contributions are welcome on those docs 😇 I know the team has been very busy, so this likely fell into their backlog 😅
Description
Since configs are the recommended way of providing configuration files for services, it would be great to be able to specify environment variables or use some sort of templating, so plain text secrets don't have to be used in a config. Right now it is impossible to provide a secret into a config/secret file in a secure way.
Steps to reproduce the issue:
echo The path is $PATH | docker config create test-config
Describe the results you received:
The string "The path is $PATH" is in the config
Describe the results you expected:
See the actual value of the $PATH environment variable instead of "$PATH"
Output of docker version: