A Docker Swarm secret adapter
The best practice to pass configuration to an application is using environment variables, as described in 12 Factor App: this ensures strict separation of configuration from code and allows easy configuration changes between deployments.
This is possible with Kubernetes by mounting secrets as environment variables. Docker Swarm currently lacks this feature, because it only allows mounting secrets and configs in the container filesystem.
Swarmcret is a solution that can be used to adapt configuration mounted in the filesystem into a set of environment variables.
"Swarmcret" is a portmanteau of "swarm" and "secret", and it is also the Frisian translation for "swarm".
- Mount your secrets in the /var/run/secrets path
- Mount your configs in the /var/run/configs path
- Load the Swarmcret Docker image into a multi-stage Dockerfile:

      FROM xstefanox/swarmcret:1.0 as swarmcret

      # then in the production stage...
      COPY --from=swarmcret /swarmcret /usr/local/bin/swarmcret

- Put Swarmcret in the image entrypoint

  Standalone example:

      ENTRYPOINT [ "swarmcret"]

  Example with Tini:

      ENTRYPOINT [ "tini", "--", "swarmcret"]
Swarmcret scans the secrets and configs directories and converts each file into an environment variable having the same name as the file and the file content as its value.

Given the following secret mounted in the filesystem

    /var/run/secrets/MY_SECRET

whose value is the_secret_value, Swarmcret will convert it into the following environment variable

    MY_SECRET=the_secret_value

It then starts the command defined in the CMD statement of the Dockerfile. Since this process is created with the execve syscall, it will inherit the signal handlers of Swarmcret itself: this ensures compatibility with Tini (or other container init processes).
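
The file-to-variable conversion and the final exec described above, sketched in Python as an added example (this is not Swarmcret's source code). The name validation, the NUL check, the stripping of one trailing newline and the rule that secrets override configs on a name clash are assumptions of this sketch, not documented Swarmcret behaviour.

```python
import os
import re
import sys

# Directories named on this page; secrets are read last so they win on a
# name clash (assumed precedence).
DEFAULT_DIRS = ("/var/run/configs", "/var/run/secrets")
VALID_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def load_env(dirs=DEFAULT_DIRS):
    """Return {file name: file content} for every usable file in dirs."""
    env = {}
    for directory in dirs:
        if not os.path.isdir(directory):
            continue  # nothing mounted at this path
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            # Skip subdirectories and names that cannot be variable names.
            if not os.path.isfile(path) or not VALID_NAME.fullmatch(name):
                continue
            with open(path, "rb") as fh:
                raw = fh.read()
            if b"\0" in raw:
                continue  # execve cannot carry a NUL byte inside a value
            # Assumption: one trailing newline comes from how the secret
            # was created and is not part of its value.
            if raw.endswith(b"\n"):
                raw = raw[:-1]
            env[name] = os.fsdecode(raw)
    return env


def main(argv):
    if len(argv) < 2:
        sys.exit("usage: entrypoint COMMAND [ARG...]")
    env = dict(os.environ)
    env.update(load_env())
    # execvpe replaces this process image and keeps the PID, so signals sent
    # by an init process such as Tini are delivered to the command itself.
    os.execvpe(argv[1], argv[1:], env)


if __name__ == "__main__":
    main(sys.argv)
```

Values exported this way are inherited by every child process the command starts.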