Better password management for Docker (parameterized, docker secrets, etc)

[dphildebrandt]

Now that we have an official docker image (yay!) it would be great to use docker secrets rather than set a .env variable, having them in connection strings, and/or put the secret in your own personal docker-compose file.

Imagining something like:

    environment:
      DATABASE_HOSTNAME: rallly_db
      DATABASE_PORT: 5432
      DATABASE: db
      DATABASE_USER: postgres
      DATABASE_PASSWORD_FILE: /run/secrets/rallly_postgres_password
      SECRET_PASSWORD_FILE: /run/secrets/rallly_password

[dphildebrandt]

Rallly has come a long way, the self-hosting is pretty awesome!!!

The final cherry on top would be to see this happen, and most config.env variables able to be set in the docker-compose environment variables instead. It would make infrastrucutre-as-code simpler (no need for config.env) and/or prevent passwords from being exposed (in the docker-compose file, or the plain config.file) by using docker secrets.

[ltguillaume]

@dphildebrandt I already tried to get this to work before I saw your posts here. Have you found a way to use it?

I failed to do so, probably because I had issues finding comprehensive documentation rather than it not being possible for Rallly. Turns out that if the docker docs were more complete, I wouldn't have even tried:

Source: https://docs.docker.com/engine/swarm/secrets/

1. Secrets need docker swarm: docker swarm init
2. Create the secret (e.g. for SMTP password): echo <somepassword> | docker secret create smtp_pwd -
3. Comment out SMTP_PWD from the .env file
4. Add the secret to docker-compose.yml:

services:
  rallly_db:
    image: postgres:14.2
    restart: always
    volumes:
      - db-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=postgres
      - POSTGRES_DB=db
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 5s
      timeout: 5s
      retries: 5

  rallly:
    image: lukevella/rallly:latest
    restart: always
    depends_on:
      rallly_db:
        condition: service_healthy
    ports:
      - 3000:3000
    environment:
      - DATABASE_URL=postgres://postgres:postgres@rallly_db:5432/db
-----------------------------------------------------------------------------
      - SMTP_PWD=/run/secrets/smtp_pwd
    secrets:
      - smtp_pwd
-----------------------------------------------------------------------------
    env_file:
      - .env

volumes:
  db-data:
    driver: local

-----------------------------------------------------------------------------
secrets:
  smtp_pwd:
    external: true
-----------------------------------------------------------------------------

This just results in unsupported external secret smtp_pwd, because apparently external secrets only work with docker stack.

Docker Compose is targeting raw engine (not swarm mode) so does not support secrets created on swarm. Engine does not support secrets, so compose only can be used with "pseudo-secrets" as bind mounts.
To deploy a compose file to a Swarm cluster, you must use docker stack command.
docker/compose#9139 (comment)

So that leaves you only with the option of

secrets:
  smtp_pwd:
    file: /some/path

which basically isn't any better than using the .env we started out with... Bummer.

[dphildebrandt]

I haven't used secrets with this project because the project does not support it yet (as far as I know).

For now I just used secrets for the needed postgresdb container, and store the rest of the rallly-specific things in its own .env file

[ltguillaume]

I haven't used secrets with this project because the project does not support it yet (as far as I know).

For now I just used secrets for the needed postgresdb container, and store the rest of the rallly-specific things in its own .env file

@dphildebrandt
But do you use files for secrets then? Or do you use docker stack?

[Tasztalos69]

Being able to use file-based secrets with compose would be already a huge improvement, as I like to keep my secrets (e.g. smtp password) in a central place, and make the various services mount that secret inside them.