Make secrets available as uppercase environment variables for seamless integration in Docker containers. Optimized for S6 supervised environment.
This is designed and optimized for use with S6 Overlay (see: https://github.com/N0rthernL1ghts/s6-rootfs). To use it with other init systems, see the "To utilize secrets with other init systems" section.
COPY --from=ghcr.io/n0rthernl1ghts/docker-env-secrets:latest ["/", "/"]
# ---------------------
# Build root filesystem
# ---------------------
FROM scratch AS rootfs
# Copy over base files
COPY ["./rootfs", "/"]
# Install S6 Overlay
COPY --from=ghcr.io/n0rthernl1ghts/s6-rootfs:3.2.0.2 ["/", "/"]
# Install init-docker-secrets service
COPY --from=ghcr.io/n0rthernl1ghts/docker-env-secrets:latest ["/", "/"]
# ---------------------
# Build image
# ---------------------
FROM alpine:latest
COPY --from=rootfs ["/", "/"]
...
...
If you use S6 Overlay, then you're ready to go. You just need to use this shebang in your script.
#!/command/with-contenv bash
your-service --your-flags
Alternatively, you can use s6-envdir or a similar tool.
s6-envdir /run/secrets_normalized your-service --your-flags
Note: Due to the behaviour of with-contenv, the environment variable S6_KEEP_ENV must be set to 0. Otherwise, secrets will not be loaded into the environment. If this is not desirable, see the "To utilize secrets with other init systems" section for alternative loading methods. In short, using source /usr/local/lib/load-env /run/s6/container_environment should be sufficient.
For this to work, you need to make all your core services dependent on the init-docker-secrets service.
If you want to use it with other init systems, use this version of the Dockerfile:
# ---------------------
# Build root filesystem
# Note that we use busybox as base image and use /rootfs as rootfs build directory
# Busybox is used only for building rootfs, and is not used in the final image
# ---------------------
FROM busybox AS rootfs
# Copy over base files
COPY ["./rootfs", "/rootfs/"]
# Install init-docker-secrets service
COPY --from=ghcr.io/n0rthernl1ghts/docker-env-secrets:latest ["/", "/rootfs/"]
# Remove S6 Overlay specific files
RUN set -eux \
&& rm -rfv "/rootfs/etc/s6-overlay/"
# Or this to remove only init-docker-secrets files (note the line continuations)
# RUN set -eux \
# && rm -rfv "/rootfs/etc/s6-overlay/s6-rc.d/init-docker-secrets" \
# && rm -rfv "/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/init-docker-secrets"
# ---------------------
# Build image
# ---------------------
FROM alpine:latest
COPY --from=rootfs ["/rootfs/", "/"]
ENV NORMALIZED_SECRETS_PATH=/run/secrets_normalized
...
...
Also, check the init-docker-secrets-run.sh and load-env.sh scripts to understand how things work.
It should be as easy to adapt by setting the NORMALIZED_SECRETS_PATH environment variable to the directory where normalized secrets are to be stored.
Example:
# If not set in Dockerfile use: export NORMALIZED_SECRETS_PATH=/run/secrets_normalized
/usr/local/bin/init-docker-secrets
Then, before starting the service, you just need to load each secret file into the environment. To do this, you can use the bundled 'load-env' script.
source /usr/local/lib/load-env /run/secrets_normalized
your-service --your-flags
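As an added example (not the project's own init-docker-secrets-run.sh or load-env.sh), the script below performs the same two steps end to end: it copies each file from a secrets directory into NORMALIZED_SECRETS_PATH under an uppercase, shell-safe name, keeping the copies owner-readable only, and then exports each normalized file as an environment variable. The SECRETS_DIR variable, the temporary directories and the two sample secret files are constructed for the demo and are not part of the project.

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts: normalize secret file names
# into env var names, then load them into the environment.
set -eu

# Hypothetical locations for the demo; a real container would use
# /run/secrets and /run/secrets_normalized.
SECRETS_DIR="${SECRETS_DIR:-$(mktemp -d)/secrets}"
NORMALIZED_SECRETS_PATH="${NORMALIZED_SECRETS_PATH:-$(mktemp -d)/secrets_normalized}"

# Map a secret file name to an env var name: uppercase, and any character
# outside [A-Z0-9_] becomes an underscore (db-password -> DB_PASSWORD).
normalize_name() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/[^A-Z0-9_]/_/g'
}

# Copy every secret into NORMALIZED_SECRETS_PATH under its env var name.
# The directory and files stay readable by the owner only, so the
# normalized copies are no more exposed than the originals.
init_secrets() {
    mkdir -p "$NORMALIZED_SECRETS_PATH"
    chmod 700 "$NORMALIZED_SECRETS_PATH"
    for f in "$SECRETS_DIR"/*; do
        [ -f "$f" ] || continue
        name="$(normalize_name "$(basename "$f")")"
        # A name starting with a digit is not a valid variable name; skip it.
        case "$name" in [0-9]*|'') echo "skipping $f: invalid name" >&2; continue;; esac
        install -m 0600 "$f" "$NORMALIZED_SECRETS_PATH/$name"
    done
}

# Export each normalized file as VAR=<file content>. Command substitution
# strips trailing newlines, which secret files commonly carry.
load_env() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        export "$(basename "$f")=$(cat "$f")"
    done
}

# Constructed sample secrets for the demo (not real credentials).
mkdir -p "$SECRETS_DIR"
printf 'hunter2\n' > "$SECRETS_DIR/db-password"
printf 'token123' > "$SECRETS_DIR/api.token"
init_secrets
load_env "$NORMALIZED_SECRETS_PATH"
```

After the script runs, DB_PASSWORD and API_TOKEN are set in the current shell, which is the state your-service expects when started after source /usr/local/lib/load-env.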
This project is licensed under the MIT License - see the LICENSE file for details.