[Discussion] Support Docker Secrets
I recently discovered that passing secrets to Docker containers via environment variables is discouraged, and that is the reason Docker does not support off the shelf mounting secrets into env variables:
Developers often rely on environment variables to store sensitive data, which is okay for some scenarios but not recommended for Docker containers. Environment variables are even less secure than files. They are vulnerable in more ways, such as:
- Linked containers
- The docker inspect command
- Child processes
- Event log files
(https://snyk.io/blog/keeping-docker-secrets-secure/)
I've been using a utility I made for a while in my Django projects to easily get Docker secrets with fallback to the environment, and even supporting custom environ objects:
https://gist.github.com/sergioisidoro/7972229bb5826c25f12e7a406f11e7cd
I'm wondering if you would be willing to accept a PR which uses this wrapper for most sensitive stuff (Django secret key, DB password, etc.).
Thanks for starting this discussion. Is there some kind of standardized approach that we can fall back on? Perhaps some well-known library we could use? While your utility looks good and makes sense, it would be nice if there was a standardized approach used elsewhere in the ecosystem that we could lean on.
Oh, thanks for pointing me in this direction. After researching the available solutions, it seems that django-environ now supports Docker-style secrets, added since I made my little wrapper:
https://django-environ.readthedocs.io/en/latest/tips.html?highlight=docker#docker-style-file-based-variables
Would you be open to using django-environ? It's a bit opinionated, though, and might require a bit of a larger refactoring, but it's a good tool.
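As an added example (not the code from the gist above and not django-environ's own implementation), here is the lookup order both posts describe in one small helper: a Docker secret file under /run/secrets first, then the docker-style `<NAME>_FILE` indirection, then the plain environment variable, with a custom mapping accepted in place of os.environ. The `demo()` function and the secret values it writes are constructed for illustration only.

```python
import os
import tempfile
from pathlib import Path
from typing import Mapping, Optional

# Where Docker Swarm / Compose mount file-based secrets inside the container (tmpfs).
DEFAULT_SECRETS_DIR = Path("/run/secrets")


def get_secret(name: str, default: Optional[str] = None,
               environ: Optional[Mapping[str, str]] = None,
               secrets_dir: Path = DEFAULT_SECRETS_DIR) -> Optional[str]:
    """Resolve `name`, preferring file-based secrets over plain env vars.

    Lookup order:
      1. <secrets_dir>/<name>        Docker secret mounted as a file
      2. file named by <NAME>_FILE   docker-style *_FILE convention
      3. <NAME> in `environ`         plain env var (visible to `docker inspect`,
                                     child processes and linked containers)
      4. `default`
    A trailing newline, which `echo` and most editors append to secret files,
    is stripped so it does not end up inside the password.
    """
    env = os.environ if environ is None else environ
    candidates = [secrets_dir / name]
    file_var = env.get(f"{name}_FILE")
    if file_var:
        candidates.append(Path(file_var))
    for path in candidates:
        if path.is_file():
            return path.read_text(encoding="utf-8").rstrip("\r\n")
    return env.get(name, default)


def require_secret(name: str, **kwargs) -> str:
    """Like get_secret, but fail at startup instead of running with an empty secret."""
    value = get_secret(name, **kwargs)
    if not value:
        raise RuntimeError(f"secret {name!r} not found in secrets dir, *_FILE or environment")
    return value


def demo() -> dict:
    """Constructed example: a temp dir stands in for /run/secrets."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "DB_PASSWORD").write_text("s3cret\n")          # mounted Docker secret
    (tmp / "django_key.txt").write_text("file-based-key")  # target of SECRET_KEY_FILE
    env = {"DB_PASSWORD": "from-env", "SECRET_KEY_FILE": str(tmp / "django_key.txt"),
           "API_TOKEN": "env-only-token"}
    return {
        "db": get_secret("DB_PASSWORD", environ=env, secrets_dir=tmp),
        "key": get_secret("SECRET_KEY", environ=env, secrets_dir=tmp),
        "token": get_secret("API_TOKEN", environ=env, secrets_dir=tmp),
        "missing": get_secret("MISSING", default="fallback", environ=env, secrets_dir=tmp),
    }
```

In Django settings this reads as `SECRET_KEY = require_secret("DJANGO_SECRET_KEY")`, so a container started without the secret file or variable fails immediately rather than running with a guessable default.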