| 1 | +<!DOCTYPE html> |
| 2 | +<html lang="en"> |
| 3 | + <head> |
| 4 | + <title>Docker Container Secrets Management</title> |
| 5 | + <meta name="viewport" content="width=device-width"> |
| 6 | + <meta name="description" content="How to store container secrets when using docker containers (or any container for that matter)."> |
| 7 | + </head> |
| 8 | + <h1>Docker Container Secrets Management</h1> |
| 9 | + |
| 10 | + <p>Secrets management is closley related to configuration management. You want to make sure you:</p> |
| 11 | + |
| 12 | + <ul> |
| 13 | + <li>Never hardcode secrets (such as passwords) inside a container image</li> |
| 14 | + <li>Never commit secrets to your git repo in plain text</li> |
| 15 | + </ul> |
| 16 | + |
| 17 | + <p>So where do you put secrets?</p> |
| 18 | + |
| 19 | + <p>The key options are</p> |
| 20 | + |
| 21 | + <ul> |
| 22 | + <ol>A secrets management service</ol> |
| 23 | + <ol>Use a tool to encrypt and store your secrets</ol> |
| 24 | + </ul> |
| 25 | + |
| 26 | + <p>For secrets management for container hosting, we use the <em><a href="https://github.com/fpco/amber">Amber Secrets tool</a></em> |
| 27 | + to manage container secrets.</p> |
| 28 | + |
| 29 | + <p>The nice thing about amber is that you only have 1 secret to manage - called the <em>`AMBER_KEY`</em>, and only that single |
| 30 | + secret gets entered into your CI/CD pipeline tool (e.g. Github Actions, Jenkins , Azure Devops etc).</p> |
| 31 | + |
| 32 | + <p>If you've used these Devops platforms a lot, you'll know how cumbersome it can be enter multiple secrets into the various UIs,<br /> |
| 33 | + secrets management becomes 'clickops' and not automated. By using a programatic tool, you can easily <em>version</em> your secrets, and |
| 34 | + even rotate them with an audit trail of your git history- remember the secrets are encrypted using your `AMBER_KEY`</p> |
| 35 | + |
| 36 | + <h2>Where can I learn more about this?</h2> |
| 37 | + |
| 38 | + <p>Recommended reading is <a href="https://12factor.net/config">The Twelve-Factor App- III. Config page</a> since that<br /> |
| 39 | + goes over much of the topics covered here.</p> |
| 40 | + |
| 41 | + <p>When you <a href="https://container-hosting.anotherwebservice.com/">host a Docker container with content hosting</a>, you get Amber |
| 42 | + setup for you already to manage secrets.</p> |
| 43 | + |
| 44 | + <h2>What are the alternatives?</h2> |
| 45 | + |
| 46 | + <p>There are an overwhelming amount of options for secrets management for docker containers (and remember, that's just a brand name,<br /> |
| 47 | + see <a href="/what-is-container-hosting">what is container hosting?</a>.</p> |
| 48 | + |
| 49 | + <p>Some options include:</p> |
| 50 | + |
| 51 | + <ul> |
| 52 | + <li>Hashicorp Vault- which works very well paired with their other product Consul & consul template. But be prepared for high resource requirements (see their <a href="https://developer.hashicorp.com/vault/tutorials/day-one-raft/raft-reference-architecture#system-requirements">reference architecture</a>) - it's not for small toys</li> |
| 53 | + <li>Ansible vault - Very similar to Amber. You can <a href="https://blog.karmacomputing.co.uk/ansible-password-vault/">use Ansible to encrypt text and entire files</a>. You don't have to use Ansible to use Ansible vault</li> |
| 54 | + </ul> |
| 55 | + |
| 56 | + <p>The key takeaway is to <em>manage</em> secrets and control them carefully- ideally rotate them often. The tools change quite rapidly but the important concepts tend not to as much.</p> |
| 57 | + |
| 58 | +</html> |
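Review bot: the claim in the paragraph beginning "The nice thing about amber is that you only have 1 secret to manage" needs a caveat before it ships, because the single-key model it praises is also the page's main risk: whoever holds that key plus read access to the repo can decrypt every secret, and because git history is immutable, ciphertexts encrypted under a leaked key stay recoverable from old commits even after you rotate the key, so rotating the Amber key must be paired with rotating the underlying credentials it protected. The same paragraph also names the key `AMBER_KEY`; double-check that against the Amber README, since the environment variable the tool reads is, as far as I recall, `AMBER_SECRET`, and a wrong variable name will send readers into a failing CI pipeline. Separately, the "key options" list is invalid HTML: it nests `<ol>` elements directly inside a `<ul>` with no `<li>`, so browsers will render it inconsistently; either `<ol><li>A secrets management service</li><li>Use a tool to encrypt and store your secrets</li></ol>` or an `<li>` list under the existing `<ul>` would fix it. The document also closes `</head>` and goes straight to `<h1>` with no `<body>`/`</body>`, has no `<meta charset="utf-8">`, uses Markdown backticks around `AMBER_KEY` that HTML will print literally (use `<code>`), and leaves the `&` in "Consul & consul template" unescaped. Minor prose fixes while you are in there: "closley" → "closely", "programatic" → "programmatic", "can be enter" → "can be to enter", "an overwhelming amount of options" → "number of options", the parenthesis opened at "(and remember, that's just a brand name" is never closed, and "host a Docker container with content hosting" looks like it should read "container hosting" to match the link target.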