How do you manage docker secrets?
I'm trying to come up with a better way of managing my docker stacks. And I keep running into a wall when it comes to managing secrets. Looking around, there are a few ways being used, but I feel like each of them has some limitations and doesn't fit into my desired workflow.
Issues:
- _FILE env variables are not supported by all images - the majority of containers expect passwords and other sensitive data to be passed as env vars
This is my setup currently:
- I store my docker compose and .env files in a private github repo
- .env files stored in the repo don't include any sensitive values
- portainer is used to deploy my stacks, it pulls the config from the repo
- I override the env vars in portainer UI to add any sensitive values. These changes get persisted in portainer, so even if I pull latest changes from the repo, my overrides will still be applied.
I'm now experimenting with Arcane, and while I'm starting to like it more than portainer, it has one fundamental issue. If I make any changes to the .env file, they get reverted next time I do git sync.
I haven't tried Komodo yet. It looks like it supports secrets, and can substitute placeholders in compose files with the actual values, but it doesn't look like it's using standard docker-compose syntax for it (square brackets around placeholders), which is a blocker for me as I'd like to keep the config generic enough so that it's not tied to any specific tool.
sops and age seem to be something that people are using, but I don't see a way to get it to work with portainer or arcane.
I'm experimenting with a few different approaches. I have my secrets stored in vaultwarden so I can retrieve them with bw cli. I also have an ansible playbook that saves them as files on my docker host.
What I'm looking for is a way of injecting those secrets into .env files while using portainer or arcane.
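One way to do that last step on the docker host itself, as an added example that is not part of the original post: render a plain `.env` from a committed template using the per-secret files the ansible playbook already writes, so the compose file keeps standard `${VAR}` syntax and nothing sensitive lands in the repo. It assumes a hypothetical `@secret:<name>` placeholder convention and a secrets directory with one file per secret.

```shell
#!/usr/bin/env bash
# Render OUTPUT from TEMPLATE, replacing "KEY=@secret:<name>" lines with the
# contents of SECRETS_DIR/<name>. "@secret:" is a placeholder convention
# assumed for this example; the secrets directory layout (one file per
# secret, as an Ansible playbook might write it) is assumed as well.
set -eu

# render_env TEMPLATE SECRETS_DIR OUTPUT
render_env() {
    local template="$1" secrets_dir="$2" output="$3"
    local line key value name secret_file
    umask 077                   # the rendered .env must not be world-readable
    : > "$output"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)            # blank lines and comments are copied as-is
                printf '%s\n' "$line" >> "$output"; continue ;;
            *=*) ;;             # KEY=VALUE assignment, handled below
            *)                  # anything else is passed through unchanged
                printf '%s\n' "$line" >> "$output"; continue ;;
        esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$value" in
            '@secret:'*)
                name="${value#@secret:}"
                secret_file="$secrets_dir/$name"
                if [ ! -f "$secret_file" ]; then
                    # fail closed: never write a .env with an empty secret
                    echo "render_env: missing secret '$name' for $key" >&2
                    return 1
                fi
                # $(cat) drops the trailing newline; the value is otherwise verbatim
                value="$(cat "$secret_file")"
                ;;
        esac
        printf '%s=%s\n' "$key" "$value" >> "$output"
    done < "$template"
}
```

Run it before `docker compose up` (or as a git-sync hook) so the tool only ever sees a fully rendered `.env`, while the template in the repo contains placeholders only.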