Please provide support for docker secrets as in Build support for Docker Secrets into your images
.
Brief description from the relevant docker page below:
If you develop a container that can be deployed as a service and requires sensitive data, such as a credential, as an environment variable, consider adapting your image to take advantage of Docker secrets. One way to do this is to ensure that each parameter you pass to the image when creating the container can also be read from a file.
Many of the official images in the Docker library, such as the wordpress image used in the above examples, have been updated in this way.
When you start a WordPress container, you provide it with the parameters it needs by setting them as environment variables. The WordPress image has been updated so that the environment variables which contain important data for WordPress, such as WORDPRESS_DB_PASSWORD, also have variants which can read their values from a file (WORDPRESS_DB_PASSWORD_FILE). This strategy ensures that backward compatibility is preserved, while allowing your container to read the information from a Docker-managed secret instead of being passed directly.
By gazing through the entrypoint, it looks like we only need to deal with RABBITMQ_DEFAULT_PASS env var - SSL certs are just paths to files, so docker secrets can be used here without changes.
Give me some minutes :)
Great news!
Would it be too much to suggest including RABBITMQ_DEFAULT_USER_FILE as well, as providing support for the full credential pair? The image for Postgres, for instance, does that, among others I have been using.
Thanks for the reply.
I was avoiding that for no good reason - I thought the username was not sensitive enough to make it to the docker secret vault.
But it's fair enough to include that one on the list.
really looking forward for this change. this will solve several problems for us. is anything blocking the PR?
Thanks for the changes. I appreciate it.
Closing given that https://github.com/docker-library/rabbitmq/pull/143 merged. :+1:
I wonder if there is an example somewhere on how this could be done. You know, "show me the code". Thanks a lot (if not, I'll figure out and post here)!
@gkirill Since by "secrets" we're referring to a deployment to a Docker Swarm cluster, here it is a deployment docker compose file example I use on an actual project:
version: '3.1'
volumes:
# TODO: AS the Docker team helps regarding the file ownership on files created inside a
# cloudstor:azure volume... only the we can use the cloudstor:azure driver...
data:
networks:
network: # This will actually create the 'app_mq_network' in the swarm cluster
secrets:
app_rabbitmq_pass:
external: true
services:
rabbitmq:
image: rabbitmq:3.6-alpine
volumes:
- data:/var/lib/rabbitmq
ports:
- 5672:5672
networks:
- network
environment:
RABBITMQ_DEFAULT_USER: app
RABBITMQ_DEFAULT_PASS_FILE: /run/secrets/app_rabbitmq_pass
deploy:
replicas: 1
restart_policy:
condition: on-failure
placement:
constraints:
- node.labels.queue-host == true
secrets:
- app_rabbitmq_pass
This stack is deployed like this:
# Create the password for production environment:
echo "$(pwgen -n 16 1)" | docker secret create app_rabbitmq_pass -
# Deploy the AMQP service on the production environment:
docker stack deploy --compose-file stack.yml app_mq
Most helpful comment
@gkirill Since by "secrets" we're referring to a deployment to a Docker Swarm cluster, here it is a deployment docker compose file example I use on an actual project:
This stack is deployed like this: