I’ve migrated off of Portainer to standard docker compose recently so that I can script some major tasks like updating all the containers or restarting all of them. I also liked the idea of being able to put the compose files into a git repo and push it up so that they are automatically backed up. I hope to be able to turn this into more of infrastructure as code implementation where I can edit the repo and have it auto push to my server and redeploy. That’s a bit further down the line though.
That said, with the compose files living in their remote, they currently still have their secrets on them, either in a corresponding .env file or in the compose file itself. I really don’t like this since if someone ever gains access to the repo they have all my services’ secrets. What is the best way to use a git repo for compose files while not exposing a bunch of secrets potentially?
I know podman supports secrets, though I guess I’d have to manually ssh into the server to create them in the session. Currently these services are all through docker however.
I add .env to my .gitignore, then I can safely put secrets in my .env. If you have a big .env file, make a sample.env with the secrets removed.
Ansible vault
Some random suggestions - it really depends on your deployment strategy and available infrastructure
- you can set secrets in portainer if you’re using docker swarm
https://docs.portainer.io/user/docker/secrets
- you can provide secrets to docker (unsure about portainer) on the command line when building
https://docs.docker.com/engine/reference/commandline/buildx_build/#secret
- Ive not used github actions but azure devops supports secret variables in libraries which can then be deployed via a pipeline without revealing any secrets, this appears similar on gh
https://docs.github.com/en/actions/security-guides/encrypted-secrets
- azure key vault and similar can store secrets which code then accesses, although you still then need to authenticate with the vault
