Protect Sensitive Data in Docker
Developing authentication code for open source repositories can be a scary task; you're scared that hackers can find loopholes in your code but you're also petrified of accidentally committing sensitive credentials to a public repository. I've seen unintentional credential commits happen and the panic that ensues throughout an organization will make your eyes water.
The standard for providing sensitive credentials in a production environment is using environment variables. Docker, via docker-compose.yml, easily allows developers to introduce environment variables and values, but you don't want to commit those to a repo, so the answer is creating a docker-compose.override.yml file on your local machine which contains the sensitive information:
version: '2'
services:
  myservice:
    environment:
      - KEY=Value
      - CLIENT_ID=ljlxjlkfj3298749sd98xzuv9z8x
      - CLIENT_SECRET=32xlkjwe9sd9x8jx9we8sd9sdad
      - SITE_DOMAIN=davidwalsh.local
The information in docker-compose.override.yml is added to (or overrides) the directives in docker-compose.yml. Since git and mercurial will allow you to commit docker-compose.override.yml files, the other important step is adding your docker-compose.override.yml file to your .gitignore and .hgignore files, preventing the file from being seen by the two version control tools.
This is a simple idea but it's important to implement this technique as soon as possible. Security is of the utmost importance, especially when your repository is public, and casually adding sensitive API data while developing will lead to problems.
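One way to confirm the ignore step actually took effect, as an added example that is not part of the original post: an ignore rule does nothing for a file that is already tracked, and a file that was committed once stays in history. The function name `check_override` and its verdict strings are assumptions made for this sketch, and it covers git only, not mercurial.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the override
# file can still reach a commit. check_override and its verdict strings
# are hypothetical names chosen for this illustration.
# Usage: check_override [repo_dir] [file]; returns 0 only when the file is safe.
check_override() {
    repo=${1:-.}
    file=${2:-docker-compose.override.yml}

    if ! git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "not-a-repo"; return 4
    fi
    # Already in the index: .gitignore is not consulted for tracked files.
    if git -C "$repo" ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
        echo "tracked"; return 3
    fi
    # Committed at some point on any ref: the values are still in history,
    # so the credentials need rotating even if the file is ignored now.
    if [ -n "$(git -C "$repo" rev-list --all -- "$file" 2>/dev/null)" ]; then
        echo "in-history"; return 2
    fi
    # check-ignore exits 0 when an ignore rule matches the path.
    if git -C "$repo" check-ignore -q -- "$file"; then
        echo "ignored"; return 0
    fi
    echo "not-ignored"; return 1
}
```

Calling `check_override` from a pre-commit hook or a CI step and failing on a non-zero return catches the case where the override file was added before the ignore rule existed.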
Hey, good trick. Another way of doing it is by using a .env file, supported since Docker Compose 1.7.0:
The use of .env files is quite widespread so should be familiar to a lot of people.