Docker Compose v3.1 file for Secret Management under Docker 1.13
version: "3.1"
services:
  db:
    image: "mysql:latest"
    networks:
      collabnet:
        aliases: ["db"]
    volumes:
      - "db_data:/var/lib/mysql"
    # One secrets list per service; each source must match a top-level secrets key.
    secrets:
      - source: "mysqlpasswd"
        target: "mysqlpassword"
        uid: "0"
        gid: "0"
        mode: 0400
      - source: "mysqlrootpasswd"
        target: "mysqlrootpassword"
        uid: "0"
        gid: "0"
        mode: 0400
    environment:
      # Each *_FILE path is /run/secrets/<target> of a secret listed above.
      MYSQL_ROOT_PASSWORD_FILE: "/run/secrets/mysqlrootpassword"
      MYSQL_PASSWORD_FILE: "/run/secrets/mysqlpassword"
      MYSQL_USER: "wordpress"
      MYSQL_DATABASE: "wordpress"
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.role == worker"
  web:
    image: "wordpress:latest"
    ports:
      - "80:80"
    volumes:
      - "wp-data:/var/www/html"
    networks:
      collabnet:
        aliases: ["web"]
    # depends_on is ignored by "docker stack deploy" with a version 3 file.
    depends_on:
      - db
    secrets:
      - source: "mysqlpasswd"
        target: "mysqlpassword"
        uid: "0"
        gid: "0"
        mode: 0400
    environment:
      WORDPRESS_DB_USER: "wordpress"
      # Must point at the target mounted above.
      WORDPRESS_DB_PASSWORD_FILE: "/run/secrets/mysqlpassword"
      # The database service is reachable as "db" on collabnet.
      WORDPRESS_DB_HOST: "db:3306"
      WORDPRESS_DB_NAME: "wordpress"
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.role == worker"
networks:
  collabnet:
    driver: "overlay"
    internal: true
volumes:
  db_data:
  wp-data:
# A single top-level secrets block; both secrets are created outside this file.
secrets:
  mysqlpasswd:
    external:
      name: "mysqlpasswd"
  mysqlrootpasswd:
    external:
      name: "mysqlrootpasswd"
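
A stack file like this does not work when a service's secret `source` has no matching top-level `secrets` key, or when a `*_FILE` variable names a path that no secret is mounted to. The following checker is an added example, not part of the gist: it takes the mapping that a YAML loader such as `yaml.safe_load` would return (an assumption), and the function name and the sample stack with its secret names are constructed for illustration.

```python
import posixpath

SECRETS_DIR = "/run/secrets"  # default mount point for secrets in Linux containers

def check_secret_wiring(compose):
    """Return a list of findings for a parsed compose mapping."""
    findings = []
    defined = set(compose.get("secrets") or {})
    for name, svc in (compose.get("services") or {}).items():
        targets = set()
        for entry in svc.get("secrets") or []:
            # Short syntax is a bare string; long syntax is a mapping.
            if isinstance(entry, str):
                entry = {"source": entry}
            source = entry["source"]
            target = entry.get("target", source)
            targets.add(posixpath.join(SECRETS_DIR, target))
            if source not in defined:
                findings.append(f"{name}: secret source '{source}' has no top-level definition")
            mode = entry.get("mode", 0o444)  # 0444 is the documented default
            if mode & 0o077:
                findings.append(f"{name}: secret '{target}' mode {mode:04o} is readable beyond its owner")
        env = svc.get("environment") or {}
        if isinstance(env, list):  # list form: ["KEY=value", ...]
            env = dict(item.split("=", 1) for item in env if "=" in item)
        for key, value in env.items():
            if key.endswith("_FILE") and str(value).startswith(SECRETS_DIR + "/") and value not in targets:
                findings.append(f"{name}: {key} points at {value}, which no secret is mounted to")
    return findings

SAMPLE = {  # constructed sample: a small parsed stack file with three wiring mistakes
    "services": {
        "db": {
            "secrets": [{"source": "db_root_pw", "target": "db_root_pw", "mode": 0o400}],
            "environment": {"MYSQL_ROOT_PASSWORD_FILE": "/run/secrets/db_root_pw"},
        },
        "web": {
            "secrets": [{"source": "db_password", "target": "db_password", "mode": 0o440}],
            "environment": {"WORDPRESS_DB_PASSWORD_FILE": "/run/secrets/wp_db_pw"},
        },
    },
    "secrets": {"db_root_pw": {"external": True}, "db_pasword": {"external": True}},
}

if __name__ == "__main__":
    for finding in check_secret_wiring(SAMPLE):
        print(finding)
```

Duplicate mapping keys, such as two `secrets:` blocks at the same level, are collapsed by most YAML loaders before a check like this runs, so they need a separate lint on the raw file.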

ksachdev1 commented Apr 14, 2017

Hi Ajeet, very handy read. It worked for me. However, I tried something slightly different and that also works. The documentation on this is not very good; can you share your opinion on what I tried below:

I have a question on the documentation and the way the above example is listed. While I understand that everywhere we say to create a separate "secret" block and then, under the service, create the secret block and proceed, I did not create a separate secret block and simply added the following under my service:

(the below - is converted to a bullet due to autoformat)
secrets:

  • source: "nginx_key_ext"
    target: "nginx.key"
  • source: "nginx_crt_ext"
    target: "nginx.crt"

(the secrets: thing is under the service indented inside the service block in my yaml file and there is no separate secret block)
After I did this, since I had already created external secrets with the names "nginx_key_ext" and "nginx_crt_ext", the secrets got mounted with the target names. So why should I go for creating a separate secret block? What am I losing by doing the above? Secondly, if I do the above but remove the quotes, things don't work. Can a good document be shared on this?

franz-josef-kaiser commented Jul 12, 2017

Your top level key mysqlrootpaswd has a typo, a missing s.

N02870941 commented Jan 23, 2018

very useful, thanks