Docker Compose v3.1 file for Secret Management under Docker 1.13
```yaml
version: "3.1"

services:
  db:
    image: "mysql:latest"
    networks:
      collabnet:
        aliases: ["db"]
    volumes:
      - "db_data:/var/lib/mysql"
    # Both secrets belong in one list; a second "secrets:" key in the same
    # service would be a duplicate mapping key.
    secrets:
      - source: "mysqlpasswd"          # must match a key in the top-level secrets block
        target: "mysqlpassword"        # mounted as /run/secrets/mysqlpassword
        uid: "0"
        gid: "0"
        mode: 0400
      - source: "mysqlrootpasswd"
        target: "mysqlrootpassword"    # mounted as /run/secrets/mysqlrootpassword
        uid: "0"
        gid: "0"
        mode: 0400
    environment:
      MYSQL_ROOT_PASSWORD_FILE: "/run/secrets/mysqlrootpassword"
      MYSQL_PASSWORD_FILE: "/run/secrets/mysqlpassword"
      MYSQL_USER: "wordpress"
      MYSQL_DATABASE: "wordpress"
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.role == worker"
  web:
    image: "wordpress:latest"
    ports:
      - "80:80"
    volumes:
      - "wp-data:/var/www/html"
    networks:
      collabnet:
        aliases: ["web"]
    depends_on:
      - db
    secrets:
      - source: "mysqlpasswd"
        target: "wordpressdbpasswd"    # file name must match WORDPRESS_DB_PASSWORD_FILE
        uid: "0"
        gid: "0"
        mode: 0400
    environment:
      WORDPRESS_DB_USER: "wordpress"
      WORDPRESS_DB_PASSWORD_FILE: "/run/secrets/wordpressdbpasswd"
      WORDPRESS_DB_HOST: "db:3306"     # the database service is reachable as "db" on collabnet
      WORDPRESS_DB_NAME: "wordpress"
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.role == worker"

networks:
  collabnet:
    driver: "overlay"
    internal: true

volumes:
  db_data:
  wp-data:

# One top-level secrets block; each key is what a service refers to as "source".
secrets:
  mysqlpasswd:
    external:
      name: "mysqlpasswd"
  mysqlrootpasswd:
    external:
      name: "mysqlrootpasswd"
```
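A file like this only works when three names line up: each service-level `source` must be a key in the top-level `secrets` block, and each `*_FILE` variable must point at a `target` that the same service actually mounts. The following check is an added example, not part of the original gist; it takes the Compose document as an already parsed dict (what a YAML loader would return), and `lint_secrets` and the sample data are constructed for illustration.

```python
SECRETS_DIR = "/run/secrets/"

def lint_secrets(compose):
    """Return sorted findings for a parsed Compose document (a dict)."""
    declared = set(compose.get("secrets") or {})
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        targets = set()
        for entry in svc.get("secrets") or []:
            # Short syntax is a bare string; long syntax is a mapping.
            if isinstance(entry, str):
                entry = {"source": entry}
            source = entry.get("source")
            target = entry.get("target", source)
            mode = entry.get("mode")
            targets.add(target)
            if source not in declared:
                findings.append(f"{name}: source '{source}' is not declared at top level")
            if isinstance(mode, int) and mode & 0o077:
                findings.append(f"{name}: '{target}' is readable beyond its owner (mode {mode:04o})")
        env = svc.get("environment") or {}
        if isinstance(env, list):  # list form: ["KEY=value", ...]
            env = dict(item.split("=", 1) for item in env if "=" in item)
        for key, value in env.items():
            path = str(value)
            if key.endswith("_FILE") and path.startswith(SECRETS_DIR):
                if path[len(SECRETS_DIR):] not in targets:
                    findings.append(f"{name}: {key} -> {path} has no matching secret target")
    return sorted(findings)

# Constructed sample (not the gist's file) with one defect of each kind.
SAMPLE = {
    "services": {
        "db": {
            "secrets": [{"source": "db_pass", "target": "db_pass", "mode": 0o444}],
            "environment": {"MYSQL_PASSWORD_FILE": "/run/secrets/db_pass"},
        },
        "web": {
            "secrets": [{"source": "db_password", "target": "db_pass", "mode": 0o400}],
            "environment": ["WORDPRESS_DB_PASSWORD_FILE=/run/secrets/wp_pass"],
        },
    },
    "secrets": {"db_pass": {"external": True}},
}

if __name__ == "__main__":
    for finding in lint_secrets(SAMPLE):
        print(finding)
```
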
ksachdev1 commented Apr 14, 2017 edited

Hi Ajeet, very handy read. It worked for me. I however tried something slightly different and that also works. The documentation on this is not very good; can you share your opinion on what I tried below:

I have a question on the documentation and the way the above example is listed. While I understand that everywhere we say to create a separate "secret" block and then, under the service, create the secret block and proceed, I did not create a separate secret block and simply added the following under my service:

(the below - is converted to a bullet due to autoformat)
secrets:

  • source: "nginx_key_ext"
    target: "nginx.key"
  • source: "nginx_crt_ext"
    target: "nginx.crt"

(the secrets: thing is under the service indented inside the service block in my yaml file and there is no separate secret block)
After I did this, since I had already created external secrets with the names "nginx_key_ext" and "nginx_crt_ext", the secrets got mounted with the target names. So why should I go for creating a separate secret block? What am I losing by doing the above? Secondly, if I do the above but remove the quotes, things don't work. Can a good document be shared on this?
