Update: I'm using this strategy, at the moment: https://github.com/jamiejackson/docker-secret-hash
This is a helper script for updating a secret in a running service. It does cause the service containers to restart (there's no avoiding that), but it does so as elegantly/conveniently as I know how.
See the motivation for this script, as well as alternatives, here.
Caveat:
- Secret names with a length approaching 64 characters might exhibit weird behavior, as this relies on a version token being tacked onto the secret name. Since the secret name is truncated to 64 characters, a long name might result in a smaller (or nonexistent) version token, leading to uniqueness problems and unexpected behavior.
- This won't update a shared secret across multiple services. Maybe in the future, the `stack` option will be made optional and it will affect all relevant services. (Update: This script seems to address this, though I haven't tried it: https://gist.github.com/MLescaudron/e8248d32d3a5b8caaf622c1a829cf067 )
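The first caveat above, as an added example that is not taken from the docker-secret-hash script: appending a version token and then truncating to 64 characters makes two versions of a long-named secret collide, while reserving room for the token keeps them distinct. The function names, the 12-character token length and the use of SHA-256 over the secret value are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration; names and token scheme are hypothetical, not the script's own.
MAX_NAME_LEN=64   # name length limit described in the caveat
TOKEN_LEN=12      # assumption: hex digits of the SHA-256 kept as version token

# Hash the secret value into a fixed-length version token.
version_token() {
  printf '%s' "$1" | sha256sum | cut -c1-"$TOKEN_LEN"
}

# Failure mode: append the token, then truncate the result to 64 characters.
# For a long base name the token is cut off and every version gets the same name.
naive_secret_name() (
  printf '%s-%s\n' "$1" "$(version_token "$2")" | cut -c1-"$MAX_NAME_LEN"
)

# Safer: shorten the base name first so the whole token always fits.
versioned_secret_name() (
  keep=$(( MAX_NAME_LEN - TOKEN_LEN - 1 ))   # 1 for the '-' separator
  base=$(printf '%s\n' "$1" | cut -c1-"$keep")
  printf '%s-%s\n' "$base" "$(version_token "$2")"
)

# Constructed sample input: a 70-character base name and two secret values.
long_base=$(printf '%070d' 0 | tr 0 x)
echo "naive v1: $(naive_secret_name "$long_base" 'value-one')"
echo "naive v2: $(naive_secret_name "$long_base" 'value-two')"
echo "safe  v1: $(versioned_secret_name "$long_base" 'value-one')"
echo "safe  v2: $(versioned_secret_name "$long_base" 'value-two')"
```

Shortening the base name has its own limit: two different secrets whose names share the first 51 characters and whose values are identical would still map to the same name, so keeping base names well under the limit remains the simplest fix.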
Thanks for this, found it really useful. Replaced `secret` with `config` and that did me for updating config values, too!