Docker Config and Secret Update Tool

This utility updates configs and secrets in Docker from local source files. Each config and secret is versioned, and the version number is appended to its name in Docker. An environment variable file is updated with the latest version number of each config and secret; source this file before deploying a stack so the stack references the latest versions.

The .docker-deploy file

This file contains the following lines:

An example file could look like:

CONFIG_LIST="app demo"
SECRET_LIST="app passwd"
CONF_app_SRC_FILE="app.conf"
CONF_app_TGT_NAME="app-"
CONF_app_TGT_VAR="app_conf_ver"
CONF_demo_SRC_TYPE=latest
CONF_demo_TGT_NAME="demo-"
CONF_demo_TGT_VAR="demo_conf_ver"
SEC_app_SRC_FILE="app.sec"
SEC_app_TGT_NAME="app-"
SEC_app_TGT_VAR="app_sec_ver"
SEC_passwd_SRC_TYPE=random
SEC_passwd_TGT_NAME="passwd-"
SEC_passwd_TGT_VAR="passwd_ver"

The .env file

This file contains one line per config and secret, assigning the latest version number to the variable named by CONF_name_TGT_VAR or SEC_name_TGT_VAR in the .docker-deploy file (where name is an entry from CONFIG_LIST or SECRET_LIST).

Using with a compose file

Your compose file needs to define the configs and secrets as external. With version 3.5 of the compose file format, external configs and secrets are given a name using the following syntax:

version: '3.5'

configs:
  app_conf:
    external: true
    # must match CONF_app_TGT_NAME from .docker-deploy with the version appended, e.g. app-3
    name: app-${app_conf_ver}
secrets:
  app_sec:
    external: true
    # must match SEC_app_TGT_NAME from .docker-deploy with the version appended
    name: app-${app_sec_ver}
services:
  app:
    image: app_image
    configs:
      - source: app_conf
        target: /etc/app.conf
        mode: 0444   # octal; a bare 444 is read as decimal and gives the wrong permissions
    secrets:
      - source: app_sec
        target: /etc/app.sec
        mode: 0400
        uid: "0"

When deploying the stack, you'll want to run:

# update the .env file with this script
docker-config-update
# source and export the .env file
set -a && . ./.env && set +a
# deploy the stack with the variables
docker stack deploy -c docker-compose.yml app
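A pre-deploy check that complements the sequence above, written for this page as an added example and not part of docker-config-update: it collects every `${VAR}` the compose file references and confirms each has a non-empty value in the .env file. If a version variable is unset, `docker stack deploy` expands it to an empty string and the stack references a config or secret name with no version. The compose and .env contents in the demo functions are constructed for the example, reusing the names from the README.

```shell
#!/bin/sh
# Added example, not part of docker-config-update: a pre-deploy check that every
# ${VAR} referenced in the compose file has a non-empty value in the .env file.

# compose_vars COMPOSE_FILE: distinct variable names referenced as ${name}
compose_vars() {
    grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$1" | sed 's/^\${//; s/}$//' | sort -u
}

# check_env_vars COMPOSE_FILE ENV_FILE: returns 0 when every variable the compose
# file references has a non-empty value in ENV_FILE, 1 otherwise; missing names
# are reported on stderr.
check_env_vars() {
    missing=0
    for v in $(compose_vars "$1"); do
        # last assignment of v in the env file, surrounding double quotes removed
        val=$(sed -n "s/^${v}=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/')
        if [ -z "$val" ]; then
            echo "not set in $2: $v" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed inputs for the demo, using the names from the README's example.
sample_compose() {
    cat <<'EOF'
configs:
  app_conf:
    external: true
    name: app-${app_conf_ver}
secrets:
  app_sec:
    external: true
    name: app-${app_sec_ver}
EOF
}
sample_env_ok()  { printf 'app_conf_ver=3\napp_sec_ver="2"\n'; }
sample_env_bad() { printf 'app_conf_ver=3\n'; }   # app_sec_ver is missing

# run_demo: returns 0 when the complete .env passes and the incomplete one fails
run_demo() {
    dir=$(mktemp -d)
    sample_compose > "$dir/docker-compose.yml"
    sample_env_ok  > "$dir/ok.env"
    sample_env_bad > "$dir/bad.env"
    rc=1
    if check_env_vars "$dir/docker-compose.yml" "$dir/ok.env"; then
        if ! check_env_vars "$dir/docker-compose.yml" "$dir/bad.env" 2>/dev/null; then
            rc=0
        fi
    fi
    rm -rf "$dir"
    return "$rc"
}
```

In a deploy script the check would run between sourcing the .env file and `docker stack deploy`, as `check_env_vars docker-compose.yml .env || exit 1`, so a missing version variable stops the deploy instead of producing a stack that references a name with no version.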

Random secrets

Each random secret is a 32-character string created with:

base64 -w 0 </dev/urandom | head -c 32

This entry is only created, at version 1, when no version of the secret exists yet. Otherwise the latest existing version of the secret is recorded in the environment file.
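The following is an added example, not the tool's own code, illustrating two points from this page together: how the .env file is derived from the versioned names (the version is the numeric suffix appended to TGT_NAME, and the .env file records the latest one per TGT_VAR), and the random-secret rule above (create version 1 only when no version exists, otherwise keep the latest). The names returned by `existing_names` are constructed so the example runs without a Docker daemon; in a real run that function would be `docker config ls --format '{{.Name}}'` or `docker secret ls --format '{{.Name}}'`.

```shell
#!/bin/sh
# Added example, not docker-config-update's own code: versioned names -> .env file,
# plus the create-or-keep rule for SRC_TYPE=random secrets.

# existing_names KIND: names currently in the swarm for KIND (config|secret).
# Real deployments would use `docker "$KIND" ls --format '{{.Name}}'`; these lists
# are constructed for the example.
existing_names() {
    case "$1" in
        config) printf '%s\n' app-1 app-2 app-10 demo-1 ;;
        secret) printf '%s\n' app-3 ;;
    esac
}

# latest_version KIND PREFIX: highest numeric version among PREFIX<n>, or 0 if none.
# Numeric sort matters: a lexical sort would rank app-2 above app-10.
latest_version() {
    prefix=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape '.' for the regex
    v=$(existing_names "$1" | sed -n "s/^${prefix}\([0-9][0-9]*\)$/\1/p" | sort -n | tail -n 1)
    echo "${v:-0}"
}

# random_secret_action PREFIX: "create 1" when no version exists, else "keep <latest>"
random_secret_action() {
    cur=$(latest_version secret "$1")
    if [ "$cur" -eq 0 ]; then echo "create 1"; else echo "keep $cur"; fi
}

# random_value: 32 base64 characters of random data, the same distribution as the
# README's `base64 -w 0 </dev/urandom | head -c 32` (32 base64 characters encode
# exactly 24 bytes), written without the GNU-only -w flag.
random_value() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# write_env FILE: the .env content for the README's example .docker-deploy
write_env() {
    {
        echo "app_conf_ver=$(latest_version config app-)"
        echo "demo_conf_ver=$(latest_version config demo-)"
        echo "app_sec_ver=$(latest_version secret app-)"
        echo "passwd_ver=$(random_secret_action passwd- | cut -d' ' -f2)"
    } > "$1"
}
```

With the constructed lists, `write_env .env` produces `app_conf_ver=10`, `demo_conf_ver=1`, `app_sec_ver=3` and `passwd_ver=1`; the passwd secret is the one that would be created, since no `passwd-<n>` secret exists yet.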

Running from Docker Image

The tool is also packaged as a Docker image and can be run with the following on Linux hosts:

$ docker container run --rm -it \
  -u "$(id -u):$(id -g)" --group-add "$(stat -c "%g" /var/run/docker.sock)" \
  -v "/var/run/docker.sock:/var/run/docker.sock" \
  -v "$(pwd):$(pwd)" -w "$(pwd)" \
  sudobmitch/docker-config-update $args

License

This script is released under the MIT license.