2017 © Pedro Peláez
 

library docker-secrets-provider

Pimple Docker Secrets ServiceProvider


glen/docker-secrets-provider


  • Tuesday, April 10, 2018
  • by glen
  • Repository
  • 0 Watchers
  • 0 Stars
  • 80 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 0 Forks
  • 0 Open issues
  • 4 Versions
  • 0 % Grown

The README.md

DockerSecretsProvider

DockerSecretsProvider is a Pimple service provider for managing sensitive data with Docker secrets, mostly useful for Silex-based applications.

Docker 1.13 provides secrets in swarm mode.

You can use secrets to manage any sensitive data which a Docker container needs at runtime but you don't want to store in the image or in source control, such as:

  • Usernames and passwords
  • TLS certificates and keys
  • SSH keys
  • Other important data such as the name of a database or internal server
  • Generic strings or binary content (up to 500 kb in size)

Usage

Create the secret using the docker CLI:

echo -n "This is a secret" | docker secret create my_secret_data -

Note the -n parameter with echo; this is necessary to suppress the trailing newline character. If you don't do this, your value is not correctly encoded.

Mount it into the container. This example is for docker-compose or docker stack deploy:

version: "3.1"

services:
  app:
    # ...
    secrets:
      - my_secret_data
# ...
secrets:
  my_secret_data:
    external: true

In development mode, you may use the file: directive to use secrets without swarm:

secrets:
  my_secret_data:
    # for local development, use from local file
    file: my_secret_data.secret

Require the library:

composer require glen/docker-secrets-provider

Map the secret in the Pimple container:

$app->register(new DockerSecretsProvider(array(
   'my_secret_data' => 'my.secret',
)));

This would make $app['my.secret'] read as "This is a secret".

In case of a nested structure ($app['option']['key']), the value can be a callback, which allows assigning the value to sub-keys.

Here's an example using saxulum/saxulum-doctrine-mongodb-odm-provider:

$this->register(new DockerSecretsProvider(array(
    'mongodb' => function ($secretReader, $app) {
        // make a copy for later assignment
        $options = $app['mongodb.options'];

        // wrap in a function so the secret is not loaded into memory before it is needed
        $app['mongodb.options'] = function () use ($secretReader, $options, $app) {
            $options['options']['password'] = $secretReader();

            return $options;
        };
    },
)));

To avoid the "Indirect modification of overloaded element" notice, the value needs to be copied, modified, and assigned again:

// yields "Indirect modification of overloaded element" notice:
$app['mongodb.options']['options']['password'] = 'secret';

// workaround for above problem:
$options = $app['mongodb.options'];
$options['options']['password'] = 'secret';
$app['mongodb.options'] = $options;
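
The lazy read used in the callback example and the echo -n note from the Usage section, shown together as an added example that is not the library's own code. The function names lazySecretReader and hasTrailingNewline, the secret-name check, and the temporary directory standing in for /run/secrets (where Docker mounts secrets in Linux containers) are assumptions made for illustration.

```php
<?php
// Added example; hypothetical helper names, not part of glen/docker-secrets-provider.

/** Return a closure that reads the secret file only when it is called. */
function lazySecretReader(string $name, string $dir = '/run/secrets'): Closure
{
    // Assumed conservative name check: rejects "/", "..", and empty names,
    // so the path cannot leave the secrets directory.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/', $name)) {
        throw new InvalidArgumentException('Invalid secret name');
    }
    $path = $dir . '/' . $name;

    return function () use ($path, $name): string {
        $value = is_file($path) ? file_get_contents($path) : false;
        if ($value === false) {
            // Fail closed: never fall back to an empty or default credential.
            throw new RuntimeException("Secret '$name' is not mounted");
        }
        // Returned byte-for-byte: a newline stored by plain `echo` stays in the value.
        return $value;
    };
}

/** True when the stored value ends in a line break (created without `echo -n`). */
function hasTrailingNewline(string $value): bool
{
    return $value !== '' && substr($value, -1) === "\n";
}

// Constructed sample data: a temp directory standing in for /run/secrets.
$dir = sys_get_temp_dir() . '/secrets-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/good", "This is a secret");   // like `echo -n "..."`
file_put_contents("$dir/bad", "This is a secret\n");  // like plain `echo "..."`

foreach (['good', 'bad'] as $name) {
    $read = lazySecretReader($name, $dir);  // nothing is read from disk yet
    $value = $read();                       // the file is read here, on first use
    printf("%s: %d bytes, trailing newline: %s\n",
        $name, strlen($value), hasTrailingNewline($value) ? 'yes' : 'no');
    unlink("$dir/$name");
}
rmdir($dir);
```

A check like hasTrailingNewline is useful at startup or in a deployment test, since a password with a stray newline typically surfaces only as an authentication failure against the backing service.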

The Versions

  • 10/04 2018: dev-master (9999999-dev), MIT
  • 10/04 2018: 1.1.0 (1.1.0.0), MIT
  • 10/04 2018: dev-callback-support, MIT
  • 06/01 2018: 1.0.0 (1.0.0.0), MIT