When deploying applications, certain pieces of information are highly sensitive: passwords, API keys, certificates, and so on.
You could put them in a .env file or in the configuration, but that is not secure, especially if the file is versioned or shared.
Docker offers Secrets to store this information securely and inject it into containers without exposing it in configuration files.
Key Concept
- A Docker Secret is encrypted data that Docker stores in its engine (Swarm).
- Containers can consume these secrets, but they cannot modify them, and they are never stored in plain text on disk.
Example: instead of putting DB_PASSWORD=monmotdepasse in a .env file, we create a secret db_password and Docker provides it directly to MariaDB at startup.
Simple example with Docker Compose (Swarm mode)
1. Create a secret from the CLI:
echo "MonSuperMotDePasse" | docker secret create db_password -
2. In your docker-compose.yml (Swarm mode):
version: '3.8'
services:
  db:
    image: mariadb
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
secrets:
  db_password:
    external: true
3. The MariaDB container reads the password from the file /run/secrets/db_password, which Docker provides automatically.
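Step 3 works because the MariaDB image resolves MYSQL_ROOT_PASSWORD_FILE itself. The helper below is an added example, not code from the article or from the MariaDB image: it shows the consumer side of that *_FILE convention in POSIX sh, so you can see what an entrypoint does with /run/secrets/db_password. The function name read_secret is chosen for this example, and the demo at the bottom uses a constructed temp file in place of the real secret mount.

```shell
#!/bin/sh
# Added example (not from the original article or the MariaDB image):
# how a container entrypoint consumes a secret through a *_FILE variable,
# the pattern MYSQL_ROOT_PASSWORD_FILE follows. read_secret is a
# hypothetical helper name written for this example.
set -eu

# read_secret VAR
# Populates $VAR from exactly one of:
#   - $VAR itself (plain environment variable), or
#   - the file named by $VAR_FILE (e.g. /run/secrets/db_password).
# Setting both is a configuration error: an environment value must not
# silently override the secret the operator intended to use.
read_secret() {
    var="$1"
    # Accept identifier characters only before the name reaches eval.
    case "$var" in
        *[!A-Za-z0-9_]*|"") echo "error: bad variable name" >&2; return 1 ;;
    esac
    file_var="${var}_FILE"
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"

    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "error: $file_var points to unreadable file $file" >&2
            return 1
        fi
        # $(...) drops the trailing newline that
        # `echo ... | docker secret create` stores in the secret.
        val=$(cat "$file")
    fi
    export "$var=$val"
    # Log where the value came from, never the value itself.
    echo "$var loaded from ${file:-environment}" >&2
}

# Stand-alone demo: a constructed temp file stands in for /run/secrets/db_password.
demo_file=$(mktemp)
printf 'MonSuperMotDePasse\n' > "$demo_file"
export MYSQL_ROOT_PASSWORD_FILE="$demo_file"
read_secret MYSQL_ROOT_PASSWORD
unset MYSQL_ROOT_PASSWORD_FILE
rm -f "$demo_file"
```

Two details matter in practice: the helper refuses to run when both the plain variable and the _FILE variable are set, and it only ever logs the source of the value, so a secret cannot leak into container logs through a careless startup message.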
📌 Key takeaway for beginners
- Secrets = secure sensitive data.
- They are mainly used for passwords, API keys, or certificates.
- They are inaccessible from the host and cannot be versioned in Git.
- This feature requires Docker Swarm, but the underlying concept is still worth understanding even when you run plain Docker Compose without Swarm.