Have you investigated Docker Secrets instead of less secure Environment Variables?
espoelstra opened this issue · comments
It requires a bit of refactoring to have the Groovy look to the `/run/secrets/secret-name` paths, running `docker swarm init`, and then pre-populating the secrets with `docker secret create secret-name file-with-secret`, or `cat ~/.aws/credentials | docker secret create aws-credentials -`, or `echo $(gopass show -o root/my/secret/account) | docker secret create my-secret-account -`.
I've been playing with this a bit myself and, other than requiring `docker stack deploy my-stack-name --compose-file=docker-compose.yml` and `docker service logs -f my-stack-name_projectname` (projectname aka foldername), it works pretty similarly to a regular Docker Compose setup.
I ended up also using a local registry so I could `docker-compose build && docker compose push` to the local registry, and then have the `docker stack deploy` pull from it with `localhost:5000/my-jenkins-docker:latest`. This is mostly so that I could just re-deploy if I had to change the Dockerfile instead of `docker stack rm my-stack-name` and then spinning the whole thing up again.
Overall the biggest pain comes if you start trying to do docker-in-docker, as you have to create a mirror of the container's working directories for any volumes you want to pass into inner containers.
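The refactoring the post describes boils down to one lookup rule: read a setting from the swarm-mounted file under `/run/secrets` first and fall back to the environment only if no file is there, so the same image still works under plain `docker-compose` while you migrate. The shim below is an added example written for this thread; it is not code from the issue author or from the Jenkins Docker project being discussed. `SECRETS_DIR`, the mapping of a secret name to an environment-variable name (`aws-credentials` becomes `AWS_CREDENTIALS`), the `*_FILE` convention, and the `deploy_stack` wrapper with its `STACK` and `COMPOSE_FILE` defaults are this example's own assumptions; the `docker secret create` and `docker stack deploy` commands inside it are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the issue or the project): resolve a setting from a
# Docker secret file first and the environment second, so an entrypoint or an
# init script that shells out to it can move to /run/secrets without breaking
# plain docker-compose runs that still pass environment variables.
#
# Lookup order for read_secret NAME (NAME is the name given to `docker secret
# create`, e.g. aws-credentials):
#   1. $SECRETS_DIR/NAME   SECRETS_DIR defaults to /run/secrets, where swarm
#                          mounts the secrets declared in the stack file
#   2. $<VAR>_FILE         the *_FILE convention many official images use
#   3. $<VAR>              plain environment-variable fallback
# VAR is NAME upper-cased with '-' mapped to '_'. SECRETS_DIR and that mapping
# are conventions of this example, not of Docker.

read_secret() {
    name="$1"
    # Refuse empty names, anything that could escape the secrets directory,
    # and anything that would not map to a valid variable name.
    case "$name" in
        ''|*/*|*[!A-Za-z0-9_-]*|[0-9]*) return 2 ;;
    esac
    var=$(printf '%s' "$name" | sed 'y/abcdefghijklmnopqrstuvwxyz-/ABCDEFGHIJKLMNOPQRSTUVWXYZ_/')
    dir="${SECRETS_DIR:-/run/secrets}"

    # 1. swarm-mounted secret file
    if [ -r "$dir/$name" ]; then
        cat "$dir/$name"
        return 0
    fi
    # 2. *_FILE pointer (indirect expansion; $var was validated above, so the
    #    eval only ever sees an identifier)
    eval "file=\${${var}_FILE:-}"
    if [ -n "$file" ] && [ -r "$file" ]; then
        cat "$file"
        return 0
    fi
    # 3. plain environment variable
    eval "val=\${${var}:-}"
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
        return 0
    fi
    return 1
}

# The swarm-side workflow from the post, wrapped so it can be re-run safely.
# STACK and COMPOSE_FILE are this example's assumptions. Secrets are immutable
# once created, so the create step is skipped when the name already exists.
deploy_stack() {
    STACK="${STACK:-my-stack-name}"
    COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
    docker info --format '{{.Swarm.LocalNodeState}}' | grep -q '^active$' \
        || docker swarm init
    docker secret inspect aws-credentials >/dev/null 2>&1 \
        || docker secret create aws-credentials ~/.aws/credentials
    docker stack deploy "$STACK" --compose-file="$COMPOSE_FILE"
}

# Typical use at the top of an entrypoint, failing closed if nothing is found:
#   AWS_CREDS=$(read_secret aws-credentials) \
#       || { echo "aws-credentials not provided" >&2; exit 1; }
```

Keeping the environment-variable path as the last resort rather than removing it lets the Groovy side switch to the secret file one setting at a time; once everything reads from `/run/secrets`, the fallback branches can be deleted so a secret can no longer be injected through `docker run -e`.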