If I have a docker application (J2EE web applications) meeting the following conditions:
Given this, how should the certificates be made available to the servers?
Update: 2018-02
Docker Swarm supports keeping secrets: https://docs.docker.com/engine/swarm/secrets/ This is, however, not supported in non-Swarm deployments. One hacky way to get around this is to deploy to only one node as a Swarm.
Previous answer:
Docker doesn't currently have a way to handle secrets (it's on their roadmap). There's a long-running thread over at Docker that lists many ways people use to import secrets into containers: https://github.com/docker/docker/issues/13490
Some people use HashiCorp's Vault; others encrypt secrets on the host (env vars) or in a Docker volume (that's what my team does). Containers can decrypt them when they are started (ENTRYPOINT/COMMAND). To add secrets at run time, you can create a custom container that does just that (accepts an HTTP request and stores it in a truststore). Just a suggestion amongst many that you'll see in the link above.
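A concrete shape for the Swarm-secrets route the answer describes, as an added example that is not from the answer's author: a POSIX entrypoint script that takes the certificate Swarm mounts under /run/secrets, imports it into a Java truststore, and only then hands off to the J2EE server. The secret names `ca_cert` and `truststore_pass`, the `SECRETS_DIR`/`TRUSTSTORE` variables and the `start` argument convention are assumptions of this example.

```shell
#!/bin/sh
# entrypoint.sh (constructed example). Host side, once, for a single-node Swarm:
#   docker swarm init
#   docker secret create ca_cert ./ca.pem
#   docker secret create truststore_pass ./truststore_pass.txt
#   docker service create --name app --secret ca_cert --secret truststore_pass my-j2ee-image
# Swarm mounts each secret as a file under /run/secrets/<name> on a tmpfs; the
# value is never baked into an image layer and is not shown by `docker inspect`.

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"   # overridden only in local tests

# Resolve a secret name to its mounted file. Fails closed: an absent or empty
# secret aborts startup rather than letting the server come up without trust anchors.
secret_path() {
    path="$SECRETS_DIR/$1"
    if [ ! -s "$path" ]; then
        echo "entrypoint: secret '$1' missing or empty at $path" >&2
        return 1
    fi
    printf '%s\n' "$path"
}

# Build a fresh truststore at container start from the mounted PEM certificate.
# The store password is read from a file (-storepass:file) so it does not show
# up in the container's process list the way a plain -storepass argument would.
import_cert() {
    alias="$1"; store="$2"
    cert="$(secret_path "$alias")" || return 1
    pass_file="$(secret_path truststore_pass)" || return 1
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cert" \
        -keystore "$store" -storepass:file "$pass_file" >/dev/null
}

# Point the JVM at the new truststore, then replace this shell with the server.
main() {
    store="${TRUSTSTORE:-/tmp/app-truststore.jks}"
    rm -f "$store"                               # never reuse a stale store
    import_cert ca_cert "$store" || exit 1
    export JAVA_OPTS="${JAVA_OPTS:-} -Djavax.net.ssl.trustStore=$store"
    exec "$@"                                    # e.g. catalina.sh run
}

# Dockerfile: ENTRYPOINT ["/entrypoint.sh", "start", "catalina.sh", "run"]
# Only the "start" argument runs main, so the functions can be sourced and tested.
case "${1:-}" in
    start) shift; main "$@" ;;
esac
```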