Best practices for certificates in docker

Question

If I have a docker application (J2EE web applications) meeting the following conditions:

• there are multiple containers to be deployed (from the same image) on separate hosts which will then communicate with each other over SSL/TLS - so the containers would need their own SSL certificates, and need to trust the certificates of the other containers
• these containers will additionally make HTTPS calls to other external URLs - so the certificates of these servers also need to be trusted. These external URL are not known at deployment time, so the certificates need to be imported separately
• the application being a J2EE web application uses java keystore and truststore for the certificates

Given this, how should the certificates be made available to the servers?

Answer 1

Update: 2018-02

Docker Swarm allows secrets keeping. https://docs.docker.com/engine/swarm/secrets/ This is however not supported in non Swarm deployments. One hacky way to get around this is to deploy to only 1 node as a Swarm.

Previous answer:

Docker doesn't currently have a way to handle secrets (it's on their road map). There's a long running thread over at Docker. It lists many ways that people use to import secrets into containers. https://github.com/docker/docker/issues/13490

Some people use HashiCorp's Vault, others encrypt secrets on the host (env vars) or in a docker volume (that's what my team does). Containers can decrypt them when they are started (ENTRYPOINT/COMMAND). To add secrets at run time, you can create a custom container that does just that (accepts a http request and store it in a truststore). Just a suggestion amongst many that you'll see in the link above.