Suggestions on keeping secrets out of Dockerfiles

Hi,

After reviewing the steps here (Running Keycloak in a container - Keycloak) and getting my Keycloak container to run properly with a custom provider, I’ve been trying to figure out a way to remove credentials from the Dockerfile using various means (secret mounts etc) but have been struggling to get an actual working configuration. Wondering if anyone has example approaches and preferably a Dockerfile for a working KC image that doesn’t contain secrets embedded as environment variables.

Thanks!
Walter

What is your runtime? Are you running in Kubernetes? Docker on bare metal?

Your secrets can be specified as environment variables outside of your Dockerfile, but how you set that up will depend on your specific environment.

Caveat: Docker novice here ;)

I’m just running Docker on bare metal. I see what you mean in that the variables that are being passed in the example Dockerfile are being used by the build process, but if they can all be passed at runtime to start the server then maybe I don’t need to include those variables in the Dockerfile itself?

Check in the relevant options section which ones are build options and which ones can be provided at runtime. But no secret is a build option.

Ok, thank you! Rereading the docs I see that secrets are set directly in the Dockerfile during build for optimized images, but for mutable images they are passed as environment variables.

This isn’t the best example. Probably it just intends to get you started but isn’t really good practice.
You can have build-optimized images while still passing secrets as environment variables (look at the little tool icon next to some config properties, such as the db).

Thank you @ThoreKr and @xgp; I got my optimized image working as expected by removing the environment variables from the example Dockerfile and just passing them as environment variables to the docker run command. Your questions helped point me in the right direction.

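The approach the thread settles on, written out as an added example (it is not code from the thread or from the Keycloak project): a Dockerfile that carries only build options, an owner-only env file that carries the credentials, and a check that nothing secret-looking is baked into the image. The base image tag, the hostname, the placeholder values, the KC_BOOTSTRAP_ADMIN_* variable names and the "looks like a secret" name pattern are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the Keycloak project: an optimized
# Keycloak image whose Dockerfile holds build options only, with credentials
# supplied at run time through an env file. Image tag, env var names, hostname
# and the secret-name heuristic are assumptions for illustration.

# Write a Dockerfile with build-time options only (DB vendor, health, metrics).
# No credential appears here, so it is safe to commit and to ship as image layers.
write_dockerfile() {
  cat > "$1/Dockerfile" <<'EOF'
FROM quay.io/keycloak/keycloak:latest AS builder
# Build-time options only: nothing below is a secret.
ENV KC_DB=postgres
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
# Custom provider jars go in providers/ next to this Dockerfile (may be empty).
COPY providers/ /opt/keycloak/providers/
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:latest
COPY --from=builder /opt/keycloak/ /opt/keycloak/
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
EOF
}

# Write the runtime secrets to a file readable only by its owner. Values are
# placeholders; KC_BOOTSTRAP_ADMIN_* are the Keycloak 26+ names (older
# releases use KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD).
write_env_file() {
  ( umask 077; cat > "$1" <<'EOF'
KC_DB_URL=jdbc:postgresql://db.internal:5432/keycloak
KC_DB_USERNAME=keycloak
KC_DB_PASSWORD=replace-me
KC_HOSTNAME=sso.example.com
KC_BOOTSTRAP_ADMIN_USERNAME=admin
KC_BOOTSTRAP_ADMIN_PASSWORD=replace-me
EOF
  )
  chmod 600 "$1"
}

# Check that no ENV or ARG instruction sets a secret-looking key. The key
# pattern (PASSWORD, SECRET, TOKEN, _KEY) is a heuristic, not a Keycloak rule.
# Returns 0 when clean, 1 when something should move to run time instead.
check_no_secrets_in_dockerfile() {
  pattern='^[[:space:]]*(ENV|ARG)[[:space:]]+[A-Za-z0-9_]*(PASSWORD|SECRET|TOKEN|_KEY)[A-Za-z0-9_]*([= ]|$)'
  if grep -Ein "$pattern" "$1"; then
    echo "secret-looking build variable in $1; pass it at run time instead" >&2
    return 1
  fi
  return 0
}

# Build the image, then start it with the secrets read from the env file.
# Needs a Docker daemon and a reachable database; TLS or reverse-proxy
# settings for production are left out and must be added for a real deployment.
build_and_run() {
  docker build -t keycloak-optimized "$1"
  docker run --rm --name keycloak -p 8443:8443 \
    --env-file "$2" keycloak-optimized start --optimized
}

# Offline demo: lay out the files in a temp dir and verify the Dockerfile.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/providers"
write_dockerfile "$demo_dir"
write_env_file "$demo_dir/keycloak.env"
check_no_secrets_in_dockerfile "$demo_dir/Dockerfile" \
  && echo "Dockerfile is clean; start with: build_and_run $demo_dir $demo_dir/keycloak.env"
```

Using --env-file rather than a row of -e flags keeps the credentials out of the image layers, out of docker history and out of the shell history, but they are still visible through docker inspect to anyone who can reach the Docker socket, so that socket needs the same protection as the env file. A BuildKit secret mount (--mount=type=secret) is the right tool only for something the build step itself needs, such as a token to fetch the provider jar; as the thread notes, none of Keycloak's own build options is a secret, so the runtime env file is all the server configuration needs.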