One of the most delicate things when deploying an application is managing its secrets. In Portus you have two options:
- Environment variables: you can set environment variables directly in the `docker-compose.yml` file, or the manifest you might be using. This has some downsides (e.g. it does not allow secret rotation). For this reason, some container orchestrators like Kubernetes can manage secrets for you, and then store them in environment variables transparently. You can read more about Kubernetes secrets here (and this section talks about setting environment variables with secrets).
- Files: the other option is to simply have a file for each secret. Orchestrators like Docker Swarm, Kubernetes, etc. support this workflow. In Portus we accommodate this a bit, and for some environment variables (including `PORTUS_LDAP_AUTHENTICATION_PASSWORD`) we support a special syntax: you can add the `_FILE` suffix to the variable name to indicate the path of the secret. So, for example, `PORTUS_DB_PASSWORD_FILE` would indicate the path of the secret for the database password.
Note well: all these secrets are loaded during initialization. Hence, if you want to update any of them, you will have to restart Portus.
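The `_FILE` convention and the load-at-initialization behaviour described above, sketched as an added example (this is not Portus's own code). The `FileSecrets` module is hypothetical, and rejecting a variable that is set both ways, as well as rejecting an empty file, are assumptions of this sketch rather than documented Portus behaviour.

```ruby
require "tempfile"

# Hypothetical helper illustrating the `<NAME>_FILE` convention.
module FileSecrets
  class Error < StandardError; end

  # Returns the secret for `name`, reading it from the path in `<name>_FILE`
  # when that variable is set, otherwise from the plain variable.
  def self.fetch(name, env = ENV)
    path  = env["#{name}_FILE"]
    plain = env[name]
    # Assumed policy: an ambiguous configuration is an error, not a guess.
    raise Error, "#{name} and #{name}_FILE are both set; keep only one" if path && plain
    return plain unless path

    raise Error, "#{path} is not a regular file" unless File.stat(path).file?
    # Secret files often end in a newline that is not part of the secret.
    secret = File.read(path).chomp
    raise Error, "#{path} is empty" if secret.empty?
    secret
  rescue SystemCallError => e
    # Missing file, wrong mount path, or insufficient permissions.
    raise Error, "cannot read #{name}_FILE: #{e.message}"
  end

  # Reads every secret once, as at initialization. The returned snapshot
  # does not follow later changes to the files, hence the restart.
  def self.load_all(names, env = ENV)
    names.to_h { |n| [n, fetch(n, env)] }.freeze
  end
end

if __FILE__ == $PROGRAM_NAME
  Tempfile.create("db_password") do |f| # constructed sample secret
    f.write("constructed-sample\n")
    f.flush
    env  = { "PORTUS_DB_PASSWORD_FILE" => f.path }
    boot = FileSecrets.load_all(["PORTUS_DB_PASSWORD"], env)
    File.write(f.path, "rotated-sample\n") # orchestrator rotates the file
    puts boot["PORTUS_DB_PASSWORD"]        # still the value read at boot
  end
end
```

Failing at boot on a missing, empty or ambiguous secret is safer than starting with a blank password and discovering it at the first database or LDAP connection.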