Docker Secrets

A simple library to load Docker secrets in a swarm cluster as a map.

Download

Gradle

repositories {
  jcenter()
}

dependencies {
  compile 'com.cars:docker-secrets:0.2.0'
}

Maven

<dependency>
  <groupId>com.cars</groupId>
  <artifactId>docker-secrets</artifactId>
  <version>0.2.0</version>
</dependency>

Usage

Docker secrets are availble to a container under /run/secrets/

Given the below secrets :

$ echo "test-secret1-value" | docker secret create test-secret1 -
$ echo "test-secret2-value" | docker secret create test-secret2 -
$ echo "test-secret3-value" | docker secret create test-secret3 -

To load all secrets :

Map<String, String> secrets = DockerSecrets.load();
System.out.println(secrets.get("test-secret1")) // test-secret1-value

Since secrets are files, you can have a secret created with a properties file syntax as below

//secret-file.txt
dbuser=readonly
dbpass=super-secret-password
apikey=very-secret-api-key

Create the secret using the file:

$ docker secret create test-secret secret-file.txt

Then to load that secret:

Map<String, String> secrets = DockerSecrets.loadFromFile("test-secret");
System.out.println(secrets.get("dbuser")) // readonly

Working with Spring framework

Here is an example of how a SecretsConfig will look like when using Spring framework. It uses profiles to work with secrets locally. So if you are just testing you application outside of Docker, you can still use the same code

Create a file under src/main/resource/config/secrets-file

//secrets-file
dbuser=readonly
dbpass=secret-pass

And use this @Configuration:

package com.cars.devops.config;

import java.io.File;
import java.net.URL;
import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;

import com.cars.framework.secrets.DockerSecretLoadException;
import com.cars.framework.secrets.DockerSecrets;

@Configuration
public class SecretsConfig {

  //File under src/main/resources/config/
  private final String DEFAULT_SECRETS_FILE = "config/secrets-file";

  // This bean will be used in non-local or no profiles
  @Bean(name = "secrets")
  @Profile(value = "!local")
  public Map<String, String> secrets() {
    try {
      return DockerSecrets.loadFromFile("secrets-file");
    } catch (DockerSecretLoadException e) {
      System.out.println("Secrets Load failed : " + e.getMessage());
    }
    return Collections.emptyMap();
  }

  // This bean will be used for 'local' profile
  @Bean(name = "secrets")
  @Profile(value = "local")
  public Map<String, String> localSecrets() {
    try {
      URL url = ClassLoader.getSystemResource(DEFAULT_SECRETS_FILE);
      if (url != null) {
        return DockerSecrets.loadFromFile(new File(url.getPath()));
      } else {
        System.out.println("Secrets Load failed : No file at " + DEFAULT_SECRETS_FILE);
      }
    } catch (DockerSecretLoadException e) {
      System.out.println("Secrets Load failed : " + e.getMessage());
    }
    return Collections.emptyMap();
  }
}

Now you can run you application with the local profile :

$ java -Dspring.profiles.active=local -jar your.jar

Or if using Spring boot:

$ gradlew bootRun -Dspring.profiles.active=local

Use @Resource to reference the secrets bean in other beans/configs:

public class Application {

  @Resource(name = "secrets")
  private Map<String, String> secrets;

  // TODO Add your application beans here or use @Import as above

  @Bean
  public String somebean() {
    System.out.println("DBuser is : " + secrets.get("dbuser")); //should print readonly
    return "";
  }

  public static void main(String[] args) {
    SpringApplication.run(Application.class, args);
  }

}

Build

$ ./gradlew clean build

Test

$ ./gradlew clean test

License

Apache 2.0