How do I dockerize a .env file while keeping the variables secret? I have a .env file that is hidden by .gitignore and .dockerignore. I tried using a volume accessed through docker-compose, but that only works if I remove .env from .dockerignore. I also tried storing my variables in GitHub Actions secrets and accessing them via env: USE: ${{ Secrets.USE }} with no docker-compose at all, but that didn't work either.
A bit stumped (more like banging my head against the screen). How are you supposed to keep these secrets if the program needs them to run? Eventually I want GitHub Actions to handle the Docker build and deployment to AWS on push, but right now it's hard enough just getting Docker to work..
Thanks!
```yaml
name: Docker Deployment
on:
  push:
    branches:
      - "main"
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to Docker Hub
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
      - name: Pull Docker Image
        run: |
          docker pull user/site:latest
      - name: Run Docker Container
        env:
          USE: ${{ secrets.USE }}
          PASSWORD: ${{ secrets.PASSWORD }}
          DISCORDWIDGET: ${{ secrets.DISCORDWIDGET }}
          email: ${{ secrets.email }}
          email_password: ${{ secrets.email_password }}
          TOKEN: ${{ secrets.TOKEN }}
          JENN_ID: ${{ secrets.JENN_ID }}
          MAKI_ID: ${{ secrets.MAKI_ID }}
          STRIKE_ID: ${{ secrets.STRIKE_ID }}
          SONO_ID: ${{ secrets.SONO_ID }}
          TAV_ID: ${{ secrets.TAV_ID }}
          DAVID_ID: ${{ secrets.DAVID_ID }}
          AMAZE_ID: ${{ secrets.AMAZE_ID }}
          TOAST_ID: ${{ secrets.TOAST_ID }}
          SERVER_ID: ${{ secrets.SERVER_ID }}
        run: |
          docker run -d \
            -e USE="$USE" \
            -e PASSWORD="$PASSWORD" \
            -e DISCORDWIDGET="$DISCORDWIDGET" \
            -e email="$email" \
            -e email_password="$email_password" \
            -e TOKEN="$TOKEN" \
            -e JENN_ID="$JENN_ID" \
            -e MAKI_ID="$MAKI_ID" \
            -e STRIKE_ID="$STRIKE_ID" \
            -e SONO_ID="$SONO_ID" \
            -e TAV_ID="$TAV_ID" \
            -e DAVID_ID="$DAVID_ID" \
            -e AMAZE_ID="$AMAZE_ID" \
            -e TOAST_ID="$TOAST_ID" \
            -e SERVER_ID="$SERVER_ID" \
            user/site:latest
```
You can use HashiCorp Vault and Vault Agent. Store your secrets in Vault:

```sh
vault kv put kv/docker/static \
  USE=user \
  PASSWORD=pass \
  DISCORDWIDGET=warever \
  [email protected] \
  email_password=mypass \
  TOKEN="my tocken" \
  JENN_ID=myid
```
Vault Agent will then generate a .env file from the template secrets.tpl:

```
{{ with secret "kv/docker/static" -}}
USE={{.Data.data.USE}}
PASSWORD={{.Data.data.PASSWORD}}
DISCORDWIDGET={{.Data.data.DISCORDWIDGET}}
email={{.Data.data.email}}
email_password={{.Data.data.email_password}}
TOKEN={{.Data.data.TOKEN}}
JENN_ID={{.Data.data.JENN_ID}}
{{- end }}
```
using this config file:

```hcl
pid_file = "./pidfile"

auto_auth {
  method {
    type = "approle"
    config = {
      role_id_file_path                   = "/vault-agent/django-role_id"
      secret_id_file_path                 = "/vault-agent/django-secret_id"
      remove_secret_id_file_after_reading = false
    }
  }
  sink {
    type = "file"
    config = {
      path = "/vault-agent/token"
    }
  }
}

template {
  source      = "/vault-agent/secrets.tpl"
  destination = "/usr/share/docker/secrets/.env"
}

cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}
```
For more details, see the HashiCorp Vault docs: https://developer.hashicorp.com/vault/docs/what-is-vault
Here is a good example of how to use it with docker compose: https://github.com/yaroshhh/vault-agent-docker/tree/master Good luck
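An entrypoint wrapper for the application container, added here as an example and not part of the answer above or the linked repository: it waits for the .env that Vault Agent renders to the `destination` in the config above, exports its KEY=VALUE lines without sourcing the file, refuses to start if a required secret is empty, and then execs the application. It assumes the agent's output directory is mounted into the app container at the same path; the REQUIRED_KEYS list and the app command are placeholders.

```shell
#!/bin/sh
# Added example (not from the answer above): entrypoint wrapper that loads the
# .env rendered by Vault Agent into the environment and then execs the app.
# Assumes the agent's destination directory is mounted at the same path here.
ENV_FILE="${ENV_FILE:-/usr/share/docker/secrets/.env}"
REQUIRED_KEYS="${REQUIRED_KEYS:-USE PASSWORD TOKEN}"   # placeholder list
WAIT_SECONDS="${WAIT_SECONDS:-30}"

# Vault Agent renders the file asynchronously; wait for it, but not forever.
wait_for_env_file() {
  i=0
  while [ ! -s "$ENV_FILE" ]; do
    i=$((i + 1))
    if [ "$i" -gt "$WAIT_SECONDS" ]; then return 1; fi
    sleep 1
  done
}

# Export plain KEY=VALUE lines. The file is never sourced, so a malformed or
# tampered template cannot run commands; values are taken literally, and the
# error path reports no file content so secrets stay out of container logs.
load_env_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "$ENV_FILE: a line is not KEY=VALUE" >&2; return 1 ;;
    esac
    export "$key=${line#*=}"
  done < "$ENV_FILE"
}

# Fail fast if a required secret is missing or empty rather than starting the
# app with a blank token. REQUIRED_KEYS comes from the operator, not the file.
check_required() {
  for k in $REQUIRED_KEYS; do
    eval "v=\${$k:-}"
    [ -n "$v" ] || { echo "missing required secret: $k" >&2; return 1; }
  done
}

run_app() {
  wait_for_env_file || { echo "timed out waiting for $ENV_FILE" >&2; exit 1; }
  load_env_file && check_required || exit 1
  exec "$@"   # hypothetical app command passed as the container CMD
}

# Start the app only when a command was passed; otherwise just define functions.
if [ "$#" -gt 0 ]; then run_app "$@"; fi
```

Used as the image ENTRYPOINT with the real command as CMD, the secrets exist only in the mounted file and the process environment, never in the image layers or the repository.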