Docker Swarm Series: #6th Managing config and secret objects

mohamedeleraki

Mohamed El Eraky

Posted on July 18, 2023

Inception

Hello everyone. This article is part of The Swarm series, in which each article builds on the previous ones. Check out The Swarm series.

In the last article, we covered troubleshooting: how to find the exact issue and fix it using the Docker CLI and the Play-with-Docker lab.


Overview

In this article, we will complete the Swarm tutorials by explaining how to use and manage config objects, and how to store secrets securely and use them in your deployment. This lab also uses the Play-with-Docker lab.


Docker Config Overview

A config object is a file that stores configuration you want to share among multiple container services. It can hold any type of data (e.g. JSON, key-value pairs, XML).

The value of a config object is that it ensures consistency across all the services and containers that use the same configuration data. This helps avoid configuration errors and reduces the risk of downtime. See the Docker config docs.


Docker Secret Overview

Secrets are almost exactly like configs: "Secrets are encrypted throughout their lifetime in the cluster. The data is stored encrypted in the database shared by the managers, and secrets are only delivered to nodes that are scheduled to run replicas that need the secret. Secrets are encrypted in transit from the manager node to the worker, and they are only unencrypted inside the container, where they appear with the original file contents."

"The key difference with secrets is that you can only read them in plain text at one point in the workflow: inside the container when they are loaded from the Swarm."

-Docker in a month of lunches-
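Inside the container a secret is just a file, so the application or its entrypoint has to read it. The sketch below is an added example, not code from the article or from any image: `resolve_file_env` is a hypothetical helper that shows the `NAME_FILE` convention this article relies on (for example `MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_password`), with a temp file standing in for the mounted secret.

```shell
#!/bin/sh
# Added example, not from the article. resolve_file_env is a hypothetical
# helper showing the NAME_FILE convention used for Swarm secrets.

# resolve_file_env NAME: export NAME from the file named in NAME_FILE.
resolve_file_env() {
    _name="$1"
    # Only plain identifiers may reach the eval calls below.
    case "$_name" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid name: $_name" >&2; return 2 ;;
    esac
    eval "_direct=\${${_name}:-}"
    eval "_path=\${${_name}_FILE:-}"

    # Two sources for one value is ambiguous, so refuse instead of guessing.
    if [ -n "$_direct" ] && [ -n "$_path" ]; then
        echo "error: ${_name} and ${_name}_FILE are both set" >&2
        return 1
    fi
    if [ -n "$_path" ]; then
        if [ ! -r "$_path" ]; then
            echo "error: ${_name}_FILE is not readable: $_path" >&2
            return 1
        fi
        # $(...) drops trailing newlines, so a file saved by an editor works.
        _direct="$(cat "$_path")"
    fi
    if [ -z "$_direct" ]; then
        echo "error: neither ${_name} nor ${_name}_FILE is set" >&2
        return 1
    fi
    eval "${_name}=\$_direct"
    export "$_name"
    unset "${_name}_FILE" _direct _path
}

# Constructed demo: a temp file stands in for /run/secrets/mongo_password.
_demo="$(mktemp)"
printf 'supersecretpassword\n' > "$_demo"
unset MONGO_INITDB_ROOT_PASSWORD
MONGO_INITDB_ROOT_PASSWORD_FILE="$_demo"
resolve_file_env MONGO_INITDB_ROOT_PASSWORD && echo "password loaded from file"
rm -f "$_demo"
```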


Deployment Example

In this example we will deploy MongoDB and Mongo_Express container services, store the configs and secrets in external files, and load them into the swarm database so that the secret is secure and does not appear in clear text. We will use Play-with-Docker labs, Docker Swarm mode, a Docker Compose file, config and secret files, and the Docker CLI.

  • Open Play-with-Docker labs, and create the below environment:



  • Create a config file called mongo_config.txt that holds the common configs, including the username and the path to the password file.

    MONGO_INITDB_ROOT_USERNAME=admin
    MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_password
    
  • Create a secret file called mongo_password.txt that holds the MongoDB password, with the following content:

    supersecretpassword



  • Create a secret object from the secret file created:

    $ docker secret create mongo_password mongo_password.txt
    



  • Create a config object from the config file created:

    docker config create mongo_config mongo_config.txt
    



  • Check the Secrets in the cluster

    docker secret ls
    



  • Check the config in the cluster

    docker config ls
    



  • Inspect the secret with the --pretty flag:

    docker secret inspect --pretty mongo_password
    

Note that the inspection doesn't print out the secret file content.

  • Inspect the config with the --pretty flag:

    docker config inspect --pretty mongo_config
    

Note that the inspection prints out the content of the config file, because config objects are not secured the way secrets are.

  • Create a Docker Compose file called docker-compose.yml with the MongoDB and Mongo_Express services, and reference the config and secret objects.

    version: "3.7"
    services:
      mongo:
        image: mongo:4.4
        configs:
          # Note: the mongo image only runs *.sh and *.js files found in
          # /docker-entrypoint-initdb.d, so this .txt file is mounted but not evaluated.
          - source: mongo_config
            target: /docker-entrypoint-initdb.d/mongo_config.txt
        environment:
          MONGO_INITDB_DATABASE: test
        secrets:
          - mongo_password
        deploy:
          replicas: 1
          placement:
            constraints:
              - node.role == manager

      mongo-express:
        image: mongo-express:0.54
        ports:
          - "8081:8081"
        environment:
          ME_CONFIG_MONGODB_ADMINUSERNAME_FILE: /run/secrets/mongo_admin_username
          ME_CONFIG_MONGODB_ADMINPASSWORD_FILE: /run/secrets/mongo_password
          ME_CONFIG_MONGODB_SERVER: mongo
          ME_CONFIG_BASICAUTH_USERNAME_FILE: /run/secrets/me_username
          ME_CONFIG_BASICAUTH_PASSWORD_FILE: /run/secrets/me_password
        secrets:
          - mongo_password
          - mongo_admin_username
          - me_username
          - me_password
        deploy:
          replicas: 1
          placement:
            constraints:
              - node.role == manager

    # The secrets and the config are created outside the stack with
    # "docker secret create" / "docker config create", hence external: true.
    secrets:
      mongo_password:
        external: true
      mongo_admin_username:
        external: true
      me_username:
        external: true
      me_password:
        external: true

    configs:
      mongo_config:
        external: true

  • An important hint: once you create a secret you cannot update it. So create the other secrets that are referenced in the YAML file before deploying, as below:

    # printf avoids the trailing newline that echo would store as part of the secret
    printf '%s' "mongo_pass" | docker secret create me_password -
    printf '%s' "mongo_user" | docker secret create me_username -
    printf '%s' "admin" | docker secret create mongo_admin_username -



  • Deploy the stack to the Swarm cluster using the following:

    $ docker stack deploy -c docker-compose.yml myapp



  • List the stacks

    docker stack ls
    



  • Get the stack services

    docker stack services myapp
    



  • More info about services

    docker stack ps myapp
    

As the output shows, the container services are up and running.
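Because `docker config inspect` prints a config's content in clear text, a password must never be written into the config file itself, only the path to a secret. The following check is an added example, not part of the original article: `find_plaintext_secrets` and `check_config_file` are hypothetical helpers, the key patterns are an assumed starting list, and both sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the article. find_plaintext_secrets and
# check_config_file are hypothetical helper names.

# Print "file:line: KEY" for secret-looking keys that hold a literal value.
# Values are never printed, so the report itself cannot leak them.
find_plaintext_secrets() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        index($0, "=") == 0 { next }             # not a KEY=VALUE line
        {
            key = substr($0, 1, index($0, "=") - 1)
            value = substr($0, index($0, "=") + 1)
            sub(/^[ \t]*(export[ \t]+)?/, "", key)
            sub(/[ \t]+$/, "", key)
            upper = toupper(key)
            if (upper ~ /_FILE$/ || value == "") next   # path to a secret file
            if (upper ~ /PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY/)
                print FILENAME ":" NR ": " key
        }
    ' "$1"
}

# Return non-zero when the file should not become a config object.
check_config_file() {
    _findings="$(find_plaintext_secrets "$1")"
    if [ -n "$_findings" ]; then
        printf 'plaintext secret-like keys, move them to docker secret:\n%s\n' \
            "$_findings" >&2
        return 1
    fi
}

# Constructed demo: the config file from this article and a leaky variant.
_dir="$(mktemp -d)"
cat > "$_dir/mongo_config.txt" <<'EOF'
MONGO_INITDB_ROOT_USERNAME=admin
MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_password
EOF
cat > "$_dir/leaky_config.txt" <<'EOF'
MONGO_INITDB_ROOT_USERNAME=admin
MONGO_INITDB_ROOT_PASSWORD=constructed-example-value
EOF
check_config_file "$_dir/mongo_config.txt" && echo "mongo_config.txt: ok"
check_config_file "$_dir/leaky_config.txt" || echo "leaky_config.txt: blocked"
rm -rf "$_dir"
```

Run `check_config_file mongo_config.txt` before `docker config create mongo_config mongo_config.txt` and create the config only when the check returns zero.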


Summary of steps

  • Create a config object file.

  • Create a secret object file.

  • Create a secret object from the file content.

  • Create a config object from the file content.

  • List and inspect the config and secret, and ensure that the secret is secured and does not appear as clear text.

  • Create a Docker-compose YAML file for the stack deployment.

  • Manually create the missing secrets, because once you create a secret you cannot update it.

  • Deploy the stack using the docker-compose YAML file and Docker CLI.

  • Print out the deployed services and ensure the services are up and running.
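Since a secret cannot be updated in place, changing its value means creating a new secret and swapping it into the running services. The sketch below is an added example, not part of the original article: `rotate_secret` and the `DOCKER` override are hypothetical, the new secret name is the caller's choice, and the service name follows the `<stack>_<service>` naming of `docker stack deploy`.

```shell
#!/bin/sh
# Added example, not from the article. rotate_secret and the DOCKER override
# are hypothetical; the docker subcommands and flags are the real CLI ones.
DOCKER="${DOCKER:-docker}"

# Usage: rotate_secret OLD NEW SERVICE... < file_with_new_value
# The new value arrives on stdin, so it never lands in argv or shell history.
rotate_secret() {
    [ "$#" -ge 3 ] || { echo "usage: rotate_secret OLD NEW SERVICE..." >&2; return 2; }
    _old="$1"; _new="$2"; shift 2
    [ "$_old" != "$_new" ] || { echo "new name must differ from old" >&2; return 2; }

    # 1. Secrets cannot be edited, so store the new value under a new name.
    "$DOCKER" secret create "$_new" - || return 1

    # 2. Swap it into every service that mounts the old one. target= keeps the
    #    file name /run/secrets/OLD, so the *_FILE variables stay unchanged.
    for _svc in "$@"; do
        if ! "$DOCKER" service update --secret-rm "$_old" \
                --secret-add "source=$_new,target=$_old" "$_svc"; then
            echo "update of $_svc failed; keeping $_old" >&2
            return 1
        fi
    done

    # 3. Docker refuses to remove a secret that a service still uses, so this
    #    only succeeds once every consumer was listed above.
    "$DOCKER" secret rm "$_old"
}

# Example call for the stack in this article (values are constructed):
#   rotate_secret me_password me_password_v2 myapp_mongo-express < new_pass.txt
```

After a rotation, update docker-compose.yml to reference the new secret name before the next `docker stack deploy`, otherwise the deploy will look for the removed secret.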


That's it. Very straightforward, very fast 🚀. I hope this article inspired you, and I will appreciate your feedback. Thank you.
