How to use secrets the right way

But what makes it OK to ignore a best practice? Baking secrets into an image is bad for several reasons; foremost in my mind is that you can mount the image and read the secret from anywhere it is loaded, including developer machines. And if that image ever leaks by any other means, you've got a secret out in the wild. Not to mention that it's now a shared secret, which has a whole slew of other potential issues.

I would not run it this way in my shop, ever. Heck, I wouldn't run it this way at home, either. It's just reinforcing a bad habit and secret sprawl. Use the secret tooling that your orchestration provides, and if it doesn't, use environment variables and .env files that are not kept in version control.

/r/docker
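An added example, not from this thread or from any Docker project code: a small POSIX shell lint that flags the "baked-in secret" pattern in a Dockerfile (an `ENV`/`ARG` with a secret-looking name and a literal value, or a `COPY`/`ADD` of a `.env` file), plus the lookup order an entrypoint can use so the secret comes from the orchestrator's secret mount, a `*_FILE` pointer, or the environment instead of the image. The secret-name regex, the mapping of `DB_PASSWORD` to a lowercase mounted file named `db_password`, and the sample Dockerfiles are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: the key-name
# pattern below, and that an orchestrator mounts secret "db_password" under
# /run/secrets for the variable DB_PASSWORD.

SECRET_NAME_RE='(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)'

# lint_dockerfile FILE
# Prints one line per finding and returns 1 if any were found, 0 otherwise.
#   ENV/ARG with a secret-looking name AND a literal value -> stored in a layer
#   COPY/ADD of a .env file                                -> whole file in a layer
# ENV/ARG without a value only declares the variable, so it is not flagged;
# names ending in _FILE point at a mounted file and are not flagged either.
# Only the first NAME=VALUE pair on an ENV/ARG line is examined.
lint_dockerfile() {
    awk -v re="$SECRET_NAME_RE" -v file="$1" '
        /^[[:space:]]*(#|$)/ { next }
        {
            instr = toupper($1)
            if (instr == "ENV" || instr == "ARG") {
                name = $2
                has_value = (name ~ /=/) || (NF >= 3)
                sub(/=.*/, "", name)
                uname = toupper(name)
                if (has_value && uname ~ re && uname !~ /_FILE$/) {
                    printf "%s:%d: secret literal stored in an image layer: %s\n", file, NR, $0
                    found++
                }
            } else if ((instr == "COPY" || instr == "ADD") &&
                       $0 ~ "(^|[[:space:]/])\\.env([[:space:]]|$)") {
                printf "%s:%d: .env file copied into the image: %s\n", file, NR, $0
                found++
            }
        }
        END { exit (found > 0) }
    ' "$1"
}

# resolve_secret NAME [SECRETS_DIR]
# Lookup order for an entrypoint, most preferred first:
#   1. orchestrator-mounted file SECRETS_DIR/<name lowercased> (default /run/secrets)
#   2. a NAME_FILE variable pointing at a file
#   3. the plain environment variable NAME (e.g. from an untracked .env)
# Prints the value; returns 1 if none of the sources exist.
resolve_secret() {
    name=$1
    dir=${2:-/run/secrets}
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    if [ -r "$dir/$lower" ]; then
        cat "$dir/$lower"
        return 0
    fi
    file_var=$(eval "printf '%s' \"\${${name}_FILE:-}\"")
    if [ -n "$file_var" ] && [ -r "$file_var" ]; then
        cat "$file_var"
        return 0
    fi
    value=$(eval "printf '%s' \"\${${name}:-}\"")
    if [ -n "$value" ]; then
        printf '%s' "$value"
        return 0
    fi
    printf 'secret %s not provided\n' "$name" >&2
    return 1
}

# demo: lint two constructed Dockerfiles, then resolve a simulated mounted secret
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/Dockerfile.bad" <<'EOF'
FROM alpine:3.19
# Constructed sample: each of these three lines ends up in an image layer
ENV DB_PASSWORD=hunter2
ARG API_TOKEN=abc123
COPY .env /app/.env
EOF
    cat > "$tmp/Dockerfile.good" <<'EOF'
FROM alpine:3.19
# Constructed sample: declares where the secret is read from, stores no value
ENV DB_PASSWORD_FILE=/run/secrets/db_password
ARG API_TOKEN
COPY entrypoint.sh /app/entrypoint.sh
EOF
    lint_dockerfile "$tmp/Dockerfile.bad" && echo "unexpected: bad Dockerfile passed"
    lint_dockerfile "$tmp/Dockerfile.good" && echo "good Dockerfile: no baked-in secrets"
    mkdir -p "$tmp/secrets"
    printf 'from-the-orchestrator' > "$tmp/secrets/db_password"
    printf 'DB_PASSWORD resolves to: %s\n' "$(resolve_secret DB_PASSWORD "$tmp/secrets")"
    rm -rf "$tmp"
}
```

Run `demo` after sourcing the script, or point `lint_dockerfile` at a real Dockerfile in a pre-commit hook. The resolution order puts the orchestrator's mount first on purpose: that file never passes through the image, `docker history`, or `docker inspect` output, whereas a plain environment variable is visible to anyone who can inspect the running container.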