My use case is that I have multiple express micro-services that use the same middleware and I would like to create a different repo in the format of an npm module for each middleware.
Every repo is a private repo and can have a deploy key attached (they can be different keys or the same one).
All of this works OK locally. However, when I try to use this with my docker-compose setup it fails on the npm install step, in the build stage.
Dockerfile

    FROM node:alpine
    # work out of a dedicated directory and bring in package.json (and the
    # rest of the service) so npm has something to install
    WORKDIR /app
    COPY . .
    RUN npm install --production
    CMD npm start

docker-compose.yml

    services:
      node-api:
        build:
          context: .
          dockerfile: Dockerfile
I understand this doesn't work because I don't have the deploy key I use on my local system in the Docker context.
I've looked around for a solution and none seem very easy/non-hacky:

1. Copy the key in and squash (CONS: not sure how I do this in a docker-compose file). http://blog.cloud66.com/pulling-git-into-a-docker-image-without-leaving-ssh-keys-behind/
2. Copy the key in on the build step and add it to the image. (CONS: Not very secure :( )
3. Use the key as a build argument. (CONS: see 2)
4. Dockerise something like https://www.vaultproject.io/, run that up first, add the key and use that within the node containers to get the latest key. (CONS: probably lots of work, maybe other issues?)
5. Use Docker secrets and docker stack deploy and store the key in docker secrets. (CON: docker stack deploy has no support for docker volumes yet. See here https://docs.docker.com/compose/bundles/#producing-a-bundle: unsupported key 'volumes')
My question is what is the most secure possible solution that is automated (minimal manual steps for users of the file)? Time of implementation is less of a concern. I'm trying to avoid checking in any sensitive data while making it easy for other people to run this locally.
"no support for volumes yet"? Because here, docs.docker.com/engine/swarm/secrets/#use-secrets-in-compose, it looks like they create volumes. – Edwin
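The security property the question is after is that the deploy key must reach `npm install` at build time without ever being written into an image layer (options 2 and 3 above both leave it in `docker history`). The Dockerfile below is an added example, not code from the question or from the Docker project: it uses a BuildKit secret mount inside a multi-stage build, so the key exists only for the duration of one `RUN` step in a throwaway stage. The secret id `npm_deploy_key`, the application directory `/app` and the git host `git.example.com` are placeholders I chose, and it assumes the private middleware repos are fetched over `git+ssh`.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: resolve private git dependencies. The deploy key is exposed to a
# single RUN step through a BuildKit secret mount; it is never COPYed, never
# passed as an ARG, and therefore never lands in a layer or in build history.
FROM node:alpine AS deps
WORKDIR /app

# node:alpine ships neither git nor an ssh client; npm needs both for git+ssh deps
RUN apk add --no-cache git openssh-client

# Pin the host key instead of disabling StrictHostKeyChecking.
# ASSUMPTION: the middleware repos live on git.example.com (placeholder host).
RUN mkdir -p /root/.ssh \
 && ssh-keyscan -t ed25519 git.example.com >> /root/.ssh/known_hosts

# Only the manifest(s) are needed to install; copying the whole tree here
# would just invalidate the cache on every source change.
COPY package*.json ./

# The secret id must match the name listed under build.secrets in docker-compose.yml.
# required=true fails the build loudly if a developer forgot to provide the key.
RUN --mount=type=secret,id=npm_deploy_key,required=true \
    GIT_SSH_COMMAND="ssh -i /run/secrets/npm_deploy_key -o IdentitiesOnly=yes" \
    npm install --production

# Stage 2: runtime image. Only the resolved node_modules and the application
# source are carried over; the deps stage's filesystem and history are discarded.
FROM node:alpine
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
CMD ["npm", "start"]
```

On the compose side (Compose v2 with BuildKit), the service's `build:` block gets `secrets: [npm_deploy_key]`, and a top-level `secrets:` section maps `npm_deploy_key` to `file: ${NPM_DEPLOY_KEY_PATH}`, so each developer points an environment variable at their own key and nothing sensitive is checked in. The check worth running afterwards is `docker history` on the final image: because the key was mounted rather than copied and the `deps` stage is not part of the published image, no instruction in that history references the key at all.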