Credentials
File based Credentials
- Place the credential file in `/etc/credstore`, or symlink it there. `/etc/credstore` is one of the directories systemd's `LoadCredential=`/`ImportCredential=` search, so a credential can later be referenced by file name alone.
- Keep the directory and its files root-owned and not readable by group or others: systemd reads them as root and hands each service a private copy under `$CREDENTIALS_DIRECTORY`, so nothing else on the host needs access to the store.
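A pre-flight check for the store before a unit references its files, added here as an example (it is not part of this page's tooling). The function name and the sample credential names are illustrative assumptions; the check mirrors what systemd does when loading: it resolves symlinks and rejects files other local users could read.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a credstore
# directory before LoadCredential=/ImportCredential= point at it.
#
# credstore_check DIR NAME...
#   fails (returns 1) if a named credential is missing or a dangling symlink,
#   or if any regular file reachable from DIR is readable by group or others.
credstore_check() {
    dir=$1
    shift
    rc=0

    # systemd follows symlinks when loading; -e tests the link target, so a
    # dangling symlink counts as missing
    for name in "$@"; do
        if [ ! -e "$dir/$name" ]; then
            echo "missing credential: $dir/$name"
            rc=1
        fi
    done

    # The service gets its own private copy from systemd, so the store itself
    # should be readable by root only. -perm -040: group-readable bit set,
    # -perm -004: world-readable bit set (octal so it works with any find).
    leaky=$(find -L "$dir" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null || true)
    if [ -n "$leaky" ]; then
        printf 'group/world readable: %s\n' $leaky
        rc=1
    fi
    return $rc
}

# Usage (assumed credential names): credstore_check /etc/credstore server.crt mysecret.env
```

Run it from the same root context that installs the unit; a non-zero exit means the unit would either fail to start (missing credential) or start with a secret that is also readable by unprivileged local accounts.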
Single Container
- Files from `/etc/credstore` are made available as podman secrets under the same name.
- Define in: `<instance>.container`
- Access in the container: `/run/secrets/*`, e.g. `cat /run/secrets/server.crt`
Compose Container
Compose runs against docker in non-swarm mode. Without swarm there is no docker secret store, so `external: true` secrets do not work. Instead, the credentials are loaded into the `compose@<instance>` systemd service through a drop-in; the service exposes them to compose as files under `$CREDENTIALS_DIRECTORY`, and compose maps them as locally defined (`file:`) secrets, which docker supports without swarm.
- Definition in: `compose@<instance>.service.d/*.conf`
- Defaults: `root_bundle.crt` and `root_ca.crt` are already imported
- Define in: `compose.yml`

```yaml
secrets:
  server.crt:
    file: ${CREDENTIALS_DIRECTORY}/server.crt
services:
  backend:
    secrets:
      - source: server.crt
```

- Access
  - outside the container (in the environment of the `compose@<instance>` service): `$CREDENTIALS_DIRECTORY/*`, e.g. `cat "$CREDENTIALS_DIRECTORY/server.crt"`
  - inside the container: `/run/secrets/*`, e.g. `cat "/run/secrets/server.crt"`
Nspawn Machine
- Define in: `systemd-nspawn@<instance>.service.d/*.conf` (a `[Service]` drop-in with `LoadCredential=`)
- Defaults: `root_bundle.crt` and `root_ca.crt` are already imported
- Access: `$CREDENTIALS_DIRECTORY/*`, e.g. `cat "$CREDENTIALS_DIRECTORY/server.crt"`
Accessing Credentials as environment variable
Secrets can also be exposed to workloads as environment variables. The credential is still loaded by systemd (`LoadCredential=` in a service drop-in); systemd itself only ever presents credentials as files under `$CREDENTIALS_DIRECTORY`, so it is the container runtime or machine configuration that maps the loaded file into the workload's environment. Keep in mind that an environment variable is inherited by every child process and tends to end up in crash dumps and logs, so prefer the file-based form where the workload can read a file.
- Create the credential file in `/etc/credstore/mysecret.env` with the following format:
Single Container
- Define in: `<instance>.container`
- The secret will be available as an environment variable inside the container.
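A quadlet `.container` file covering both the file-based Single Container case above and the environment-variable case, added here as an example and not taken from this page or its tooling. It uses podman's own `Secret=` option syntax; the image, the variable name `MYSECRET` and the secret names are assumptions, and it assumes (as the page states) that the credstore files already exist as podman secrets of the same name.

```ini
# Added example (not from the page): /etc/containers/systemd/<instance>.container
[Unit]
Description=backend (quadlet)

[Container]
Image=localhost/backend:latest           ; assumed image

; File secret, default form: mounted at /run/secrets/server.crt
Secret=server.crt

; Same mechanism with explicit options (podman: type=mount|env, target=, uid=, gid=, mode=):
; a read-only path the application expects, readable by the container's root only
Secret=root_ca.crt,type=mount,target=/run/secrets/root_ca.crt,mode=0400

; Environment form: the raw file content becomes the value of $MYSECRET.
; podman does not parse KEY=VALUE lines here, the whole file is one value.
Secret=mysecret.env,type=env,target=MYSECRET

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and starting the unit, `podman exec <name> cat /run/secrets/server.crt` and `podman exec <name> printenv MYSECRET` show the two forms side by side; the env form is also visible to anyone who can run `podman inspect` or read the process environment, which is the reason to reserve it for software that cannot read a file.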
Compose Container
- Define in: `compose@<instance>.service.d/*.conf`
- The secret will be available as an environment variable inside the container.
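A `compose.yml` that serves both the file-based Compose Container section above and the environment-variable case, added here as an example rather than copied from this page. It assumes a drop-in `compose@<instance>.service.d/credentials.conf` containing a `[Service]` section with `LoadCredential=server.crt` and `LoadCredential=mysecret.env`, so that both files exist under `$CREDENTIALS_DIRECTORY` when compose starts. It further assumes that `mysecret.env` holds `KEY=VALUE` lines (the page does not show the file's format) and that the service name and image are placeholders.

```yaml
# Added example (not the page's own compose.yml). Requires the drop-in
#   [Service]
#   LoadCredential=server.crt
#   LoadCredential=mysecret.env
# in compose@<instance>.service.d/credentials.conf (assumed file name).
secrets:
  server.crt:
    # local file: secret, works without swarm; ${CREDENTIALS_DIRECTORY} is
    # interpolated from the compose@ service environment
    file: ${CREDENTIALS_DIRECTORY}/server.crt

services:
  backend:
    image: localhost/backend:latest      # assumed image
    secrets:
      - source: server.crt
        target: server.crt               # -> /run/secrets/server.crt in the container
        mode: 0400                       # readable by the container's root only
    # KEY=VALUE lines from the credential file become container environment
    # variables; the file never enters the image or the compose project directory
    env_file:
      - ${CREDENTIALS_DIRECTORY}/mysecret.env
```

Because the path is only valid inside the `compose@<instance>` service, running `docker compose config` from an interactive shell will fail on the empty variable; to inspect the rendered file, run it through `systemd-run -P --wait -p LoadCredential=server.crt -p LoadCredential=mysecret.env` or check the running container with `docker compose exec backend printenv`.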
Nspawn Machine
- Define in: `systemd-nspawn@<instance>.service.d/*.conf`
- The secret will be available as an environment variable inside the nspawn machine.