Docker Secrets Management is a tool within Docker Swarm Mode that allows for management of application secrets, including passwords, API keys, certificates, and more, from within Docker Swarm. These secrets are mounted into a container using a tmpfs mount at /run/secrets. Docker Secrets handles replication and high availability of secrets by securely replicating data across Swarm Managers. Docker Swarm leverages its built-in PKI infrastructure and the secure substrate to do much of the heavy security lifting for teams. While this often piques the interest of operations and security teams, it goes against the 12 Factor App mantra of storing configuration in environment variables.

At ETA, we rely heavily on Node.js not only because of its scalability, but also because of the agility it gives us to rapidly develop products. With experience writing numerous applications and utilities using Node.js, I’ve always found it difficult to utilize Docker Secrets in a manner that adheres to common Node.js design patterns. We set out to simplify the process of pulling in mounted secrets and exposing them to traditional Node.js tooling. As a result, the docker-secrets module was born. The module loops through the secrets mounted inside the container and generates an object with each filename as the key and the contents of that file as the value.

Installation

npm install docker-secrets --save

Usage

Run a container on the swarm with db_user and db_pass secrets mounted. Inside the container the secrets will be mounted as files as follows:

  • /run/secrets/db_user -> username
  • /run/secrets/db_pass -> password

Within the Node.js application, load the docker-secrets module and it will automatically pull in the secrets attached to the container.

'use strict';

const secrets = require('docker-secrets');

// security note: this is for demo purposes, it is not recommended to log secrets ever!
console.log(secrets);
// {
//     "db_user": "username",
//     "db_pass": "password"
// }

Contribute

In the future, we look to integrate with popular tools such as Convict and other configuration tools in the Node.js ecosystem. Check out some other great tools from the ETA team such as harbor-master and Mullet. If you have any questions, concerns, or feedback feel free to file an issue or a PR on the repository!