Docker has an authentication problem. When you build a Docker image, you don't want to bake credentials for external resources into the image itself, but you need a way to provide them easily at runtime. Some people advocate using a vault API and retrieving credentials from an external service; that may work, but there is a bit of a chicken-and-egg problem (how do you authenticate to the vault?) and not all applications support it. I'm thinking in particular of Tomcat, which requires authentication information in server.xml for realms that connect to external databases, and in each webapp's context configuration (e.g., ROOT.xml) for the same situation. How do you pass those in at runtime when they are large and complex files?
The best workable solution appears to be passing the credentials in as environment variables on the docker command line and running sed in your Docker entrypoint to search and replace within the configuration files. That works easily for the username, password, and driver name. The database URL will need some escape characters, so you may choose to leave it intact or replace it in pieces. You'll have to write a small script to do this at startup time inside the container, and remember to pass the environment variables into docker each time you run it (i.e., another script).
This seems workable and secure so long as no one else can access your running container. There are potential flaws if your containers are running in the cloud, so there's room for improvement, but if you are using Tomcat to begin with, those configuration files are sitting on the container filesystem already.
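The entrypoint substitution described above, as an added example (not the post's own script). It assumes placeholders of the form @@DB_USER@@ in server.xml / ROOT.xml and environment variables named DB_DRIVER, DB_URL, DB_USER and DB_PASS; the escaping function handles the characters that make the JDBC URL awkward for sed, and the rendered file is locked down since the secrets now sit on the container filesystem.

```shell
#!/bin/sh
# Entrypoint helper: substitute credentials passed as environment variables
# into Tomcat config files at container start. The placeholder names
# (@@DB_USER@@ etc.) and variable names are assumptions for this example.

# Escape a value for the right-hand side of a sed s### command: backslash,
# '&' (sed's "whole match") and our '#' delimiter would otherwise be mangled.
# JDBC URLs with query strings (?ssl=true&sslmode=require) hit this.
sed_escape() {
    printf '%s' "$1" | sed 's/[\\&#]/\\&/g'
}

# Replace every placeholder in FILE. Fails (non-zero) on a missing variable or
# a leftover placeholder so a broken config never ships silently.
render_config() {
    file="$1"
    [ -f "$file" ] || { echo "render_config: $file not found" >&2; return 1; }
    for name in DB_DRIVER DB_URL DB_USER DB_PASS; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "render_config: $name is not set" >&2
            return 1
        fi
        # '#' as delimiter keeps the '/' in jdbc:...// from ending the pattern.
        sed "s#@@${name}@@#$(sed_escape "$value")#g" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file" || return 1
    done
    # Secrets are now on the container filesystem: limit who can read them.
    chmod 600 "$file"
    if grep -q '@@[A-Z_]*@@' "$file"; then
        echo "render_config: unreplaced placeholder in $file" >&2
        return 1
    fi
}

# Typical entrypoint tail (not run here): render, then hand off to Tomcat
# without the secrets in its environment, so /proc/<pid>/environ inside the
# container does not expose them.
#   render_config /usr/local/tomcat/conf/server.xml
#   render_config /usr/local/tomcat/conf/Catalina/localhost/ROOT.xml
#   exec env -u DB_USER -u DB_PASS catalina.sh run
```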
Another option would be to load the Tomcat configuration entirely from an external disk using a volume. That's certainly convenient and seems to work when running on a local server with Docker, even if it is not ideal for a cloud deployment.
This entry was published Wed Oct 23 03:59:09 CDT 2019 by Matthew and last updated 2019-10-23 03:59:09.0.