The concept of NOT baking environment variables into a Docker image during build time.
I knew about using ARG for build-time variables and relying on a secret manager for runtime envs. But later I realized that even if we use a multi-stage Dockerfile and copy the entire build stage where ARG is used, the image can still end up with baked-in credentials.
This is harmful from a security perspective and started worrying me.
Then I learned about using --mount in the Dockerfile, which temporarily creates a secret file inside the container and allows passing secrets as an env file during build time, using the same id defined in the Dockerfile.
It works.
This feature is available with Docker BuildKit. Try it if you were unaware, like me.
Adan Younas
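The build-secret approach described in the post, as an added example that is not part of the original post: the weak `ARG` pattern is shown commented out beside the `--mount=type=secret` form. The base image, the paths, the secret id `build_env`, the `NPM_TOKEN` variable and the npm scripts are assumptions chosen for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added example; image names, paths, the id "build_env" and NPM_TOKEN are assumptions.
#
# Build with BuildKit, passing the env file under the same id used below:
#   DOCKER_BUILDKIT=1 docker build --secret id=build_env,src=.env -t myapp .
# Keep .env in .dockerignore so "COPY . ." can never pick it up.

FROM node:20-alpine AS build
WORKDIR /app
# .npmrc holds only the literal placeholder ${NPM_TOKEN}, never the token itself.
COPY package.json package-lock.json .npmrc ./

# Weak pattern (for contrast, left commented out):
#   ARG NPM_TOKEN
#   RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc && npm ci
# The ARG value is recorded in this stage's build history, and the generated
# .npmrc is written into a layer, so copying the whole stage carries it forward.

# Secret mount: the env file exists at /run/secrets/build_env only while this
# RUN executes. It is not written to any layer or to the image metadata.
# "set -a" exports every variable the file defines, for this one command only.
RUN --mount=type=secret,id=build_env,required=true \
    set -a && . /run/secrets/build_env && set +a && \
    npm ci

COPY . .
RUN npm run build

FROM node:20-alpine AS runtime
WORKDIR /app
# Copy only the artifacts the runtime needs, not the entire build stage.
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
COPY package.json ./
USER node
CMD ["node", "dist/index.js"]
```

To check the result, `docker history --no-trunc myapp` should show the `RUN --mount=type=secret` instruction without any secret value, and `/run/secrets/build_env` should not exist in a container started from the image.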