I got this to work! So regarding secrets, do we want to avoid secrets being in the Docker image?
Right now in my Dockerfile I’ve got this:
```dockerfile
# This is a default line
RUN gem install -N bundler -v ${BUNDLER_VERSION}

# I added this line, which will write a file to ~/.bundle/config
RUN --mount=type=secret,id=BUNDLE_ENTERPRISE__CONTRIBSYS__COM \
    bundle config enterprise.contribsys.com $(cat /run/secrets/BUNDLE_ENTERPRISE__CONTRIBSYS__COM)

# This is a default line
COPY Gemfile* ./

# This is a default line, bundle config gets used here
RUN bundle install && rm -rf vendor/bundle/ruby/*/cache

# I added this line, as my Rails initializers use Rails Credentials,
# and precompiling boots the app and runs the initializers.
RUN --mount=type=secret,id=RAILS_MASTER_KEY \
    cat /run/secrets/RAILS_MASTER_KEY > config/credentials/${RAILS_ENV}.key

# This is a default line
RUN bundle exec rails assets:precompile
```
Is it bad to keep the `~/.bundle/config` file (which includes my Sidekiq enterprise key), and `config/credentials/production.key` in the image, copied from the secrets? Or should I be setting them as environment variables instead?
Bundler does support setting a `BUNDLE_ENTERPRISE__CONTRIBSYS__COM` environment variable, and Rails supports the `RAILS_MASTER_KEY` environment variable.
The Build Secrets · Fly Docs page says:
```dockerfile
RUN --mount=type=secret,id=MY_SUPER_SECRET \
    MY_SUPER_SECRET="$(cat /run/secrets/MY_SUPER_SECRET)" some_command \
    && more_commands_maybe
```
If I then do another line of `RUN echo $MY_SUPER_SECRET`, would I see that, or do I need to mount the secret in every command that needs it?
I’m trying to keep the setup simple. I plan to use GitHub Actions to deploy, and store my secrets in GitHub Actions, and make GitHub Actions run:
```sh
fly deploy --remote-only -c fly.toml \
  --build-secret BUNDLE_ENTERPRISE__CONTRIBSYS__COM="qwerty123" \
  --build-secret RAILS_MASTER_KEY="abcdef"
```
If I do this, I don’t need to do this too:
```sh
fly secrets set RAILS_MASTER_KEY="abcdef"
fly secrets set BUNDLE_ENTERPRISE__CONTRIBSYS__COM="qwerty123"
```
Though maybe I should?
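
Added example, not part of the original post: a variant of the Dockerfile lines above that hands each build secret to the one `RUN` step that needs it as an environment variable, so neither `~/.bundle/config` nor `config/credentials/production.key` is written into an image layer. It is a fragment that assumes the rest of the Dockerfile (base image, `BUNDLER_VERSION`, `RAILS_ENV`, copying the app) is unchanged, and it relies on the two environment variables the post says Bundler and Rails support; the last `RUN` is there only to show that a secret does not carry over to later steps.

```dockerfile
# Added example (fragment). Everything not shown is assumed to be the
# unchanged default Dockerfile from the post.

RUN gem install -N bundler -v ${BUNDLER_VERSION}

COPY Gemfile* ./

# The secret file exists at /run/secrets/<id> only while this RUN executes.
# Prefixing the command with VAR="$(cat ...)" sets the variable for that one
# process, so Bundler authenticates without `bundle config` persisting the
# credential to ~/.bundle/config in a layer.
RUN --mount=type=secret,id=BUNDLE_ENTERPRISE__CONTRIBSYS__COM \
    BUNDLE_ENTERPRISE__CONTRIBSYS__COM="$(cat /run/secrets/BUNDLE_ENTERPRISE__CONTRIBSYS__COM)" \
    bundle install && rm -rf vendor/bundle/ruby/*/cache

# Same pattern for the precompile step: Rails reads RAILS_MASTER_KEY from the
# environment, so no config/credentials/*.key file has to be created.
RUN --mount=type=secret,id=RAILS_MASTER_KEY \
    RAILS_MASTER_KEY="$(cat /run/secrets/RAILS_MASTER_KEY)" \
    bundle exec rails assets:precompile

# No mount and no ENV/ARG here, so the shell expands the variable to an empty
# string: each RUN that needs a secret has to mount it itself.
RUN echo "RAILS_MASTER_KEY at this step: '${RAILS_MASTER_KEY}'"
```

Because the variables exist only inside the build steps that mount them, the resulting image carries no copy of either key; anything the application needs while running has to be supplied separately at runtime.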