1 00:00:04,550 --> 00:00:09,160 What about secrets for local development using the Docker Compose command line. We've been talking about 2 00:00:09,160 --> 00:00:10,200 Swarm up until now. 3 00:00:10,210 --> 00:00:15,010 But I'm back on my machine, and I've got Docker Compose installed which I did not have in my swarm, 4 00:00:15,010 --> 00:00:15,350 right? 5 00:00:15,370 --> 00:00:17,410 Because again, Compose is not a production tool. 6 00:00:17,410 --> 00:00:19,310 It's designed for development. 7 00:00:19,310 --> 00:00:22,050 I'm in the same secret sample directory we had before. 8 00:00:22,060 --> 00:00:27,280 You can see that I have the two password files, and the Docker Compose file that we had in the swarm. Just 9 00:00:27,280 --> 00:00:28,840 to prove that I'm not in a swarm, 10 00:00:28,840 --> 00:00:30,440 I can do a docker node 11 00:00:30,480 --> 00:00:33,300 ls, and it will actually tell me this is not a swarm manager. 12 00:00:33,300 --> 00:00:38,670 I'm not in a swarm, so I don't have access to the Swarm database or the ability to put secrets in it. 13 00:00:38,680 --> 00:00:40,550 So, how do we deal with this in local development? 14 00:00:40,630 --> 00:00:43,420 Ideally, we can still use the same Compose file. 15 00:00:43,420 --> 00:00:48,020 We can still use the same objects like the environment variables for postgres. 16 00:00:48,140 --> 00:00:52,800 Docker had to come up with a way to make this work in test and dev. 17 00:00:53,140 --> 00:00:55,840 If we do a docker compose up -d, 18 00:00:59,840 --> 00:01:11,030 and then we did a docker compose exec psql. Then did a cat on run secrets 19 00:01:11,330 --> 00:01:16,320 psql user, how did our secret get in there, right? 20 00:01:16,320 --> 00:01:17,960 Because we don't have the database. 21 00:01:18,000 --> 00:01:20,760 Well, it turns out there's a little bit of magic here. 22 00:01:20,790 --> 00:01:25,950 Well it's not magic. It's just hiding behind the scenes, that what's actually happening with Compose is 23 00:01:25,950 --> 00:01:28,810 not secure, but it does work. 24 00:01:28,830 --> 00:01:35,640 It basically bind mounts at runtime that actual file on my hard drive into the container. 25 00:01:35,640 --> 00:01:40,820 It's really just doing a -v with that particular file in the background. 26 00:01:40,830 --> 00:01:43,780 Again, this is totally not secure and it's not supposed to be. 27 00:01:43,800 --> 00:01:49,410 It's just a way to get around this problem and allow us to develop with the same process and the same 28 00:01:49,410 --> 00:01:54,750 environment variable secret information that we would have in production, only now we can do it locally 29 00:01:54,750 --> 00:02:00,720 too. Which is great because now that means we can develop using the same launch scripts and the same 30 00:02:00,720 --> 00:02:04,850 way we get environment variables into our container just like we would in Swarm. 31 00:02:04,980 --> 00:02:06,090 And that's what we really want. 32 00:02:06,090 --> 00:02:10,490 We want to match our production environment as much as we possibly can locally. 33 00:02:10,590 --> 00:02:12,650 You need the latest version of Docker Compose to do this. 34 00:02:12,650 --> 00:02:16,210 I believe it only works in Docker Compose 11. 35 00:02:16,430 --> 00:02:20,630 I hope you think that's pretty cool because I thought that was a good compromise for them to make 36 00:02:20,630 --> 00:02:23,570 in order to let us use the Secret commands. 37 00:02:23,600 --> 00:02:27,290 Now I will point out this only works with file-based secrets. 38 00:02:27,290 --> 00:02:30,640 It will not work with the external that we talked about. 39 00:02:30,650 --> 00:02:37,060 If we look at the Compose file real quick, I would have to use file-based ones for my local development. 40 00:02:37,220 --> 00:02:42,530 Maybe if you're using external in your production, you just might have to have a different Compose 41 00:02:42,530 --> 00:02:49,610 file for development that would have the file attribute here and specify sample, dummy files in the 42 00:02:49,610 --> 00:02:54,450 same directory or somewhere else you might store them, that are just using simple password for development.