I am new to quarkus and Docker and so this may be a simple question, but unfortunately the documentation did not help me here.
My quarkus microservice, which is compiled to a native executable and then to a docker image, needs to use secrets.
I followed this documentation: https://quarkus.io/guides/config-secrets
Especially the KeyStore part. Now the piece of information that is missing there is where the keystore file is supposed to be. I guessed that they assume it is in the root directory of the quarkus project, given that the configuration:
smallrye.config.source.keystore."properties".path=properties
only gives "properties" as a path for that.
And it does indeed work if you put your keystore file (called properties) into the root of your project.
But it seems to me that this keystore file is built into the docker image when you follow the instructions to build the native executable
quarkus build --native --no-tests -Dquarkus.native.container-build=true -Dquarkus.container-image.build=true
and the docker image afterwards.
docker build -f src/main/docker/Dockerfile.native-micro -t quarkus/keystore-test .
Now I do not want to store my secrets "hardcoded" in my docker image.
So how can I tell quarkus that the keystore file will be provided to the container at a specific location at runtime? I already tried to set
smallrye.config.source.keystore."properties".path=/some/local/path
to some path outside of the quarkus project. It does work and it compiles, but again it seems like the keystore file is within the image, because after removing the keystore file from that location and restarting the container, the application still knows the values from the keystore file.
So how do we provide an external keystore file, which the container picks up on startup?
Ok, after more reading up about docker and fiddling around, I found something that works.
In my application.properties file, I specify some made up path which does not exist on the host:
smallrye.config.source.keystore."properties".path=/my/made/up/path/properties.jks
Then I build the native executable and the docker image as usual. If I start it up now as suggested by the documentation within the resulting Dockerfile (src/main/docker/Dockerfile.native-micro)
docker run -i --rm -p 8080:8080 quarkus/keystore-test
I get an error, as I would expect:
Failed to load config value of type class java.lang.String for: my.secret
Now when I pass a volume mount when starting the docker container like this
docker run -v /actual/path/on/your/host/properties.jks:/my/made/up/path/properties.jks -i --rm -p 8080:8080 quarkus/keystore-test
The container picks it up and quarkus has access to it. If I remove "/actual/path/on/your/host/properties.jks" and restart the container, it fails as expected.
But I think this stuff can be part of the Dockerfile and so there is probably some convenient way to do this "the quarkus way". Maybe not.
This at least works. More answers are still appreciated though.
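The same runtime-mount procedure as a small script, added here as an example that is not part of the original post or of Quarkus itself: it refuses to start if the host keystore is missing, bind-mounts it read-only at the made-up path from application.properties, and probes whether the image itself ships a keystore at that path. The KEYSTORE_HOST_PATH variable, the helper names and the docker cp probe are my assumptions; image tag and paths are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Paths and image tag follow the
# post; KEYSTORE_HOST_PATH and the helper names are assumptions.
set -eu

IMAGE="quarkus/keystore-test"
# Must match smallrye.config.source.keystore."properties".path in application.properties
CONTAINER_PATH="/my/made/up/path/properties.jks"

# Fail fast if the host-side keystore is missing: with "docker run -v" a
# missing host path is silently created as an empty directory, which hides
# the real problem behind a confusing startup error.
check_keystore() {
  if [ ! -f "$1" ]; then
    echo "keystore not found or not a regular file: $1" >&2
    return 1
  fi
  return 0
}

# Returns 0 only if the image does NOT contain a file at CONTAINER_PATH.
# "docker cp" from a created (never started) container needs no shell inside
# the image, so the probe works even if the base image has none.
image_has_no_keystore() {
  cid=$(docker create "$IMAGE")
  if docker cp "$cid:$CONTAINER_PATH" - >/dev/null 2>&1; then
    docker rm "$cid" >/dev/null
    echo "image $IMAGE ships a keystore at $CONTAINER_PATH" >&2
    return 1
  fi
  docker rm "$cid" >/dev/null
  return 0
}

# Start the service with the keystore bind-mounted read-only (":ro"), so the
# secret lives only on the host and cannot be altered from inside the container.
run_with_keystore() {
  check_keystore "$1"
  docker run -i --rm -p 8080:8080 \
    -v "$1:$CONTAINER_PATH:ro" "$IMAGE"
}

# Usage: KEYSTORE_HOST_PATH=/actual/path/on/your/host/properties.jks sh run.sh
if [ -n "${KEYSTORE_HOST_PATH:-}" ]; then
  image_has_no_keystore
  run_with_keystore "$KEYSTORE_HOST_PATH"
fi
```

Running the probe against an image built with the keystore still inside the project directory is a quick way to confirm whether the build baked it in.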