
[User Story] Docker Secrets Integration #168

@noahwhite


Story Summary

As a DevOps Engineer, I want to mount RAM-backed secrets into the Ghost and MySQL containers using Docker's secrets feature, so that credentials are not visible in docker inspect or environment logs.

Phase: 2 - Secure Application Bootstrapping


✅ Acceptance Criteria

  • docker-compose.yml updated to use secrets from /run/ghost/secrets/
  • Ghost container uses *_FILE environment variable suffix pattern
  • MySQL container uses *_FILE environment variable suffix pattern
  • Containers successfully establish database connection using injected secrets
  • Secrets NOT visible in docker inspect output
  • Secrets NOT visible in container environment (docker exec env)
  • .env.secrets file eliminated from block storage

📝 Additional Context

Docker Secrets Pattern

Compose mounts file-backed secrets into the container under /run/secrets/, and images that follow the _FILE suffix convention read the credential from that path instead of from the variable itself:

# docker-compose.yml
services:
  ghost:
    image: ghost:5
    environment:
      database__connection__password_FILE: /run/secrets/mysql_password
      mail__options__auth__pass_FILE: /run/secrets/ghost_mail_password
    secrets:
      - mysql_password
      - ghost_mail_password

  mysql:
    image: mysql:8
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/mysql_root_password
      MYSQL_PASSWORD_FILE: /run/secrets/mysql_password
    secrets:
      - mysql_root_password
      - mysql_password

secrets:
  mysql_root_password:
    file: /run/ghost/secrets/mysql_root_password
  mysql_password:
    file: /run/ghost/secrets/mysql_password
  ghost_mail_password:
    file: /run/ghost/secrets/ghost_mail_password

Security Comparison

| Method | docker inspect | docker exec env | Disk storage |
| --- | --- | --- | --- |
| Environment vars | ⚠️ Visible | ⚠️ Visible | ⚠️ In compose file |
| Docker secrets (file) | ✅ Hidden | ✅ Hidden | ✅ tmpfs only |

Secrets to Migrate

| Current location | Secret | New location |
| --- | --- | --- |
| .env.secrets | DATABASE_PASSWORD | /run/ghost/secrets/mysql_password |
| .env.secrets | DATABASE_ROOT_PASSWORD | /run/ghost/secrets/mysql_root_password |
| .env.secrets | mail__options__auth__pass | /run/ghost/secrets/ghost_mail_password |
| .env.secrets | HEALTH_CHECK_TOKEN | /run/ghost/secrets/health_check_token |

Ghost _FILE Support

Ghost supports the _FILE suffix for database and mail credentials. Verify support for:

  • database__connection__password_FILE
  • mail__options__auth__pass_FILE

If Ghost doesn't support _FILE natively, use an entrypoint wrapper script.
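An entrypoint wrapper of the kind mentioned above, written here as an added example (not code from this project or from the Ghost image): it resolves every exported *_FILE variable into its plain counterpart, failing closed on a missing, empty or ambiguous secret, and then hands off to the image's own command. The function name resolve_file_secrets and the sample variable names in the comments are assumptions.

```shell
#!/bin/sh
# Constructed example: resolve VAR_FILE=/path into VAR=<file contents>.
# With no arguments the function discovers *_FILE variables from the
# environment; with arguments it resolves only the names given.
set -eu

# Returns 0 when every *_FILE variable was resolved, 1 on the first error.
resolve_file_secrets() {
    if [ "$#" -gt 0 ]; then
        names="$*"
    else
        names=$(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*_FILE\)=.*/\1/p')
    fi
    for name in $names; do
        # e.g. database__connection__password_FILE -> database__connection__password
        target=${name%_FILE}
        eval "path=\${$name:-}"
        eval "existing=\${$target:-}"
        if [ -z "$path" ]; then
            echo "error: $name is not set" >&2
            return 1
        fi
        # Refuse ambiguous configuration: both VAR and VAR_FILE are set.
        if [ -n "$existing" ]; then
            echo "error: both $target and $name are set" >&2
            return 1
        fi
        # Fail closed rather than start the service with an empty credential.
        if [ ! -r "$path" ]; then
            echo "error: $name points to an unreadable file: $path" >&2
            return 1
        fi
        value=$(cat "$path")   # command substitution strips the trailing newline
        if [ -z "$value" ]; then
            echo "error: secret file $path is empty" >&2
            return 1
        fi
        export "$target=$value"
        unset "$name"
    done
    return 0
}

# As a container entrypoint: resolve secrets, then exec the image's command.
if [ "$#" -gt 0 ]; then
    resolve_file_secrets
    exec "$@"
fi
```

The resolved value then lives in the environment of the child process, so this fallback gives up the docker exec env property that native _FILE support keeps; it is only for the case where the image lacks that support.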

Dependencies

  • GHO-68: Secrets must be in /run/ghost/secrets/ first

📦 Definition of Ready

  • Acceptance criteria defined
  • Blocked by GHO-68 (RAM-backed secrets delivery)
  • Story is estimated
  • Team has necessary skills and access
  • Priority is clear
  • Business value understood

✅ Definition of Done

  • All acceptance criteria met
  • Ghost connects to MySQL successfully
  • Ghost sends mail successfully (if configured)
  • docker inspect shows no credentials
  • .env.secrets file removed from /var/mnt/storage/ghost-compose/
  • Documentation updated
