Allow providing secrets by either file or environment without changing compose file #13145

@JojOatXGME

Description

I am creating a docker-compose.yml file which I would like to deploy to two different environments.

In one environment, I would like to provide secrets indirectly via a file. However, the second environment doesn't support the use of files to provide secrets or variables.

I therefore tried the following configuration:

secrets:
  my_secret:
    file: "${MY_SECRET_TOKEN_FILE}"
    environment: MY_SECRET_TOKEN

This results in the following error:

secrets.gitlab_runner_auth_token: file|environment attributes are mutually exclusive

I would have two alternative feature suggestions to cover this scenario:

Suggestion 1

Allow specifying both attributes (file and environment). Docker compose could then try both sources in sequence. If there is no file at the location specified by the file attribute, try the environment variable specified by environment.

Note that with the current implementation, "${MY_SECRET_TOKEN_FILE}" would be resolved as an empty string. An empty string is currently interpreted as a path to the directory containing the docker-compose.yml.

Suggestion 2

When environment: MY_SECRET_TOKEN is specified and the environment variable is not defined, docker compose could implicitly check if there is an environment variable named MY_SECRET_TOKEN_FILE.
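
The lookup order from Suggestion 1, with the empty-path case from the note above treated as "not configured", written as a shell helper to run before `docker compose up`. This is an added example, not part of the original issue and not Docker Compose behaviour; `resolve_secret` is a hypothetical helper name, and the `NAME_FILE` suffix follows the naming used in the issue.

```shell
#!/bin/sh
# Added example: resolve a secret from NAME_FILE (path to a file) or NAME (value).
# resolve_secret is a hypothetical helper, not a Docker Compose feature.

resolve_secret() {
    name=$1
    # The name is interpolated into eval below, so accept only plain
    # shell variable names and reject everything else.
    case $name in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "invalid secret name" >&2
            return 2
            ;;
    esac
    eval "path=\${${name}_FILE-}"
    eval "value=\${${name}-}"

    # Source 1: the file. An empty path counts as "not configured", and a
    # directory or a missing/unreadable file is skipped instead of being read.
    if [ -n "$path" ] && [ -f "$path" ] && [ -r "$path" ]; then
        cat "$path"
        return 0
    fi

    # Source 2: the environment variable itself.
    if [ -n "$value" ]; then
        printf '%s' "$value"
        return 0
    fi

    # Fail closed: never hand an empty secret to the service.
    echo "secret $name: neither ${name}_FILE nor $name is usable" >&2
    return 1
}
```

With `MY_SECRET_TOKEN=$(resolve_secret MY_SECRET_TOKEN) && export MY_SECRET_TOKEN` run first, the compose file needs only `environment: MY_SECRET_TOKEN` in both environments.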
