amerkurev / django-docker-template

Dockerized Django with Postgres, Gunicorn, and Traefik or Caddy (with auto renew Let's Encrypt)
https://django-docker.dev
MIT License
169 stars 33 forks

Env file for prod #2

Closed shariq1989 closed 1 year ago

shariq1989 commented 1 year ago

Hi! I appreciate you putting this together and publishing it. I am going to prod with a new site using this. I typically use env files in local and prod that are not checked in to git. I prevent this by adding all .en* files to gitignore. How are you handling secrets? I wish your project was a little more opinionated on this. If I overwrite the settings in .env, I would have to handle them not getting updated when I pull changes into prod. If I create a new .env-prod file that is not checked in to git, I would have to update references to the existing .env file with something like "if SETTINGS.DEBUG use .env else use .env-prod". Am I missing something?

amerkurev commented 1 year ago

Hi @shariq1989! Thanks for asking! Let me tell you how I handle secrets. It really depends on the situation.

For small or pet projects, I usually just store secrets in an .env file. Docker lets you split settings between different env files, like .env.ci, .env.dev, .env.prod, etc. Just make sure to exclude env files with sensitive data (secrets) from Git tracking (.gitignore).

For more flexibility, I might deploy Vault from HashiCorp within the infrastructure. This way, secrets are accessed through an API instead of environment variables. Here's an example: https://github.com/hashicorp/vault-examples/blob/main/examples/_quick-start/python/example.py. You'll need to modify your settings.py, but that's no big deal. django-docker-template is just a starting point, you can customize it however you like.

For larger projects (with multiple Docker hosts), I use Docker Swarm. Secret support is built-in: https://docs.docker.com/engine/swarm/secrets/.

There are different ways to work with secrets, but the most important thing is to keep them secure. Everything else is just a matter of convenience.

shariq1989 commented 1 year ago

So if I add a .env.prod file, will I just run docker compose --env-file .env.prod config to feed it the file?

amerkurev commented 1 year ago

You can add env files directly in docker-compose.tls.yml as described in the docker docs (env_file option). Then you won't have to change the run command.
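What the env_file approach from this thread looks like in practice, as an added illustration rather than a file from the django-docker-template repository; the service name `web`, the image name and the file names `.env` / `.env.prod` are assumptions:

```yaml
# docker-compose.tls.yml (fragment) -- illustrative, not the project's own file.
# Compose reads env_file entries in order; a variable set in a later file
# overrides the same variable from an earlier one, so the committed .env holds
# defaults and the git-ignored .env.prod holds the real secrets.
services:
  web:
    image: example/django-app:latest   # assumed image name
    env_file:
      - .env        # tracked in git: non-sensitive defaults (DEBUG=0, ALLOWED_HOSTS, ...)
      - .env.prod   # NOT tracked in git: SECRET_KEY, DATABASE_URL, API tokens
    # Nothing in the run command changes: `docker compose -f docker-compose.tls.yml up -d`
    # picks up both files automatically.

# .gitignore (fragment) -- keep every env file except the committed defaults
# out of version control, matching the ".en*" pattern mentioned above:
#   .env*
#   !.env

# .env.prod (constructed example values; never commit this file)
#   SECRET_KEY=replace-with-a-long-random-value
#   DATABASE_URL=postgres://app:replace-me@postgres:5432/app
```

Because `.env.prod` is not a config file Compose refuses to start without, double-check with `docker compose -f docker-compose.tls.yml config` that the expected variables actually reach the `web` service before the first production deploy.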