Securely add environment variables to Dockerfile

Environment variables in Flightcontrol

Flightcontrol handles all secrets as environment variables. By default, all secrets and environment variables are injected into the application during both build and runtime. If you want more control over which secrets are injected into your custom Dockerfile, set the configuration parameter injectEnvVariablesInDockerfile to false.

This parameter applies only to the Custom Dockerfile build type.

Once this parameter is set to false, you have full control over which environment variables are used in the build. All environment variables are made available as Docker build secrets. This means none of them end up in the resulting image, and it allows you to run a specific build step with a specific secret, for example a database migration using the database connection string, without leaking that sensitive value into the resulting image.

Accessing an environment variable as a Docker build secret

To access an environment variable as a Docker build secret, adjust your Dockerfile as in the following example. It assumes a Node application using Prisma that requires DATABASE_URL as its connection string.

# The secret is mounted only for this RUN step and read from a tmpfs file,
# so the value never lands in an image layer or in `docker history`.
RUN --mount=type=secret,id=DATABASE_URL \
    DATABASE_URL="$(cat /run/secrets/DATABASE_URL)" \
    pnpm prisma migrate deploy

By default, Flightcontrol makes each environment variable available as a build secret whose id is the environment variable's name, with the value readable at /run/secrets/<environment variable name>.
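A complete Dockerfile around the migration step above, added here as an illustration rather than taken from the Flightcontrol docs: it contrasts the leaky build-ARG pattern with the secret mount, and assumes a pnpm project whose Prisma migrations run with `prisma migrate deploy` and whose build output is `dist/server.js`.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not Flightcontrol's own code). Assumes a pnpm + Prisma app.
FROM node:20-alpine AS build
WORKDIR /app
RUN corepack enable
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile
COPY . .

# LEAKY pattern, shown only for contrast: a build ARG is recorded in the
# image metadata, so `docker history --no-trunc` reveals the connection string.
# ARG DATABASE_URL
# RUN DATABASE_URL=$DATABASE_URL pnpm prisma migrate deploy

# SAFE pattern: the secret is mounted for this single step as a tmpfs file at
# /run/secrets/DATABASE_URL and is gone before the layer is committed.
# required=true makes the build fail early if the secret was not supplied.
# Flightcontrol provides it under the id DATABASE_URL when
# injectEnvVariablesInDockerfile is false; for a local build use:
#   docker build --secret id=DATABASE_URL,env=DATABASE_URL -t app .
RUN --mount=type=secret,id=DATABASE_URL,required=true \
    DATABASE_URL="$(cat /run/secrets/DATABASE_URL)" \
    pnpm prisma migrate deploy

RUN pnpm build

# Runtime stage: carries only the built app; DATABASE_URL is supplied at
# runtime by Flightcontrol, not baked into the image.
FROM node:20-alpine
WORKDIR /app
COPY --from=build /app ./
CMD ["node", "dist/server.js"]
```

To confirm nothing leaked, run `docker history --no-trunc app` and search the output for the connection string's value (for example its `postgres://` prefix); with the secret mount it should not appear, whereas the commented-out ARG variant would expose it there.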