You can't... It does not support secrets without Swarm.
Unless ''maybe'' you ''Swarm'' using only one node.
The other solution would be, I think, to use a third-party vault software like this one:
https://www.vaultproject.io/
But then, to use the secrets in your containers from Vault, you would need to read the doc.
Hope this brings you to the right path to start.
Basic template for Docker Swarm with Traefik 2.4, domain-based routing, regular SSL and scalable web-app, all on bare metal servers.
Traefik will be run on all master nodes, directly listening on the host's ports 0.0.0.0:80 and 0.0.0.0:443. http is upgraded to https, web-apps are started on worker nodes and will be automatically registered with their domain. Traefik will then load balance all incoming requests and forward them to the matching worker containers.
Note that this is NOT a failover solution. You need to have a load balancer in front of this setup or a floating IP which you can switch over if a server fails.
Requirements: set up a Docker Swarm; this is out of scope here. Every Docker Swarm master node Traefik is running on needs a local folder with the config.yml and SSL certificate. Alternatively you can use a Docker volume, which can be a remote NFS mount.
traefik.yml
version: '3.8'
services:
  traefik:
    image: traefik:v2.4
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    command:
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      - --providers.file.filename=/data/traefik/config.yml
      - --providers.file.watch=true
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --accesslog
      - --log.level=info
    environment:
      - TZ=Europe/Berlin
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/traefik:/data/traefik
    networks:
      - proxy
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
networks:
  proxy:
    external: true
config.yml (volume from the local folder); the SSL certificate settings NEED to be in a separate file
tls:
  certificates:
    - certFile: /data/traefik/certs/wildcard.crt
      keyFile: /data/traefik/certs/wildcard.key
    - certFile: /data/traefik/certs/another-certificate.crt
      keyFile: /data/traefik/certs/another-certificate.key
  stores:
    default:
      defaultCertificate:
        certFile: /data/traefik/certs/wildcard.crt
        keyFile: /data/traefik/certs/wildcard.key
Command line, start your engines :-)
# create network (just once)
docker network create --driver=overlay proxy
# start traefik via traefik.yml
docker stack deploy --compose-file traefik.yml traefik
# start a web-app with its domain name; the router and service names in the
# labels (here "web-app") must be unique per app so several apps can share Traefik
docker service create \
  --replicas 15 \
  --name web-app \
  --constraint node.role!=manager \
  --network proxy \
  --label traefik.enable=true \
  --label 'traefik.http.routers.web-app.rule=Host(`app.doma.in`)' \
  --label traefik.http.routers.web-app.entrypoints=websecure \
  --label traefik.http.routers.web-app.tls=true \
  --label traefik.http.services.web-app.loadbalancer.server.port=80 \
  nginxdemos/hello
You can reduce the log.level (or remove it completely), also the accesslog can be removed. Alternatively it is possible to log those two types into two different files. Traefik dashboard is still missing in this config.
For better security you can use docker-socket-proxy which @webjocky describes in his pastebin in this discussion.
Best Answer
As stated here https://github.com/docker-library/docs/blob/master/postgres/README.md you may use swarm secrets in the postgres service if you add the _FILE suffix, like:
If you are asking about a generic solution for any service, it's not possible without creating a container or service which exposes passwords in clear text (say, Nginx, which reads passwords from files that are secrets).
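The _FILE mechanism the Best Answer refers to, shown from both sides as an added example that is not part of the thread: the swarm side that mounts the secret, and the container side that turns POSTGRES_PASSWORD_FILE into POSTGRES_PASSWORD. The names pg_password and db, and the file_env re-implementation, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the *_FILE convention from both sides.

# Swarm side (assumed names: secret "pg_password", service "db"). The value is
# piped in once and lands in a tmpfs at /run/secrets/pg_password inside the
# task; the environment only carries the path, so `docker service inspect`
# and `docker exec ... env` never show the password itself.
deploy_postgres_with_secret() {
  printf '%s' "$1" | docker secret create pg_password -
  docker service create --name db \
    --secret pg_password \
    -e POSTGRES_PASSWORD_FILE=/run/secrets/pg_password \
    postgres:13
}

# Container side: a re-implementation of the docker-library entrypoint's
# file_env helper (assumed to match it: VAR and VAR_FILE are mutually
# exclusive, VAR_FILE is read from disk, an optional default applies when
# neither is set).
file_env() {
  fe_var="$1"
  fe_def="${2:-}"
  fe_fileVar="${fe_var}_FILE"
  fe_val="$(eval "printf '%s' \"\${$fe_var:-}\"")"
  fe_fileVal="$(eval "printf '%s' \"\${$fe_fileVar:-}\"")"
  if [ -n "$fe_val" ] && [ -n "$fe_fileVal" ]; then
    echo "error: both $fe_var and $fe_fileVar are set (but are exclusive)" >&2
    return 1
  fi
  if [ -n "$fe_fileVal" ]; then
    fe_val="$(cat "$fe_fileVal")"   # secret content, read from the tmpfs mount
  elif [ -z "$fe_val" ]; then
    fe_val="$fe_def"
  fi
  export "$fe_var=$fe_val"
  unset "$fe_fileVar"               # drop the path; the image only needs the value
}
```

The same pattern works for any image whose entrypoint implements file_env (most docker-library images do); an image without it needs a wrapper that reads /run/secrets itself.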