secrets_example.ctst
// Secret injection patterns.
//
// Secrets are referenced with ${secret.name} and resolved at deploy time.
// Resolution order:
// 1. Host environment variable: CONTAINUST_SECRET_<NAME> (uppercased)
// 2. Secret file: /run/containust/secrets/<name> (mode 0400)
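// 3. If neither exists, deployment fails with an actionable error.
// Example: ${secret.db_password} is looked up first as the host variable
// CONTAINUST_SECRET_DB_PASSWORD, then as /run/containust/secrets/db_password.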
//
// Secrets are NEVER written to state.json or logged.
// API service on port 8080, started from a local image with a 256MiB memory
// setting, readonly = true, and restart = "on-failure".
// JWT_SECRET and STRIPE_API_KEY are filled from ${secret.*} references, so the
// resolved values reach the process as environment variables. Environment
// variables are inherited by child processes and can be read back through
// /proc/<pid>/environ by sufficiently privileged processes; the application
// should not print its environment in debug output or crash reports.
// NOTE(review): DATABASE_URL carries no credentials and this component does not
// reference ${secret.db_password}; confirm how the api authenticates to db. If
// a password is added here, keep it a ${secret.*} reference, not a literal.
// NOTE(review): readonly = true presumably makes the container filesystem
// read-only; confirm against the runtime documentation.
COMPONENT api {
image = "file:///opt/images/myapp-api"
port = 8080
memory = "256MiB"
readonly = true
env = {
DATABASE_URL = "postgres://${db.host}:${db.port}/app"
JWT_SECRET = "${secret.jwt_signing_key}"
STRIPE_API_KEY = "${secret.stripe_key}"
}
restart = "on-failure"
}
// PostgreSQL component on port 5432 with a 512MiB memory setting.
// The host path /data/secrets-demo is mapped to /var/lib/postgresql/data, so
// the database files live on the host; restrict that directory's ownership and
// permissions, since it holds the data at rest.
// readonly = false is the only writable component in this file (presumably
// because the database must write to its filesystem; confirm).
// POSTGRES_PASSWORD is filled from ${secret.db_password}.
// NOTE(review): if this image follows the official postgres entrypoint
// conventions, POSTGRES_PASSWORD is applied only when the data directory is
// first initialised, so changing the secret later does not by itself change
// the database password. Confirm for this image.
// Port 5432 is not listed in the EXPOSE statement at the end of the file.
COMPONENT db {
image = "file:///opt/images/postgres-16"
port = 5432
memory = "512MiB"
volume = "/data/secrets-demo:/var/lib/postgresql/data"
readonly = false
env = {
POSTGRES_PASSWORD = "${secret.db_password}"
}
}
// TLS termination proxy with certificate and key from secrets.
// Listens on port 443 with a 64MiB memory setting, readonly = true, and
// restart = "always".
// TLS_CERT_PEM and TLS_KEY_PEM are both filled from ${secret.*} references, so
// the private key reaches the proxy as an environment variable. It is then
// visible to anything that can read the proxy's environment (child processes,
// /proc/<pid>/environ, environment dumps in diagnostics). Treat access to this
// container's process table and debug output as access to the key.
// NOTE(review): this file shows only environment-variable injection; if the
// runtime also offers a way to hand a secret to the container as a file,
// consider it for the private key. Confirm what the runtime supports.
COMPONENT tls_proxy {
image = "file:///opt/images/nginx-1.25"
port = 443
memory = "64MiB"
readonly = true
restart = "always"
env = {
TLS_CERT_PEM = "${secret.tls_cert}"
TLS_KEY_PEM = "${secret.tls_key}"
}
}
// Topology: tls_proxy is linked to api, and api is linked to db. There is no
// direct tls_proxy -> db link.
// EXPOSE lists only 443 (the proxy's port); the api port 8080 and the db port
// 5432 do not appear in it.
// NOTE(review): presumably CONNECT limits which components may reach each other
// and EXPOSE controls what is reachable from outside the deployment; confirm
// that unlisted ports are not reachable from the host network.
CONNECT tls_proxy -> api
CONNECT api -> db
EXPOSE 443