Secrets, Environment, and Configuration
The same image must run in dev, staging, and production — but the passwords and keys differ in each environment, and must never enter the image. In this lesson we distinguish ARG, which exists only at build time, from ENV, which persists into the image and at runtime. We see why a secret written int
Configuration is like a recipe card you can share with everyone. A secret is like your house key — you never tape it to the recipe and hand it out to all.
- ARG: A value available only during the image build. Once the build ends it disappears and does not exist at runtime. Useful for build parameters, not for config needed at runtime.
- ENV: An environment variable written into the image that stays available at runtime. Convenient for non-sensitive configuration, but must never hold secrets, since it is kept in the image layers.
- secret leak: A leak of sensitive data because it was written into an image layer. Every layer is kept in the history, so a secret written once is available to anyone who pulls the image — even if a later layer 'deletes' it.
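
As an added example (not part of the original lesson), the script below audits an image's OCI config JSON for the three cases defined above: a secret-looking ENV, a value passed through ARG into a recorded build step, and a file 'deleted' by a later layer. The sample config, the name patterns, and the `audit_image_config` function are assumptions constructed for illustration.

```python
import json
import re

# Heuristic credential names (an assumption of this example, not a complete list).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
# NAME=value pairs as they appear in a recorded build step.
ASSIGNMENT = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\S+)")

# Constructed sample in OCI image-config shape: readable by anyone who pulls the image.
SAMPLE_CONFIG = json.loads("""
{
  "config": {"Env": ["PATH=/usr/local/bin:/usr/bin", "APP_PORT=8080",
                     "DB_PASSWORD=example-not-real"]},
  "history": [
    {"created_by": "ARG API_TOKEN", "empty_layer": true},
    {"created_by": "RUN |1 API_TOKEN=example-not-real /bin/sh -c ./fetch-deps.sh"},
    {"created_by": "ENV DB_PASSWORD=example-not-real", "empty_layer": true},
    {"created_by": "COPY id_rsa /root/.ssh/id_rsa"},
    {"created_by": "RUN /bin/sh -c rm /root/.ssh/id_rsa"}
  ]
}
""")

def audit_image_config(cfg):
    """Return sorted (kind, detail) findings for secret-looking data in an image."""
    findings = set()
    # ENV is stored in the image config and handed to every container.
    for entry in cfg.get("config", {}).get("Env") or []:
        name, _, value = entry.partition("=")
        if value and SECRET_NAME.search(name):
            findings.add(("env", name))
    # BuildKit appends "# buildkit" to each recorded step; strip it before matching.
    steps = [h.get("created_by", "").split(" # buildkit")[0]
             for h in cfg.get("history", [])]
    for i, step in enumerate(steps):
        # An ARG is gone at runtime, but a value passed to a build step is recorded.
        for name, _value in ASSIGNMENT.findall(step):
            if SECRET_NAME.search(name):
                findings.add(("history", name))
        # A file removed by a later step still sits in the layer that added it.
        copied = re.match(r"(?:COPY|ADD)\s.*\s(\S+)$", step)
        if copied:
            removal = re.compile(r"\brm\b.*" + re.escape(copied.group(1)))
            if any(removal.search(later) for later in steps[i + 1:]):
                findings.add(("deleted-later", copied.group(1)))
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in audit_image_config(SAMPLE_CONFIG):
        print(f"{kind}: {detail}")
```

The `history` finding for `API_TOKEN` shows that ARG being absent at runtime does not make it a safe channel for secrets: a value passed into a build step is still recorded in the image history.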