Some apps, for reasons, require environment variables to be present in initializers. If those env vars are not secret then you can just add them to the Dockerfile, but if they are secret then you can't.
The result is that the build will fail when the initializers run. Even if you put the values into encrypted credentials it's going to fail because RAILS_MASTER_KEY is not set at that point.
We need a way to get secrets into the Docker build before they're needed in the bin/rails assets:precompile stage.
I asked Claude (via GitHub Copilot) about this and it made this suggestion:
# In build stage...
FROM base AS build
# Mount and use secret
RUN --mount=type=secret,id=rails_master_key \
    export RAILS_MASTER_KEY=$(cat /run/secrets/rails_master_key) && \
    ./bin/rails assets:precompile
Plan for using BuildKit secrets in Dockerfile
Implementation
Enable BuildKit:
export DOCKER_BUILDKIT=1
Update Dockerfile:
Build command:
Notes:
Secret mounted temporarily during build
Not stored in final image
Not visible in docker history
Requires DOCKER_BUILDKIT=1
I'm not sure that will work because /run/secrets/rails_master_key might not be visible to the Kamal docker build process.
Any thoughts from anyone?
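The notes in the post say a mounted secret is not stored in the image or shown in docker history; values declared with ARG or ENV are recorded in the image metadata. The following check is an added example, not part of the original post or of Kamal: it reports which of the two ways a Dockerfile hands a secret to the build. The function name `check_secret` and both sample Dockerfiles are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how a Dockerfile hands one secret to the build.
# Prints "leak" if the variable is declared with ARG or ENV (recorded in
# image metadata), "mount" if only a BuildKit secret mount with the given id
# is used, "absent" otherwise.
check_secret() {  # usage: check_secret <Dockerfile> <VAR_NAME> <secret_id>
  awk -v name="$2" -v id="$3" '
    function classify(s,   n, w, i, kw, opts) {
      sub(/^[ \t]+/, "", s)
      if (s ~ /^#/ || s == "") return
      n = split(s, w, /[ \t]+/)
      kw = toupper(w[1])
      for (i = 2; i <= n; i++) {
        if ((kw == "ARG" || kw == "ENV") && (w[i] == name || index(w[i], name "=") == 1))
          leak = 1
        if (kw == "RUN" && w[i] ~ /^--mount=/) {
          opts = "," substr(w[i], 9) ","       # option order may vary
          if (index(opts, ",type=secret,") && index(opts, ",id=" id ","))
            mount = 1
        }
      }
    }
    { line = buf $0 }                          # join continued lines
    /\\$/ { sub(/\\$/, "", line); buf = line " "; next }
    { buf = ""; classify(line) }
    END {
      if (buf != "") classify(buf)
      print (leak ? "leak" : (mount ? "mount" : "absent"))
    }
  ' "$1"
}

# Constructed sample input: the pattern from the post, and an ARG-based variant.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Dockerfile.mount" <<'EOF'
FROM base AS build
RUN --mount=type=secret,id=rails_master_key \
    export RAILS_MASTER_KEY=$(cat /run/secrets/rails_master_key) && \
    ./bin/rails assets:precompile
EOF
cat > "$demo_dir/Dockerfile.arg" <<'EOF'
FROM base AS build
ARG RAILS_MASTER_KEY
RUN RAILS_MASTER_KEY=$RAILS_MASTER_KEY ./bin/rails assets:precompile
EOF
check_secret "$demo_dir/Dockerfile.mount" RAILS_MASTER_KEY rails_master_key
check_secret "$demo_dir/Dockerfile.arg" RAILS_MASTER_KEY rails_master_key
```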