Building a Discourse image without baking in the database password?

I am interested in running Discourse on my organization’s Kubernetes cluster. To do this, we can use the launcher script to build the image, push it to our Docker repo, and run it in the cluster. But building the image seems to require using the database password for database migration and “precompiling assets.”

When I run docker inspect on the created image, I see that it has DISCOURSE_DB_PASSWORD baked in. For security reasons, we don’t want to push this information to our Docker repo.

How do other Kubernetes users get around this? I’m fine with using the database password during the build step, but I don’t want it to be pushed to the Docker repo. Instead I’d like to pass the password as an environment variable when running the container (which is how our other Kubernetes apps work).

Thank you!


Would it be enough to push a dummy value to that environment var after the db migration completes? There are hooks for that, post migration, I’m sure.


As @brahn said set that ENV var to empty in the latest hook. The run hook should work.

You can also build another image using the bootstrapped one as a base and empty that variable in a docker file.


Thanks for the response! I didn’t know Pups had the ability to modify environment variables.

What is the exact syntax for changing the environment from inside a hook? It doesn’t seem to be documented, and the few attempts I had at this had no effect on the build process.