Dynamically provisioning app secrets during container run time

To run containers in production requires securing your containers from any eavesdropping, isolating credentials from images and dynamically changing credentials without updating the image. There isn’t a solution out that that lets you do that successfully. Some of the solution that people employ are: Novice users bake secrets into the image. When they publish it to the registry, anyone can pull the image and secrets would be at their disposal. Advanced users mount the secrets through volumes during the container run. Someone who has access to the machine can mount the same volume and can access secrets for all the images. Other advanced users pass it through ENV variables which is open for snooping for anybody that has access to the machine. Paranoid users employ public key and elliptic key cryptography to encrypt the secrets in the image using public key. Image is then pushed to the registry. It is safe from snooping. And the secrets can be decrypted only through the private key that is resident on the host machine. But again, this solution is static. None of these aforementioned solutions truly fit the ephemeral nature of the containers. We should be able to provide secrets to the running container on any machine dynamically during the runtime. We, at Yellow Pages, have devised a solution that addresses that concern.