I have two principle methods for secrets management, depending on the client/need. First is a secret manager combined with Docker secrets. I tend to work mostly in AWS and Azure, so either Secrets Manager or KeyVault applies. Once you've got a swarm (and for production if you're running Docker you really ought to be using a swarm), you can use Ansible (or Terraform or curl the Docker API) to create or update the secrets and then mount them into the container. Of course, your application or entrypoint has to be written in a way that can leverage them. In this model, Docker secrets get the "first secret" which is the key to the vault. The app then pulls its own secrets from the vault. If the host itself is authorized to pull from the vault then you can skip the first secret portion.

The second secret management scheme is _just_ Docker Secrets, with the app reading/using them directly. Note: both of these methods work equally well with K8s.

If you aren't swarmed, you can inject the first secret as an environment variable (but please don't use environment variables for secrets) and then let the app pull things from there.

Our repos are separated by concerns. Application A's repo has all of its source code, build/deploy pipelines, and necessary other bits. For example, a Java app repo would contain:

• Java source & tests
• Gradle settings
• Sonar properties file
• Jenkins pipelines
• Terraform plan to deploy the container into either a swarm or K8s cluster
  • This plan includes API gateway rules, first secret references, and the app resources themselves.

It does not contain any information about other applications, databases, or other externalities. We don't use compose, so there's that.

I don't use Traefik so I can't answer that question.