I don’t use Swarm, but your problem seems like a more general case where secrets must be provided when starting the app (as opposed to building the release), and they might need to be derived from various sources, not necessarily OS env. In my cases, I used etcd and custom json files to fetch stuff, so various OS env impros wouldn’t work for me anyway.
The way I deal with this (which doesn’t work for everything, but does for most things, including Phoenix and Ecto), is:
- In application
startcallback, prior to starting the top-level supervisor, I fetch secrets from wherever. - I merge secrets into proper places in app env (e.g. repo or endpoint config).
- I start the supervision tree.
