How to securely provide SSL certs to a Docker app

One challenge with the environment variable approach is that environment variables are shared with any linked containers (more info here), which may restrict the use of that approach in some setups.

Private images, as you say, are a problem, as you're sharing the key with a number of parties, and this could also affect your ability to use other related services that would need access to the GitHub or Docker repos (e.g. Jenkins).

This leaves the mounted volume solution, which seems like the best approach from a security standpoint. It restricts the necessary distribution to the Docker host, which in most cases is less of an exposure than placing it with third parties or potentially exposing it to other linked containers.


If anyone comes across this topic, note that a more recent solution might be to use Docker secrets: https://docs.docker.com/engine/swarm/secrets/

It enables Docker Swarm services to safely transmit information such as passwords, SSL certificates, etc., into containers.
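As an added example (not from either answer above), a Compose v3.1 stack file showing both mechanisms the answers describe: Swarm secrets for the certificate and key, and the read-only host bind mount as the non-Swarm fallback. The service name, image, and file paths are assumptions.

```yaml
# docker-compose.yml, Compose file format 3.1+, deployed with `docker stack deploy`.
# Constructed example: service name, image and paths are assumptions, not from the answers.
version: "3.1"

services:
  web:
    image: nginx:stable          # assumed: any TLS-terminating app works the same way
    ports:
      - "443:443"
    # Swarm secrets are delivered to an in-memory tmpfs under /run/secrets inside
    # the container: never baked into the image, never exposed as environment
    # variables, and so not shared with linked containers.
    secrets:
      - source: tls_cert
        target: /run/secrets/server.crt
        mode: 0444               # public cert may be world-readable in the container
      - source: tls_key
        target: /run/secrets/server.key
        mode: 0400               # private key readable only by the owner (default uid 0)
    # The app config must reference the target paths above, e.g. in nginx:
    #   ssl_certificate     /run/secrets/server.crt;
    #   ssl_certificate_key /run/secrets/server.key;
    #
    # Non-Swarm alternative from the first answer: a read-only bind mount from the
    # Docker host. Use this block instead of `secrets:` with plain `docker-compose up`,
    # and keep the host directory readable only by root (and the key mode 0600).
    # volumes:
    #   - /etc/myapp/certs:/etc/nginx/certs:ro

secrets:
  tls_cert:
    file: ./certs/server.crt     # assumed path on the manager node at deploy time
  tls_key:
    file: ./certs/server.key     # stored encrypted in the Raft log once created
```

The key file only needs to be present on the manager at deploy time; after `docker stack deploy` the secret lives in the Swarm store and is sent only to nodes running a task that references it.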

Tags: Docker, TLS