I am new to quarkus and Docker and so this may be a simple question, but unfortunately the documentation did not help me here.

My quarkus microservice, which is compiled to a native executable and then to a docker image, needs to use secrets.

I followed this documentation:
https://quarkus.io/guides/config-secrets

Especially the KeyStore part. Now the part of information that is missing there is where the keystore file is supposed to be. I guessed that they assume it is in the root directory of the quarkus project, given that the configuration:
smallrye.config.source.keystore."properties".path=properties
Only gives “properties” as a path for that.

And it does indeed work if you put your keystore file (called properties) into the root of your project.

But it seems to me that this keystore-file is build into the docker image when you follow the instructions to build the native executable
quarkus build --native --no-tests -Dquarkus.native.container-build=true -DDquarkus.container-image.build=true

and the docker image afterwards.

docker build -f src/main/docker/Dockerfile.native-micro -t quarkus/keystore-test .

Now I do not want to store my secrets “hardcoded” in my docker image.

So how can I tell quarkus that the keystore file will be provided to the container at a specific location at runtime? I already tried to set

smallrye.config.source.keystore."properties".path=/some/local/path

to some path outside of the quarkus project. It does work and it compiles, but again it seems like the keystore file is within the image, because after removing the keystore file from that location and restarting the container, the application still knows the values form the keystore file.

So how do we provide an external Keystore-File, which the container picks up on startup?