Using Vault with docker compose file

I am currently using a docker-compose file to set up dev / prod environments. I am using environment variables to store secrets, database credentials, etc. After some searching, I found out that Vault can be used to protect credentials. I tried a couple of basic examples with Vault, but I still have no idea how to use Vault with a docker-compose file. Can someone point me in the right direction? If Vault is not a good docker-compose solution, what mechanisms could I use to secure credentials rather than storing them in the environment as plain text?


2 answers


This is my current configuration with docker for using Vault in dev, but I am using dedicated servers (not Docker) in production.

# docker_compose.yml
version: '2'
services:
    myvault:
        image: vault
        container_name: myvault
        ports:
          - "127.0.0.1:8200:8200"
        volumes:
          - ./file:/vault/file:rw
          - ./config:/vault/config:rw
        cap_add:
          - IPC_LOCK
        entrypoint: vault server -config=/vault/config/vault.json

The volume mounts ensure that the storage and configuration are preserved if you need to rebuild the container.

To use a "file" backend and make this setup portable to Docker / Git, you also need to create a directory named config and put this file, named vault.json, in it:



# config/vault.json
{
  "backend": {"file": {"path": "/vault/file"}},
  "listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}},
  "default_lease_ttl": "168h",
  "max_lease_ttl": "0h"
}

Notes:
Although the ROOT_TOKEN is static in this configuration (it will not change between container builds), any VAULT_TOKEN generated for an app_role will be invalidated every time the vault needs to be unsealed.

I found that the vault is sometimes sealed when the container is restarted.


I have a slightly different version (mostly added some environment variables):

docker-compose.yml

version: '3'

services:

    vault:
      image: vault:latest
      volumes:
        - ./vault/config:/vault/config
        - ./vault/policies:/vault/policies
        - ./vault/data:/vault/data
      ports:
        - 8200:8200
      environment:
        - VAULT_ADDR=http://0.0.0.0:8200
        - VAULT_API_ADDR=http://0.0.0.0:8200
        - VAULT_ADDRESS=http://0.0.0.0:8200
      cap_add:
        - IPC_LOCK
      command: vault server -config=/vault/config/vault.json

vault.json:



{
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": "true"
    }
  },
  "backend": {
    "file": {
      "path": "/vault/file"
    }
  },
  "default_lease_ttl": "168h",
  "max_lease_ttl": "0h",
  "api_addr": "http://0.0.0.0:8200"
}

If I want to check the vault from outside the container, I use (for example): http://localhost:8200/v1/sys/seal-status

If I want to check it from inside the container, I use (for example): http://vault:8200/v1/sys/seal-status

I have implemented this with Laradock.

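As an added example (not code from either answer), this is how an app container in the same compose project could fetch its database credentials from Vault at startup instead of reading them from plain-text environment variables, using only the seal-status and KV endpoints shown above. It assumes the app reaches Vault at http://vault:8200 over the compose network, that a KV v2 engine is mounted at secret/ holding a secret at secret/data/myapp/db, and that only VAULT_ADDR and VAULT_TOKEN are injected into the app's environment; the 503 (sealed) and 403 (token invalidated after a reseal) cases from the first answer are mapped to explicit errors.

```python
import json
import os
import urllib.request
from urllib.error import HTTPError

# Assumed (not taken from the answers above): the app container reaches Vault at
# http://vault:8200 over the compose network, a KV v2 engine is mounted at "secret",
# and only VAULT_ADDR and VAULT_TOKEN are injected into the app's environment.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://vault:8200")


def parse_seal_status(body):
    """Reduce GET /v1/sys/seal-status to the two fields a startup check needs."""
    status = json.loads(body)
    return {"initialized": bool(status.get("initialized", False)),
            "sealed": bool(status.get("sealed", True))}


def parse_kv2_secret(body):
    """Return the key/value pairs of a KV v2 read (the data is nested twice)."""
    return dict(json.loads(body)["data"]["data"])


def vault_get(path, token=None):
    """GET an API path, mapping the two failures this setup produces to clear errors."""
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()
    except HTTPError as err:
        if err.code == 503:
            raise RuntimeError("Vault is sealed; unseal it after the container restart") from err
        if err.code == 403:
            raise RuntimeError("token rejected; tokens issued before a reseal are invalid") from err
        raise


def load_db_credentials(token, path="secret/data/myapp/db"):
    """Refuse to start unless Vault is unsealed, then fetch the secret over the API."""
    seal = parse_seal_status(vault_get("sys/seal-status"))
    if not seal["initialized"] or seal["sealed"]:
        raise RuntimeError(f"Vault not ready: {seal}")
    creds = parse_kv2_secret(vault_get(path, token))
    missing = {"username", "password"} - creds.keys()
    if missing:
        raise KeyError(f"secret at {path} is missing {sorted(missing)}")
    return creds
```

Call load_db_credentials(os.environ["VAULT_TOKEN"]) from the app's entrypoint; the database password then never appears in docker-compose.yml or in the container's environment.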