Using Vault with docker compose file
I am currently using a docker-compose file to set up dev / prod environments. I am using environment variables to store secrets, database credentials, etc. After some searching, I found out that Vault can be used to protect credentials. I tried a couple of basic examples with Vault, but I still have no idea how to use Vault with a docker-compose file. Can someone point me in the right direction? If Vault is not a good docker-compose solution, what mechanisms could I use to secure credentials rather than storing them in the environment as plain text?
This is my current configuration with docker for using Vault in dev, but I am using dedicated servers (not Docker) in production.
# docker_compose.yml
version: '2'
services:
  myvault:
    image: vault
    container_name: myvault
    ports:
      # bound to loopback only: reachable from the host, not from the LAN
      - "127.0.0.1:8200:8200"
    volumes:
      # storage backend and config survive container rebuilds
      - ./file:/vault/file:rw
      - ./config:/vault/config:rw
    cap_add:
      # lets Vault mlock() its memory so secrets are not swapped to disk
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/vault.json
The volume mounts ensure that the storage configuration is preserved if you need to rebuild the container.
To use the "file" backend and make this setup portable across Docker / Git, you also need to create a directory named config and put this file, named vault.json, in it:
# config/vault.json
{
  "backend": {"file": {"path": "/vault/file"}},
  "listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}},
  "default_lease_ttl": "168h",
  "max_lease_ttl": "0h"
}
Notes:
Although the ROOT_TOKEN is static in this configuration (it will not change between container builds), any VAULT_TOKEN generated for an app_role will be invalid every time the vault needs to be unsealed.
I found that the vault is sometimes sealed when the container is restarted.
I have a slightly different version (mostly added some env variables):
docker-compose.yml
version: '3'
services:
  vault:
    image: vault:latest
    volumes:
      - ./vault/config:/vault/config
      - ./vault/policies:/vault/policies
      # must match the file backend "path" in vault.json, or data is not persisted
      - ./vault/data:/vault/data
    ports:
      # published on all host interfaces; the first answer binds 127.0.0.1 instead
      - 8200:8200
    environment:
      - VAULT_ADDR=http://0.0.0.0:8200
      - VAULT_API_ADDR=http://0.0.0.0:8200
      - VAULT_ADDRESS=http://0.0.0.0:8200
    cap_add:
      - IPC_LOCK
    command: vault server -config=/vault/config/vault.json
vault.json:
{
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": "true"
    }
  },
  "backend": {
    "file": {
      "path": "/vault/data"
    }
  },
  "default_lease_ttl": "168h",
  "max_lease_ttl": "0h",
  "api_addr": "http://0.0.0.0:8200"
}
If I want to check the vault from outside the container, I do (for example): http://localhost:8200/v1/sys/seal-status
If I want to check from inside the container, I do (for example): http://vault:8200/v1/sys/seal-status
I have implemented this with Laradock.
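The two answers above set up the Vault service but stop short of showing how an application container actually gets its credentials from it instead of from plain-text environment variables. The following is an added example, not code from either answer or from HashiCorp: it walks the client side of the exchange against three real Vault HTTP API endpoints (seal-status, AppRole login, KV v2 read), fails fast when the vault is sealed (the failure mode the first answer's notes describe), and keeps the HTTP transport injectable so the flow can be exercised offline with constructed responses. The address http://vault:8200, the mount "secret", the path "myapp/db", the role/secret ids and the token value are all assumptions for illustration.

```python
"""Added example: startup flow for an app container that pulls its DB
credentials from the Vault service defined in the compose file."""
import json
import os
import urllib.request
from typing import Callable, Optional

# A transport takes (method, url, json_body, vault_token) and returns the
# decoded JSON response. Injecting it lets the same flow run against a real
# Vault (http_transport) or against constructed responses (fake_transport).
Transport = Callable[[str, str, Optional[dict], Optional[str]], dict]


class VaultSealedError(RuntimeError):
    """Raised when /sys/seal-status reports the vault is sealed."""


class VaultAuthError(RuntimeError):
    """Raised when the AppRole login does not yield a client token."""


def http_transport(method: str, url: str, body: Optional[dict], token: Optional[str]) -> dict:
    """Real transport: JSON over HTTP, token sent in the X-Vault-Token header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def check_unsealed(addr: str, transport: Transport = http_transport) -> dict:
    """Step 1: refuse to start the app against a sealed vault."""
    status = transport("GET", f"{addr}/v1/sys/seal-status", None, None)
    if status.get("sealed", True):
        raise VaultSealedError(f"{addr} is sealed; unseal it before starting the app")
    return status


def approle_login(addr: str, role_id: str, secret_id: str,
                  transport: Transport = http_transport) -> str:
    """Step 2: exchange role_id/secret_id for a short-lived client token."""
    body = {"role_id": role_id, "secret_id": secret_id}
    resp = transport("POST", f"{addr}/v1/auth/approle/login", body, None)
    token = (resp.get("auth") or {}).get("client_token")
    if not token:
        raise VaultAuthError("AppRole login returned no client_token")
    return token


def read_kv2_secret(addr: str, token: str, mount: str, path: str,
                    transport: Transport = http_transport) -> dict:
    """Step 3: read a KV v2 secret; the payload sits under data.data."""
    resp = transport("GET", f"{addr}/v1/{mount}/data/{path}", None, token)
    return resp["data"]["data"]


def fetch_db_credentials(addr: str, role_id: str, secret_id: str,
                         transport: Transport = http_transport) -> dict:
    """The whole startup flow; mount "secret" and path "myapp/db" are assumptions."""
    check_unsealed(addr, transport)
    token = approle_login(addr, role_id, secret_id, transport)
    return read_kv2_secret(addr, token, "secret", "myapp/db", transport)


def fake_transport(sealed: bool) -> Transport:
    """Constructed Vault responses for offline use; token and secret values
    are made up here, not taken from any real Vault."""
    issued_token = "hvs.constructed-client-token"

    def transport(method, url, body, token):
        if url.endswith("/v1/sys/seal-status"):
            return {"sealed": sealed, "initialized": True}
        if url.endswith("/v1/auth/approle/login"):
            if method != "POST" or not body or not body.get("role_id") or not body.get("secret_id"):
                raise ValueError("login needs POST with role_id and secret_id")
            return {"auth": {"client_token": issued_token, "lease_duration": 3600}}
        if "/v1/secret/data/" in url:
            if token != issued_token:
                # a real Vault answers 403 here; mirror that as an error
                raise PermissionError("missing or wrong X-Vault-Token")
            return {"data": {"data": {"username": "app", "password": "constructed-pw"}}}
        raise ValueError(f"unexpected request {method} {url}")

    return transport


if __name__ == "__main__":
    # Inside the compose network the service is reachable as "vault"; from the
    # host it is localhost, as the seal-status URLs above show.
    addr = os.environ.get("VAULT_ADDR", "http://vault:8200")
    creds = fetch_db_credentials(addr, os.environ["VAULT_ROLE_ID"], os.environ["VAULT_SECRET_ID"])
    print("fetched credentials for", creds["username"])
```

Only the AppRole role_id/secret_id reach the container's environment; the database password itself never does. The client token is obtained fresh on every start rather than persisted, which matches the first answer's observation that tokens issued for an app_role stop working after the vault is resealed and unsealed, and the seal-status check turns that situation into an immediate, explicit startup failure instead of a later authentication error.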