Public Repository

Last pushed: a year ago
Short Description
HashiCorp Vault statically compiled into a single file and packed into a single small Docker image.
Full Description

The image contains a shell script that processes environment variables at start-up to populate the Vault configuration file for CoreOS with an etcd backend. The image is intended for use with a CoreOS fleet unit file.

The configuration file config.son is located in /etc/vault/; each quoted placeholder below is replaced with the value of the environment variable of the same name:

backend "etcd" {
  path = "ETCD_VAULT_PATH"
  address = "ETCD_HOST_ADDR"
  username = "ETCD_USERNAME"
  password = "ETCD_PASSWORD"
  tls_ca_file = "ETCD_TLS_CA_FILE"
  tls_cert_file = "ETCD_TLS_CERT_FILE"
  tls_key_file = "ETCD_TLS_KEY_FILE"
  advertise_addr = "ETCD_VAULT_ADVERTISE_ADDR"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = "VAULT_TLS_DISABLE"
  tls_cert_file = "VAULT_TLS_CERT_FILE"
  tls_key_file = "VAULT_TLS_KEY_FILE"
  tls_min_version = "VAULT_TLS_VERSION"
}

telemetry {
  statsite_address = "TELEMETRY_STATSITE_ADDR"
  statsd_address = "TELEMETRY_STATSD_ADDR"
  disable_hostname = "TELEMETRY_DISABLE_HOSTNAME"
}

disable_mlock = true

A complete sample command line for running Vault with TLS enabled against an etcd backend that also has TLS enabled (adjust the certificate paths to your own setup):

docker run -d --cap-add IPC_LOCK \
  -v /etc/ssl/certs/intermediate-ca.pem:/certs/ca.pem:ro \
  -v /etc/ssl/client/client.pem:/certs/cert.pem:ro \
  -v /etc/ssl/client/client-key.pem:/certs/key.pem:ro \
  -v /etc/ssl/host/server.pem:/certs/vault.pem:ro \
  -v /etc/ssl/host/server-key.pem:/certs/vault-key.pem:ro \
  -e ETCD_HOST_ADDR="https://${COREOS_PRIVATE_IPV4}:2379" \
  -e ETCD_TLS_CA_FILE=/certs/ca.pem \
  -e ETCD_TLS_CERT_FILE=/certs/cert.pem \
  -e ETCD_TLS_KEY_FILE=/certs/key.pem \
  -e ETCD_VAULT_PATH=/vault/cybersechub/core \
  -e ETCD_VAULT_ADVERTISE_ADDR="https://${COREOS_PRIVATE_IPV4}:8200" \
  -e VAULT_TLS_DISABLE=false \
  -e VAULT_TLS_CERT_FILE=/certs/vault.pem \
  -e VAULT_TLS_KEY_FILE=/certs/vault-key.pem \
  -p 8200:8200 \
  --name vault \
  cybersechub/vault-coreos
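The following is an added example of the placeholder substitution described above, written for this page and not the image's own entrypoint script. It assumes the template is fed on stdin, drops any line whose environment variable is unset (so Vault never receives an empty file path), defaults VAULT_TLS_DISABLE to "false", and adds a pre-start check that refuses a TLS listener without both certificate and key; the template copy and the check are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the image's own script. awk's ENVIRON is used instead
# of sed so that values containing '/', '&' or '\' are copied literally;
# values must not contain a double quote.

# Constructed copy of the template; the real one lives in /etc/vault/.
VAULT_CONFIG_TEMPLATE=$(cat <<'EOF'
backend "etcd" {
  address = "ETCD_HOST_ADDR"
  username = "ETCD_USERNAME"
  password = "ETCD_PASSWORD"
  path = "ETCD_VAULT_PATH"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = "VAULT_TLS_DISABLE"
  tls_cert_file = "VAULT_TLS_CERT_FILE"
  tls_key_file = "VAULT_TLS_KEY_FILE"
}
disable_mlock = true
EOF
)

# Reads the template on stdin, writes the rendered configuration on stdout.
# Each "ALL_CAPS" placeholder is replaced with the environment variable of
# the same name; a placeholder whose variable is unset has its line dropped.
render_vault_config() {
    : "${VAULT_TLS_DISABLE:=false}"   # TLS stays on unless switched off explicitly
    export VAULT_TLS_DISABLE
    awk '
    match($0, /"[A-Z][A-Z0-9_]*"/) {
        name = substr($0, RSTART + 1, RLENGTH - 2)
        if (name in ENVIRON)
            print substr($0, 1, RSTART) ENVIRON[name] substr($0, RSTART + RLENGTH - 1)
        next          # unset variable: drop the line rather than emit ""
    }
    { print }'
}

# Returns non-zero when the listener would start with TLS on but without
# both a certificate and a key, so the container fails fast instead of
# crashing later or being reconfigured to serve plaintext.
check_listener_tls() {
    [ "${VAULT_TLS_DISABLE:-false}" = "true" ] && return 0
    [ -n "${VAULT_TLS_CERT_FILE:-}" ] && [ -n "${VAULT_TLS_KEY_FILE:-}" ]
}
```

Note that the template sets disable_mlock = true, so the --cap-add IPC_LOCK in the command above has no effect on Vault unless that line is changed.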

Owner
cybersechub
