Public Repository

Last pushed: a year ago
Short Description
Alpine image with Hashicorp's Vault.
Full Description
What is Vault?

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.

Structure

Vault is installed under /vault

/ # tree -d /vault
/vault
├── bin
├── data
└── etc

3 directories

Usage

Basic usage

Start a Vault server.

$ docker run -d --name vault --cap-add IPC_LOCK -p 8200:8200 jfusterm/vault

NOTE: Vault uses the mlock syscall to keep its memory out of swap, so the container must be granted the IPC_LOCK capability with --cap-add IPC_LOCK; otherwise you could see this error: Error initializing core: Failed to lock memory: cannot allocate memory

Vault will start by default with the command server -config=/vault/etc/vault.hcl, but we can append other arguments to the image to override the default command.

$ docker run -it --rm --cap-add IPC_LOCK -p 8200:8200 jfusterm/vault version
Vault v0.6.0

Using your own configuration file

The default vault.hcl configuration file is:

backend "file" {
    path = "/vault/data"
}

listener "tcp" {
    address = "0.0.0.0:8200"
    tls_disable = 1
}

If you want to use your own configuration file you can either copy it into the container and restart it, build a new image with the config file in it, or bind-mount it like this:

$ docker run -d --name vault --cap-add IPC_LOCK -v /dir/my-vault.hcl:/vault/etc/vault.hcl -p 8200:8200 jfusterm/vault
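The default file above serves the API over plain HTTP (tls_disable = 1), which is fine for local testing but means tokens and secrets cross the network in clear text. As an added example that is not part of this image, here is the same configuration with TLS enabled on the listener; the certificate and key paths under /vault/etc/certs are assumed and have to be bind-mounted into the container alongside the config file:

```hcl
# Added example, not the image's default vault.hcl: same file backend and
# tcp listener, but the listener terminates TLS instead of tls_disable = 1.
backend "file" {
    path = "/vault/data"
}

listener "tcp" {
    address = "0.0.0.0:8200"
    # Assumed paths: bind-mount a directory holding the server certificate
    # (with its chain) and private key, e.g. -v /dir/certs:/vault/etc/certs:ro
    tls_cert_file   = "/vault/etc/certs/vault.crt"
    tls_key_file    = "/vault/etc/certs/vault.key"
    # Reject clients that offer anything older than TLS 1.2
    tls_min_version = "tls12"
}
```

Clients then point VAULT_ADDR at https://<host>:8200 and, when the certificate comes from a private CA, set VAULT_CACERT to the CA certificate file so the CLI verifies the server.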

Start a Development/Testing environment

If we want to start a Vault development/testing instance, we can do it using the server -dev switch and binding the listener to 0.0.0.0:8200 so it is reachable from outside the container.

$ docker run -it --rm --name vault-server -p 8200:8200 --cap-add IPC_LOCK jfusterm/vault server -dev -dev-listen-address="0.0.0.0:8200"
==> WARNING: Dev mode is enabled!

In this mode, Vault is completely in-memory and unsealed.
Vault is configured to only have a single unseal key. The root
token has already been authenticated with the CLI, so you can
immediately begin using the Vault CLI.

The only step you need to take is to set the following
environment variables:

    export VAULT_ADDR='http://0.0.0.0:8200'

The unseal key and root token are reproduced below in case you
want to seal/unseal the Vault or play with authentication.

Unseal Key: 927755cd3959fe196dca5782a4c73e601ec91d61c4994c5b2018030bc1bc6c3e
Root Token: 34d987ed-c029-6fcd-8a8a-05837c13f712

==> Vault server configuration:

                 Backend: inmem
              Listener 1: tcp (addr: "0.0.0.0:8200", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
                 Version: Vault v0.6.0

Once the server is started, we can launch another container linked to it and use it as a client:

$ docker run -it --rm --name vault-client --link vault-server --entrypoint sh jfusterm/vault
/ # export VAULT_ADDR='http://vault-server:8200'
/ # vault auth 34d987ed-c029-6fcd-8a8a-05837c13f712
Successfully authenticated! You are now logged in.
token: 34d987ed-c029-6fcd-8a8a-05837c13f712
token_duration: 0
token_policies: [root]
/ # vault write secret/hello value=world
Success! Data written to: secret/hello
/ # vault read secret/hello
Key                     Value
---                     -----
refresh_interval        2592000
value                   world
Owner
jfusterm