mirror of https://github.com/vimagick/dockerfiles.git synced 2024-11-24 08:52:15 +02:00

History

kev 202392cdc6 switch to new domain: easypi.info		2016-05-01 09:06:20 +08:00
..
vault	add dummy keys	2015-07-18 16:32:56 +08:00
docker-compose.yml	use relative local path for volumes	2015-09-02 11:52:53 +08:00
Dockerfile	switch to new domain: easypi.info	2016-05-01 09:06:20 +08:00
README.md	update	2015-07-18 18:12:21 +08:00

README.md

vault

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

docker-compose.yml

vault:
  image: vimagick/vault
  ports:
    - "8200:8200"
  volumes:
    - vault/vault.crt:/etc/vault/vault.crt
    - vault/vault.key:/etc/vault/vault.key
  cap_add:
    - IPC_LOCK
  restart: always

Please distribute vault.crt to clients.

server

$ cd ~/fig/vault
$ mkdir vault
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vault/vault.key -out vault/vault.crt
$ docker-compose up -d
$ docker cp vault_vault_1:/usr/bin/vault /usr/local/bin/
$ docker exec -it vault_vault_1 sh
>>> cd /etc/vault
>>> vault init -tls-skip-verify -key-shares=5 -key-threshold=3 | tee vault.secret
>>> exit
$ docker run --rm --volumes-from vault_vault_1 -v `pwd`:/backup alpine tar cvzf /backup/vault.tgz /etc/vault /var/lib/vault

Split vault.secret, keep them a secret.

client

$ export VAULT_ADDR='https://server:8200'
$ cp ~/fig/vault/vault/vault.crt /etc/ssl/certs/vault.pem
$ update-ca-certificates
$ vault status
$ vault unseal && vault unseal && vault unseal
$ vault auth
$ vault write secret/name key=value
$ vault read secret/name
$ vault seal