mirror of
https://github.com/vimagick/dockerfiles.git
synced 2024-12-21 01:27:01 +02:00
upgrade vault to 0.9.0
This commit is contained in:
parent
05000c2b6f
commit
b66f471162
@ -5,25 +5,26 @@
|
||||
FROM alpine
|
||||
MAINTAINER kev <noreply@easypi.pro>
|
||||
|
||||
ENV VAULT_VER 0.5.2
|
||||
ENV VAULT_URL https://releases.hashicorp.com/vault/${VAULT_VER}/vault_${VAULT_VER}_linux_amd64.zip
|
||||
ENV VAULT_MD5 7d0f546d19c8e7e1eb5f8856bfa4cc29
|
||||
ENV VAULT_FILE vault.zip
|
||||
ENV VAULT_ADDR https://127.0.0.1:8200
|
||||
ENV VAULT_VER=0.9.0
|
||||
ENV VAULT_URL=https://releases.hashicorp.com/vault/${VAULT_VER}/vault_${VAULT_VER}_linux_amd64.zip
|
||||
ENV VAULT_MD5=6db0a01b144c73b0633bbcd69175cd2c
|
||||
|
||||
RUN set -xe \
|
||||
&& apk add -U ca-certificates \
|
||||
&& wget -O $VAULT_FILE $VAULT_URL \
|
||||
&& echo "$VAULT_MD5 $VAULT_FILE" | md5sum -c \
|
||||
&& unzip $VAULT_FILE -d /usr/bin/ \
|
||||
&& wget -O vault.zip $VAULT_URL \
|
||||
&& echo "$VAULT_MD5 vault.zip" | md5sum -c \
|
||||
&& unzip vault.zip -d /usr/bin/ \
|
||||
&& chmod +x /usr/bin/vault \
|
||||
&& apk del ca-certificates \
|
||||
&& rm $VAULT_FILE /var/cache/apk/*
|
||||
&& rm vault.zip /var/cache/apk/*
|
||||
|
||||
COPY vault /etc/vault
|
||||
|
||||
VOLUME /etc/vault /var/lib/vault
|
||||
COPY ./data/etc /etc/vault
|
||||
VOLUME /etc/vault /var/lib/vault /var/log/vault
|
||||
|
||||
EXPOSE 8200
|
||||
|
||||
CMD ["vault", "server", "-config=/etc/vault/vault.hcl"]
|
||||
ENV VAULT_ADDR=https://127.0.0.1:8200
|
||||
ENV VAULT_SKIP_VERIFY=1
|
||||
|
||||
ENTRYPOINT ["vault"]
|
||||
CMD ["server", "-config=/etc/vault/vault.hcl"]
|
||||
|
@ -10,14 +10,15 @@ providing tight access control and recording a detailed audit log.
|
||||
|
||||
## docker-compose.yml
|
||||
|
||||
```
|
||||
```yaml
|
||||
vault:
|
||||
image: vimagick/vault
|
||||
ports:
|
||||
- "8200:8200"
|
||||
volumes:
|
||||
- vault/vault.crt:/etc/vault/vault.crt
|
||||
- vault/vault.key:/etc/vault/vault.key
|
||||
- ./data/etc:/etc/vault
|
||||
- ./data/var:/var/lib/vault
|
||||
- ./data/log:/var/log/vault
|
||||
cap_add:
|
||||
- IPC_LOCK
|
||||
restart: always
|
||||
@ -27,30 +28,32 @@ vault:
|
||||
|
||||
## server
|
||||
|
||||
```
|
||||
```bash
|
||||
$ cd ~/fig/vault
|
||||
$ mkdir vault
|
||||
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vault/vault.key -out vault/vault.crt
|
||||
$ mkdir data
|
||||
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout data/etc/vault.key -out data/etc/vault.crt
|
||||
$ docker-compose up -d
|
||||
$ docker cp vault_vault_1:/usr/bin/vault /usr/local/bin/
|
||||
$ docker exec -it vault_vault_1 sh
|
||||
>>> cd /etc/vault
|
||||
>>> vault init -tls-skip-verify -key-shares=5 -key-threshold=3 | tee vault.secret
|
||||
>>> vault init -key-shares=5 -key-threshold=3 | tee vault.secret
|
||||
>>> exit
|
||||
$ docker run --rm --volumes-from vault_vault_1 -v `pwd`:/backup alpine tar cvzf /backup/vault.tgz /etc/vault /var/lib/vault
|
||||
$ docker run --rm --volumes-from vault_vault_1 -v `pwd`:/backup alpine tar cvzf /backup/vault.tgz /etc/vault /var/lib/vault /var/log/vault
|
||||
```
|
||||
|
||||
> Split `vault.secret`, keep them a secret.
|
||||
|
||||
## client
|
||||
|
||||
```
|
||||
```bash
|
||||
$ export VAULT_ADDR='https://server:8200'
|
||||
$ cp ~/fig/vault/vault/vault.crt /etc/ssl/certs/vault.pem
|
||||
$ export VAULT_SKIP_VERIFY=0
|
||||
$ cp ~/fig/vault/data/etc/vault.crt /etc/ssl/certs/vault.pem
|
||||
$ update-ca-certificates
|
||||
$ vault status
|
||||
$ vault unseal && vault unseal && vault unseal
|
||||
$ vault auth
|
||||
$ vault audit-enable file file_path=/var/log/vault/audit.log
|
||||
$ vault write secret/name key=value
|
||||
$ vault read secret/name
|
||||
$ vault seal
|
||||
|
0
vault/data/etc/vault.secret
Normal file
0
vault/data/etc/vault.secret
Normal file
0
vault/data/log/.gitkeep
Normal file
0
vault/data/log/.gitkeep
Normal file
0
vault/data/var/.gitkeep
Normal file
0
vault/data/var/.gitkeep
Normal file
@ -3,8 +3,9 @@ vault:
|
||||
ports:
|
||||
- "8200:8200"
|
||||
volumes:
|
||||
- ./vault/vault.crt:/etc/vault/vault.crt
|
||||
- ./vault/vault.key:/etc/vault/vault.key
|
||||
- ./data/etc:/etc/vault
|
||||
- ./data/var:/var/lib/vault
|
||||
- ./data/log:/var/log/vault
|
||||
cap_add:
|
||||
- IPC_LOCK
|
||||
restart: always
|
||||
|
Loading…
Reference in New Issue
Block a user