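├── .gitignore
├── README.md
├── consul
    ├── Dockerfile
    └── config
    │   └── consul-config.json
├── docker-compose.yaml
└── vault
    ├── Dockerfile
    └── config
        └── vault-config.json


/.gitignore:
--------------------------------------------------------------------------------
vault/data/*
vault/logs/*
consul/data/*
.DS_Store

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Docker-compose-Hashicorp-Vault-Consul

Hashicorp's Vault and Consul local deploy via docker-compose

Note - master branch (Vault and Consul), vault-only branch (Vault only)

## Tutorials

1. [Docker Compose - Hashicorp's Vault and Consul Part A (install vault, unsealing, static secrets, and policies)](https://bogotobogo.com/DevOps/Docker/Docker-Vault-Consul.php)

   * Prerequisites
   * Vault Dockerfile
   * docker-compose.yaml
   * Filesystem Backend
   * Initializing and Unsealing
   * Auditing
   * Static Secrets
   * Policies

2. [Docker Compose - Hashicorp's Vault and Consul Part B (EaaS, dynamic secrets, leases, and revocation)](https://bogotobogo.com/DevOps/Docker/Docker-Vault-Consul-B.php)

   * EaaS (Encryption as a Service)
   * Dynamic Secrets
   * Leases and Revocation

3. [Docker Compose - Hashicorp's Vault and Consul Part C (Consul Backend)](https://bogotobogo.com/DevOps/Docker/Docker-Vault-Consul-C.php)

   * Consul Backend
   * Adding another Consul server

## Credit

* [Managing Secrets with Vault and Consul](https://testdriven.io/blog/managing-secrets-with-vault-and-consul/)



--------------------------------------------------------------------------------
/consul/Dockerfile:
--------------------------------------------------------------------------------
# base image
# NOTE(review): alpine 3.7 is past its end-of-life and the Consul release
# pinned below is an old one; check both against current releases and their
# security advisories before reusing this image outside the tutorial.
FROM alpine:3.7

# set consul version
ENV CONSUL_VERSION 1.2.1

# create a new directory
RUN mkdir /consul

# download dependencies
RUN apk --no-cache add \
      bash \
      ca-certificates \
      wget

# download consul, check it against the release's published SHA256SUMS list,
# then unpack it. The build stops if the archive does not match its checksum.
# The checksum list comes from the same server as the archive, so this catches
# corrupted or truncated downloads; verifying the list's signature or pinning
# the expected digest in this file is the stronger control.
RUN cd /tmp && \
    wget --quiet https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_amd64.zip && \
    wget --quiet https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_SHA256SUMS && \
    grep "consul_${CONSUL_VERSION}_linux_amd64.zip" consul_${CONSUL_VERSION}_SHA256SUMS > consul.sha256 && \
    sha256sum -c consul.sha256 && \
    unzip consul_${CONSUL_VERSION}_linux_amd64.zip -d /consul && \
    rm -f consul_${CONSUL_VERSION}_linux_amd64.zip consul_${CONSUL_VERSION}_SHA256SUMS consul.sha256 && \
    chmod +x /consul/consul

# update PATH
# (the earlier value "PATH=$PATH:$PWD/consul" put a literal "PATH=" in front of
# the first search directory and relied on $PWD, which is not defined when ENV
# is evaluated; the binary lives in /consul)
ENV PATH="$PATH:/consul"

# add the config file
COPY ./config/consul-config.json /consul/config/config.json

# expose ports
EXPOSE 8300 8400 8500 8600

# run consul
ENTRYPOINT ["consul"]

--------------------------------------------------------------------------------
/consul/config/consul-config.json:
--------------------------------------------------------------------------------
{
  "datacenter": "localhost",
  "data_dir": "/consul/data",
  "log_level": "DEBUG",
  "server": true,
  "ui": true,
  "ports": {
    "dns": 53
  }
}

--------------------------------------------------------------------------------
/docker-compose.yaml:
--------------------------------------------------------------------------------
version: '3.6'

services:

  vault:
    build:
      context: ./vault
      dockerfile: Dockerfile
    ports:
      # vault-config.json sets tls_disable, so tokens and secrets cross this
      # port as plain HTTP. Publish it on the host's loopback interface only;
      # put TLS on the listener before binding it to any other address.
      - "127.0.0.1:8200:8200"
    volumes:
      - ./vault/config:/vault/config
      - ./vault/policies:/vault/policies
      - ./vault/data:/vault/data
      - ./vault/logs:/vault/logs
    environment:
      - VAULT_ADDR=http://127.0.0.1:8200
    command: server -config=/vault/config/vault-config.json
    cap_add:
      # lets vault mlock its memory so secrets are not swapped to disk
      - IPC_LOCK
    depends_on:
      - consul

  consul:
    build:
      context: ./consul
      dockerfile: Dockerfile
    ports:
      # consul-config.json configures no ACLs, so the HTTP API and UI on 8500
      # accept unauthenticated requests, and this Consul holds Vault's storage.
      # Publish on loopback only.
      - "127.0.0.1:8500:8500"
    command: agent -server -bind 0.0.0.0 -client 0.0.0.0 -bootstrap-expect 1 -config-file=/consul/config/config.json
    volumes:
      - ./consul/config/consul-config.json:/consul/config/config.json
      - ./consul/data:/consul/data

  consul-worker:
    build:
      context: ./consul
      dockerfile: Dockerfile
    command: agent -server -join consul -config-file=/consul/config/config.json
    volumes:
      - ./consul/config/consul-config.json:/consul/config/config.json
    depends_on:
      - consul

--------------------------------------------------------------------------------
/vault/Dockerfile:
--------------------------------------------------------------------------------
# base image
# NOTE(review): alpine 3.7 is past its end-of-life and the Vault release
# pinned below is a pre-1.0 one; check both against current releases and their
# security advisories before reusing this image outside the tutorial.
FROM alpine:3.7

# set vault version
ENV VAULT_VERSION 0.10.3

# create a new directory
RUN mkdir /vault

# download dependencies
RUN apk --no-cache add \
      bash \
      ca-certificates \
      wget

# download vault, check it against the release's published SHA256SUMS list,
# then unpack it. The build stops if the archive does not match its checksum.
# The checksum list comes from the same server as the archive, so this catches
# corrupted or truncated downloads; verifying the list's signature or pinning
# the expected digest in this file is the stronger control.
RUN cd /tmp && \
    wget --quiet https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
    wget --quiet https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS && \
    grep "vault_${VAULT_VERSION}_linux_amd64.zip" vault_${VAULT_VERSION}_SHA256SUMS > vault.sha256 && \
    sha256sum -c vault.sha256 && \
    unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /vault && \
    rm -f vault_${VAULT_VERSION}_linux_amd64.zip vault_${VAULT_VERSION}_SHA256SUMS vault.sha256 && \
    chmod +x /vault/vault

# update PATH
# (the earlier value "PATH=$PATH:$PWD/vault" put a literal "PATH=" in front of
# the first search directory and relied on $PWD, which is not defined when ENV
# is evaluated; the binary lives in /vault)
ENV PATH="$PATH:/vault"

# add the config file
COPY ./config/vault-config.json /vault/config/vault-config.json

# expose port 8200
EXPOSE 8200

# run vault
ENTRYPOINT ["vault"]

--------------------------------------------------------------------------------
/vault/config/vault-config.json:
--------------------------------------------------------------------------------
{
  "backend": {
    "consul": {
      "address": "consul:8500",
      "path": "vault/"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  },
  "ui": true
}

--------------------------------------------------------------------------------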