├── .gitignore
├── Dockerfile
├── Makefile
├── README.md
├── build.sh
├── circle.yml
└── config
    ├── consul.hcl
    └── demo.hcl

/.gitignore:
--------------------------------------------------------------------------------
```
vendor
.bundle
```

/Dockerfile:
--------------------------------------------------------------------------------
```dockerfile
FROM alpine:3.5
MAINTAINER Stephane Jourdan
ENV VAULT_VERSION 0.7.0
LABEL name="vault"
LABEL version=0.7.0
LABEL maintainer="Stephane Jourdan"

# x509 expects certs to be in this file only.
RUN apk --update --no-cache add ca-certificates openssl && \
    wget -qO /tmp/vault.zip "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && \
    unzip -d /bin /tmp/vault.zip && \
    chmod 755 /bin/vault && \
    rm /tmp/vault.zip /var/cache/apk/*

EXPOSE 8200
VOLUME "/config"

ENTRYPOINT ["/bin/vault"]
CMD ["server", "-dev-listen-address=0.0.0.0:8200", "-dev"]
```

/Makefile:
--------------------------------------------------------------------------------
```makefile
.DEFAULT_GOAL := help

CONTAINER_NAME=sjourdan/vault

all: build
build: ## Build the container
	docker build -t ${CONTAINER_NAME} .

help:
	@printf "\033[36m%-30s\033[0m %s\n" 'Targets:'
	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
```

/README.md:
--------------------------------------------------------------------------------
# Docker Vault

[![Circle CI](https://circleci.com/gh/sjourdan/docker-vault.svg?style=shield)](https://circleci.com/gh/sjourdan/docker-vault)

This Docker Vault container uses the [Alpine Linux](https://hub.docker.com/_/alpine/) minimal image and [HashiCorp's Vault](https://vaultproject.io/).

Vault listens on TCP/8200 by default, and this image keeps that. The demo configuration listens on all interfaces (not just localhost) and uses demo.consul.io as its storage backend, as in the [getting started docs](https://vaultproject.io/intro/getting-started/deploy.html).

Configuration examples are stored under `config/` in the git working directory.

The latest automated build is always available at [sjourdan/vault](https://registry.hub.docker.com/u/sjourdan/vault/):

`docker pull sjourdan/vault`

## Vault Server

### Dev mode

Start the Vault server in **dev mode**:

```
docker run -d \
  -p 8200:8200 \
  --hostname vault \
  --name vault sjourdan/vault
```

### Using the Demo Consul Backend

Start with a **demo Consul backend** using [demo.consul.io](https://demo.consul.io):

```
docker run -d \
  -p 8200:8200 \
  --hostname vault \
  --name vault \
  --volume $PWD/config:/config \
  sjourdan/vault server -config=/config/demo.hcl
```

### Using your own Consul backend

### Consul

For this you can use the [Progrium Consul Docker container](https://github.com/gliderlabs/docker-consul), which works well.
If you have a running Consul container named `consul`, you can skip the step below:

```
# Start a Consul container with the web UI on port 8500
docker run -p 8400:8400 -p 8500:8500 -p 8600:53/udp --hostname consul --name consul progrium/consul -server -bootstrap -ui-dir /ui
```

Once your Consul service is running and reachable as `consul` (via a container link or DNS), start the Vault server with:

```
docker run -d \
  -p 8200:8200 \
  --hostname vault \
  --name vault \
  --link consul:consul \
  --volume $PWD/config:/config \
  sjourdan/vault server -config=/config/consul.hcl
```

## Using Vault

To initialize Vault from a workstation with the `vault` CLI installed, first export the Vault server address. If you started the containers on your local machine, `docker inspect -f '{{ .NetworkSettings.IPAddress }}' vault` gives the Vault container's internal IP address.

```
# The address must start with the protocol specifier!
export VAULT_ADDR='http://a.b.c.d:8200'
```

Then refer to the [Vault documentation](https://www.vaultproject.io/docs/index.html) for how to initialize and unseal the data store. If you are evaluating the server in **dev mode**, an empty, already initialized and unsealed **inmem** data store is created automatically.

You can then export the root token printed at server startup: `export VAULT_TOKEN=PASTE_YOUR_TOKEN_HERE`.

To use the Vault client from a container, you can create a wrapper function like the one below:

```
# The `;` before `}` is required when the body sits on one line, and the inner
# shell is Alpine's /bin/sh, so POSIX redirection is used instead of bash's &>.
vault () { docker run -it --rm -e VAULT_ADDR --entrypoint=/bin/sh sjourdan/vault -c "vault auth $VAULT_TOKEN >/dev/null 2>&1; vault $*"; }
```

The wrapper above could of course pass `$VAULT_TOKEN` straight through with docker's `-e` option, but we don't want to redefine that environment variable, so we emulate an auth session first and only then pass the arguments to vault.

You can also use an alias, but this overrides `$VAULT_TOKEN` and **is not recommended**, since it changes the Vault client's default usage scenario.

```
alias vault="docker run --rm -e VAULT_ADDR -e VAULT_TOKEN sjourdan/vault"
```

/build.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
set -e

IMAGE_NAME=sjourdan/vault

echo "- Build Docker Image ${IMAGE_NAME}:"
docker build -t=${IMAGE_NAME} .
```
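The build above bakes in whatever `wget` returned: the Dockerfile fetches the Vault zip and unpacks it without comparing it to anything, so a corrupted or substituted download would land in the image unnoticed. HashiCorp publishes a `vault_<version>_SHA256SUMS` file (plus a detached GPG signature of it) next to every release zip. The shell function below is an added example, not part of the sjourdan/docker-vault repository, showing the check a build step can run against such a SUMS file. The data it runs on is constructed inline (a fake "zip" holding the bytes `hello\n` and a hand-written SUMS file); `verify_release` and `sha256_of` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the sjourdan/docker-vault repository): verify a
# downloaded release archive against HashiCorp's SHA256SUMS file before
# unpacking it. The Dockerfile on this page skips this step.

# Hex SHA-256 digest of a file, using whichever tool is installed
# (GNU coreutils sha256sum, or perl's shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_release SUMSFILE ARCHIVE
#   SUMSFILE lines look like "<64 hex chars>  <filename>", one per artifact.
#   Returns 0 when ARCHIVE's digest matches its entry, 1 on a mismatch and
#   2 when ARCHIVE is not listed at all (a build should stop on either).
verify_release() {
    sums=$1
    archive=$2
    name=$(basename "$archive")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "FAIL: no checksum listed for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: $name digest $actual does not match expected $expected" >&2
        return 1
    fi
    echo "OK: $name"
}

# ---- constructed demo data, not real release files ----
# The "archive" is just the bytes "hello\n", whose SHA-256 is the well-known
# 5891b5b5...f6be03; the SUMS file copies HashiCorp's two-space layout and
# the darwin line carries a dummy all-zero digest.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/tampered"
printf 'hello\n'  > "$demo_dir/vault_0.7.0_linux_amd64.zip"
printf 'hello!\n' > "$demo_dir/tampered/vault_0.7.0_linux_amd64.zip"   # one byte added
cat > "$demo_dir/vault_0.7.0_SHA256SUMS" <<'EOF'
0000000000000000000000000000000000000000000000000000000000000000  vault_0.7.0_darwin_amd64.zip
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  vault_0.7.0_linux_amd64.zip
EOF

# Genuine archive passes; the tampered copy with the same filename is refused.
verify_release "$demo_dir/vault_0.7.0_SHA256SUMS" "$demo_dir/vault_0.7.0_linux_amd64.zip"
if ! verify_release "$demo_dir/vault_0.7.0_SHA256SUMS" "$demo_dir/tampered/vault_0.7.0_linux_amd64.zip"; then
    echo "tampered archive was correctly refused"
fi
```

In the Dockerfile this amounts to one more `wget` for the SUMS file and the same lookup before `unzip`. Because the SUMS file is served from the same host as the archive, it only guards against corruption; verifying its `.sig` against HashiCorp's release key is what guards against substitution.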

/circle.yml:
--------------------------------------------------------------------------------
```yaml
machine:
  services:
    - docker
dependencies:
  override:
    - docker info
    - make build
test:
  override:
    - docker run --rm -i sjourdan/hadolint < Dockerfile
    - docker run --rm -v $PWD:/root/ projectatomic/dockerfile-lint dockerfile_lint
    - docker run sjourdan/vault version | grep "v$(cat Dockerfile | grep 'ENV VAULT_VERSION' | cut -f3 -d' ')"
```

/config/consul.hcl:
--------------------------------------------------------------------------------
```hcl
backend "consul" {
  address = "consul:8500"
  path = "demo_vault"
  advertise_addr = "http://127.0.0.1"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

disable_mlock = true
```

/config/demo.hcl:
--------------------------------------------------------------------------------
```hcl
backend "consul" {
  address = "demo.consul.io:80"
  path = "demo_vault_changeme"
  advertise_addr = "http://127.0.0.1"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

disable_mlock = true
```
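The two HCL files above share three settings that are fine for a local demo but should not travel into anything reachable over a network: `tls_disable = 1` (the listener speaks plaintext HTTP, so tokens and secrets cross the wire in the clear), `address = "0.0.0.0:8200"` (bound on every interface), and `disable_mlock = true` (memory holding secrets may be swapped to disk). `demo.hcl` additionally keeps its data in the public demo Consul under a path that literally says `changeme`. The shell function below is an added example, not part of the repository: a preflight check that greps a config for those settings and reports a finding count. The inputs it runs on are constructed inline (copies of the two configs above plus a constructed TLS-enabled variant whose certificate paths are placeholders), and `vault_config_findings` is a name chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the sjourdan/docker-vault repository): a preflight
# check that flags demo-grade settings in a Vault HCL config before the file is
# mounted into the container with --volume $PWD/config:/config.

# vault_config_findings FILE
#   Prints one line per finding to stderr and the finding count to stdout,
#   so a caller can both read the report and branch on the number.
vault_config_findings() {
    cfg=$1
    count=0
    # Each rule is "<extended regex>@<reason>". grep -E is enough here because
    # these configs keep one setting per line.
    for rule in \
        'tls_disable *= *(1|true)@listener has TLS disabled: tokens and secrets travel as plaintext HTTP' \
        'address *= *"0\.0\.0\.0:@listener binds every interface, not just localhost' \
        'disable_mlock *= *true@mlock disabled: Vault memory holding secrets may be swapped to disk' \
        'address *= *"demo\.consul\.io@storage backend is the public demo Consul, shared with everyone else using it' \
        'path *= *"[^"]*changeme@storage path still carries the changeme placeholder'
    do
        pattern=${rule%%@*}
        reason=${rule#*@}
        if grep -Eq "$pattern" "$cfg"; then
            echo "$cfg: $reason" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# ---- constructed inputs: the two configs from this page and a TLS variant ----
demo_dir=$(mktemp -d)
cat > "$demo_dir/consul.hcl" <<'EOF'
backend "consul" {
  address = "consul:8500"
  path = "demo_vault"
  advertise_addr = "http://127.0.0.1"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

disable_mlock = true
EOF
cat > "$demo_dir/demo.hcl" <<'EOF'
backend "consul" {
  address = "demo.consul.io:80"
  path = "demo_vault_changeme"
  advertise_addr = "http://127.0.0.1"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

disable_mlock = true
EOF
# Constructed TLS-enabled variant (cert/key paths are placeholders). Only the
# all-interfaces bind remains, which inside a container is usually intended.
cat > "$demo_dir/tls.hcl" <<'EOF'
backend "consul" {
  address = "consul:8500"
  path = "vault"
  advertise_addr = "https://127.0.0.1:8200"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/config/vault.crt"
  tls_key_file = "/config/vault.key"
}
EOF

# consul.hcl -> 3 findings, demo.hcl -> 5, tls.hcl -> 1
for f in consul.hcl demo.hcl tls.hcl; do
    n=$(vault_config_findings "$demo_dir/$f")
    echo "$f: $n finding(s)"
done
```

Run it as `vault_config_findings config/demo.hcl` from the repository root before the `docker run ... --volume $PWD/config:/config` step and treat a non-zero count as a reason to stop. The all-interfaces bind is flagged even in the TLS variant on purpose: inside a container it is usually what you want, and exposure is better limited on the host side by publishing the port narrowly (for example `-p 127.0.0.1:8200:8200`) than by changing the listener.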