Skip to content

eco/vault-dev-docker

BranchesTags
 
 

Repository files navigation

Vault Development Docker Image

Docker image based on upstream official Vault image which allows pre-populating with secrets for local development/testing. DO NOT USE FOR PRODUCTION PURPOSES.

Secrets

The JSON file at /opt/secrets.json (override with $VAULT_SECRETS_FILE) will be read and written into the generic secret backend on startup.

The format is an object associating a path with value, as follows:

{
  "secret/foo/bar": "baz",
  "secret/something/else": "asdf1234"
}

Helm Chart

There is a bundled Helm chart included at .helm/charts/vault. See values.yaml for configuration.

Backends

The following backends can be enabled by setting the appropriate environment variable to 1:

  • App ID: $VAULT_USE_APP_ID
  • Kubernetes: $VAULT_USE_K8S

Kubernetes

Kubernets auth is supported but will only function when the container is running within a k8s pod. Set $VAULT_USE_K8S to "1" to enable the backend.

The following environment variables are supported:

  • VAULT_CA_CERT - This is the CA certificate bundle data for clients of the Kubernetes API, or the default value "@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" will read it from the filesystem.
  • VAULT_K8S_HOST - Kubernetes API hostname (default: https://kubernetes.default)
  • VAULT_K8SROLES_FILE - JSON file containing one or more Vault k8s auth roles, in the following format (every field except name accepts multiple comma-separated values): 
    [
  {
      "name": "k8sauth",
      "service_accounts": "default,default2",
      "namespaces": "default,default2",
      "policies": "policy1,policy2"
  }
]

App ID (deprecated)

If the app ID backend is enabled, app ID profiles can be created by setting the file at /opt/app-id.json (override with $VAULT_APP_ID_FILE) as follows:

[
  {
    "name": "app-id-1",
    "policy": "root",
    "user_ids": [
      "asdf",
      "qwerty"
    ]
  },
  {
    "name": "app-id-2",
    "policy": "root",
    "user_ids": [
      "mary",
      "fred"
    ]
  }
]

Policies

Policies can be created by specifying the file at /opt/policies.json (override with $VAULT_POLICIES_FILE) as follows:

{
  "policy1": "path \"secret/*\" { policy = \"write\" }"
}

Healthcheck

The native Docker healthcheck will return healthy when all configured secrets have been written.

Authentication

The upstream vault image is mostly unmodified so it runs Vault in development by default (no auth necessary) and also respects the environment variable VAULT_DEV_ROOT_TOKEN_ID.

See https://hub.docker.com/_/vault/ for details.

Docker Registry

https://quay.io/dollarshaveclub/vault-dev

About

Vault docker image for local development

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 77.6%
  • Smarty 18.4%
  • Dockerfile 4.0%