Skip to content

Latest commit

 

History

History
113 lines (87 loc) · 2.91 KB

README.md

File metadata and controls

113 lines (87 loc) · 2.91 KB
Raw

Vault Development Docker Image

Docker image based on upstream official Vault image which allows pre-populating with secrets for local development/testing. DO NOT USE FOR PRODUCTION PURPOSES.

Secrets

The JSON file at /opt/secrets.json (override with $VAULT_SECRETS_FILE) will be read and written into the generic secret backend on startup.

The format is an object associating a path with value, as follows:

{
  "secret/foo/bar": "baz",
  "secret/something/else": "asdf1234"
}

Helm Chart

There is a bundled Helm chart included at .helm/charts/vault. See values.yaml for configuration.

Backends

The following backends can be enabled by setting the appropriate environment variable to 1:

  • App ID: $VAULT_USE_APP_ID
  • Kubernetes: $VAULT_USE_K8S

Kubernetes

Kubernets auth is supported but will only function when the container is running within a k8s pod. Set $VAULT_USE_K8S to "1" to enable the backend.

The following environment variables are supported:

  • VAULT_CA_CERT - This is the CA certificate bundle data for clients of the Kubernetes API, or the default value "@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" will read it from the filesystem.
  • VAULT_K8S_HOST - Kubernetes API hostname (default: https://kubernetes.default)
  • VAULT_K8SROLES_FILE - JSON file containing one or more Vault k8s auth roles, in the following format (every field except name accepts multiple comma-separated values): 
    [
  {
      "name": "k8sauth",
      "service_accounts": "default,default2",
      "namespaces": "default,default2",
      "policies": "policy1,policy2"
  }
]

App ID (deprecated)

If the app ID backend is enabled, app ID profiles can be created by setting the file at /opt/app-id.json (override with $VAULT_APP_ID_FILE) as follows:

[
  {
    "name": "app-id-1",
    "policy": "root",
    "user_ids": [
      "asdf",
      "qwerty"
    ]
  },
  {
    "name": "app-id-2",
    "policy": "root",
    "user_ids": [
      "mary",
      "fred"
    ]
  }
]

Policies

Policies can be created by specifying the file at /opt/policies.json (override with $VAULT_POLICIES_FILE) as follows:

{
  "policy1": "path \"secret/*\" { policy = \"write\" }"
}

Healthcheck

The native Docker healthcheck will return healthy when all configured secrets have been written.

Authentication

The upstream vault image is mostly unmodified so it runs Vault in development by default (no auth necessary) and also respects the environment variable VAULT_DEV_ROOT_TOKEN_ID.

See https://hub.docker.com/_/vault/ for details.

Docker Registry

https://quay.io/dollarshaveclub/vault-dev