Skip to content

Latest commit

 

History

History
120 lines (90 loc) · 2.98 KB

README.md

File metadata and controls

120 lines (90 loc) · 2.98 KB

libsecret Docker Volume Driver Plugin

This is a Docker Volume Driver plugin for libsecret.

Usage

To start the plugin, run the following:

This example uses Vault

Create a Vault configuration file. Note: this is just for testing. Do not use in production.

backend "inmem" {}

listener "tcp" {
    address = "0.0.0.0:8200"
    tls_disable = 1

}

Start Vault

docker run \
    -p 8200:8200 \
    --name vault \
    -ti \
    -v /path/to/config.hcl:/vault.hcl \
    --rm \
    jess/vault server -config /vault.hcl

This will start Vault and listen on port 8200.

Next, use Docker exec to configure Vault:

docker exec -ti vault ash
/ # export VAULT_ADDR=http://127.0.0.1:8200

Then run vault init to initialize:

/ # vault init
Key 1: e51d7dab67f5f1d6ab396dba1f56cf6f29a626122c15e90ba0cddb2314d5bbe101
Key 2: ee7486a8be40a8f04c84533674b1e792440f0f5e7bddf03b3e5068ffddf8b73302
Key 3: 19340efb1645dad09adea510ed891d31e225d60a81ea0bdd107dad86d39265fe03
Key 4: d59de8adc555c4f931e1ec6638417e7c44e07b8084b5f15e681e434cce4b515c04
Key 5: 22dd60fe6d50b6d9e7bb1a40a17984dfe2caa2d47e820ab846338635c021839105
Initial Root Token: 721b2a50-629d-a47c-fe3b-95e766080087

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.

Vault does not store the master key. Without at least 3 keys,
your Vault will remain permanently sealed.

Use the Token and keys to unseal the vault:

/ # export VAULT_TOKEN=721b2a50-629d-a47c-fe3b-95e766080087

Then run vault unseal 3 times to unlock using the keys above:

/ # vault unseal
Key (will be hidden): 
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 1

Use the vault command to add secrets:

/ # vault write secret/prod/redis value=foopass
Success! Data written to: secret/prod/redis

/ # vault read secret/prod/redis
Key             Value
lease_duration  2592000
value            foopass

Now that you have Vault, start the Volume driver plugin:

Note: due to a limitation by design, you cannot run this plugin in a container since the fuse mounts will not be propagated. This must run on the host. Future updates to Docker may remove this limitation.

sudo docker-volume-libsecret \
    --addr <vault-address> \
    --backend vault \
    --store-opt token=<vault-token>

Replace <vault-address> and <vault-token> with the address and token to your Vault instance.

You can then run a container mounting any part of the path and the container will be able to read the secret.

docker run -ti --rm --volume-driver libsecret -v secret/prod:/secrets alpine ash

/ # cat /secrets/redis
foopass

Note: You will not be able to browse (ls) the mounted directory (/secrets).
This is by design and for security to prevent unauthorized viewing. The application must know the path to the secrets.