在 Vault 中存储默认环境变量,而不是在 docker-compose 中存储标准服务的 env 文件
我有一个docker-compose使用标准软件容器,例如:
- infuxdb
- mariadb
- -node-red
node 工业单板计算机(可能无法连接到Internet)
进行初始设置(堆叠堆栈),我通过其环境变量文件(例如incod> infuxdb.env )传递了一些标准凭据(例如管理员凭据)代码> Mariadb.env
。
services:
influxdb:
image: influxdb:2.0
env_file:
- influxdb.env
nodered:
image: nodered/node-red:2.2.2
env_file:
- node-red.env
等
INFLUXDB_ADMIN_USER=admin
INFLUXDB_ADMIN_PASSWORD=password!#$2
# other env vars that might be crucial for initial stack boot up
在磁盘上,仍然很脆弱。我想了解Hashicorp保管库是否可以提供合理的解决方案,在该解决方案中,可以将这些凭据(秘密)存储为键值对,并在运行时提供给Docker-Compose服务。
我了解一个瓶颈,因为我使用了标准容器(现成的),并且它们可能没有保险库集成。但是,我仍然可以使用Vault存储ENV VAR并让服务在运行时访问它们吗?还是我必须为这些容器编写 side-cars ,然后让他们接受这些env var值?
I have a docker-compose stack which uses standard software containers like:
- InfluxDB
- MariaDB
- Node-Red
running on a Industrial Single Board Computer (which may not be connected to the internet)
for initial setup (bringing the stack up), I pass some standard credentials like admin credentials via their environment variable files e.g. influxdb.env, mariadb.env etc.
A typical example of a docker-compose.yml here is:
services:
influxdb:
image: influxdb:2.0
env_file:
- influxdb.env
nodered:
image: nodered/node-red:2.2.2
env_file:
- node-red.env
An example of influxdb.env could be:
INFLUXDB_ADMIN_USER=admin
INFLUXDB_ADMIN_PASSWORD=password!#$2
# other env vars that might be crucial for initial stack boot up
These files are on the disk and can still be vulnerable. I wish to understand if Hashicorp Vault can provide a plausible solution where such credentials (secrets) can be stored as key-value pairs and be made available to the docker-compose services upon runtime.
I understand one bottleneck that since I am using standard containers (ready-to-use) and they may not have vault integration. However, can I still use vault to store the env vars and let the services access them on runtime? Or do I have to write side-cars for these containers and then let them accept these env var values?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这里有一些限制需要处理:
docker-compose命令行Docker Composer 可以从文件中读取其环境变量。我建议您创建该文件并使用
--env-file参数将其提供给docker-compose。我可以想到两种写入该文件的方法:
vault kv get的输出以NAME=VALUE格式写入文件第一个选项非常简单。调用输出机密并将其发送到文件的函数:
Vault 代理的模板引擎 功能更强大,但设置更复杂。
另一个建议是使用 Vault 的动态机密数据库(支持 InfluxDB) 。但您需要为 Vault 提供数据库中的 DBA 权限。如果您每次都从头开始创建数据库,则可以设置 DBA 密码
dba-root,为 Vault 提供该密码,然后 指示它为您轮换。You have a few constraints to work with here:
docker-composecommand lineDocker composer can read it's environment variables from a file. I suggest that you create that file and provide it to
docker-composewith the--env-fileparameter.I can think of two approach to write that file:
vault kv getto a file, inNAME=VALUEformatThe first option is quite straighforward. Call a function that outputs the secrets and send it to a file:
Vault agent 's template engine is much more powerfull, but is more complex to set up.
Another suggestion would be to use Vault's dynamic secrets for databases (InfluxDB is supported). But you need to provide Vault with DBA privileges in your database. If you create the database from scratch everytime, you could make the DBA password
dba-root, give Vault that password and instruct it to rotate it for you.类似于
docker-compose.yml从Shell的环境变量中填充值。参见详细信息:
export_secrets()函数>通过
通过验证它们echo $ database_password代替
A working solution similar to ixe013's without saving files:
docker-compose.ymlfrom Shell's environment variables. see docker documentationDetails:
export_secrets()functionVerify them by
echo $DATABASE_PASSWORDIn
docker-compose.yml, substitute from the shell