I have a docker-compose
stack which uses standard software containers like:
- InfluxDB
- MariaDB
- Node-Red
running on a Industrial Single Board Computer (which may not be connected to the internet)
for initial setup (bringing the stack up), I pass some standard credentials like admin credentials via their environment variable files e.g. influxdb.env
, mariadb.env
etc.
A typical example of a docker-compose.yml
here is:
services:
influxdb:
image: influxdb:2.0
env_file:
- influxdb.env
nodered:
image: nodered/node-red:2.2.2
env_file:
- node-red.env
An example of influxdb.env
could be:
INFLUXDB_ADMIN_USER=admin
INFLUXDB_ADMIN_PASSWORD=password!#$2
# other env vars that might be crucial for initial stack boot up
These files are on the disk and can still be vulnerable. I wish to understand if Hashicorp Vault can provide a plausible solution where such credentials (secrets) can be stored as key-value pairs and be made available to the docker-compose services upon runtime.
I understand one bottleneck that since I am using standard containers (ready-to-use) and they may not have vault integration. However, can I still use vault to store the env vars and let the services access them on runtime? Or do I have to write side-cars for these containers and then let them accept these env var values?
2
Answers
You have a few constraints to work with here:
docker-compose
command lineDocker composer can read it’s environment variables from a file. I suggest that you create that file and provide it to
docker-compose
with the--env-file
parameter.I can think of two approach to write that file:
vault kv get
to a file, inNAME=VALUE
formatThe first option is quite straighforward. Call a function that outputs the secrets and send it to a file:
Vault agent ‘s template engine is much more powerfull, but is more complex to set up.
Another suggestion would be to use Vault’s dynamic secrets for databases (InfluxDB is supported). But you need to provide Vault with DBA privileges in your database. If you create the database from scratch everytime, you could make the DBA password
dba-root
, give Vault that password and instruct it to rotate it for you.A working solution similar to ixe013’s without saving files:
docker-compose.yml
from Shell’s environment variables. see docker documentationDetails:
export_secrets()
functionVerify them by
echo $DATABASE_PASSWORD
In
docker-compose.yml
, substitute from the shell