Notes for Research

  • https://www.katacoda.com/courses/docker-production/vault-secrets
  • https://github.com/csawyerYumaed/vault-docker
  • https://github.com/aerofs/gockerize
  • https://github.com/CenturyLinkLabs/golang-builder
  • https://gist.github.com/voxxit/dd6f95398c1bdc9f1038
  • https://github.com/calavera/docker-volume-keywhiz
  • https://github.com/defunctzombie/docket
  • https://github.com/ehazlett/docker-volume-libsecret
  • https://github.com/AngryBytes/docker-surgery
  • https://www.vaultproject.io/intro/getting-started/apis.html

References

  • http://elasticcompute.io/2016/01/21/runtime-secrets-with-docker-containers/

Content

These steps result in Hashicorp Vault running in development mode. Do NOT use in production without proper research.

All of these steps are done on a Raspberry PI.

  • Connect to the RPI
ssh -oStrictHostKeyChecking=no -oCheckHostIP=no pirate@pi1.local
  • Create a project directory
mkdir -p projects/armhf-vault
  • Connect to the project directory
cd projects/armhf-vault
  • Create a Dockerfile
cat << EOF > Dockerfile
FROM container4armhf/armhf-alpine:3.4

MAINTAINER Christopher 'Chief' Najewicz <chief@beefdisciple.com>

ENV version=0.6.0
ENV os=linux
ENV arch=arm

ADD https://releases.hashicorp.com/vault/${version}/vault_${version}_${os}_${arch}.zip /tmp/vault.zip

RUN \
  cd /bin &&\
  unzip /tmp/vault.zip &&\
  chmod +x /bin/vault &&\
  rm /tmp/vault.zip &&\
  apk update &&\
  apk add ca-certificates

EXPOSE 8200

VOLUME /etc/vault.hcl

ENTRYPOINT ["/bin/vault", "server"]

CMD ["-config=/etc/vault.hcl"]
EOF
  • Create a vault configuration file.
cat << EOF > vault.hcl
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
EOF
  • Create a script to build the image.
cat << EOF > build-image.sh
docker build -t medined/armhf-vault .
EOF
  • Create a script to run the image.
cat << EOF > run-image.sh
docker run \
    --rm \
    --name vault-dev \
    --memory-swap -1 \
    -v "vault.hcl:/etc/vault.hcl"
    -p 8200:8200 \
    medined/armhf-vault -dev
EOF
  • Make the scripts executable.
chmod +x *.sh
  • Build the image.
./build-image.sh
  • Run the image.
./run-image.sh
  • Open a new terminal and connect to the RPI
ssh -oStrictHostKeyChecking=no -oCheckHostIP=no pirate@pi1.local
  • Run a shell inside the vault container
docker exec -it vault-dev /bin/sh
  • Export the vault http address.
export VAULT_ADDR=http://127.0.0.1:8200
  • Now you can use the vault command.
vault status
  • Alternatively you can use wget
http://127.0.0.1:8200/v1/sys/seal-status