Name: vault
Owner: Auth0
Description: Secret store to be used on Docker image building
Forked from: dockito/vault
Created: 2017-08-07 21:52:26.0
Updated: 2018-04-13 17:26:31.0
Pushed: 2018-04-13 17:26:30.0
Size: 36
Language: Shell
A solution to use SSH keys while building images.
Here is an example installing Node.js dependencies:
RUN ONVAULT npm install
During the build, you can use the ONVAULT utility to run any command that needs the private keys. The private keys are removed automatically after the command completes.
First you need to install the ONVAULT utility by adding the following statements to your Dockerfile (this example works for Debian/Ubuntu):
# Installs Dockito Vault ONVAULT utility
# https://github.com/dockito/vault
RUN apt-get update -y && \
    apt-get install -y curl && \
    curl -L https://raw.githubusercontent.com/dockito/vault/master/ONVAULT > /usr/local/bin/ONVAULT && \
    chmod +x /usr/local/bin/ONVAULT
The script's only dependency is curl (installed above).
Or on Alpine Linux:
# Installs Dockito Vault ONVAULT utility
# https://github.com/dockito/vault
RUN apk add -Uuv bash curl && \
    curl -L https://raw.githubusercontent.com/dockito/vault/master/ONVAULT > /usr/local/bin/ONVAULT && \
    chmod +x /usr/local/bin/ONVAULT
Then use it on any command that requires the private keys:
RUN ONVAULT npm install --unsafe-perm
Here is a complete Node.js example using these concepts:
FROM node:0.10.38

# Installs Dockito Vault ONVAULT utility
# https://github.com/dockito/vault
RUN apt-get update -y && \
    apt-get install -y curl && \
    curl -L https://raw.githubusercontent.com/dockito/vault/master/ONVAULT > /usr/local/bin/ONVAULT && \
    chmod +x /usr/local/bin/ONVAULT

RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app

COPY package.json /usr/src/app/
RUN ONVAULT npm install --unsafe-perm

COPY . /usr/src/app

CMD [ "npm", "start" ]
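The property the Dockerfile above relies on is that the keys ONVAULT fetches do not survive in the finished image. The following added check, which is not part of dockito/vault, scans an image exported with `docker save` for PEM private-key headers in every layer; the sample image tars it builds are constructed for the demonstration and the layer id 0123abcd is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not part of dockito/vault: scan an image exported with
# `docker save -o image.tar <image>` for private keys left behind in a layer.
# A key that ONVAULT copied in and deleted within the same RUN step leaves no
# trace; a key deleted only in a later RUN step is still inside the earlier layer.

# $1 = one layer tar from the export, $2 = label printed for that layer.
scan_layer() {
  local dir
  tar -tf "$1" >/dev/null 2>&1 || return 0      # JSON metadata, not a tar: skip
  dir=$(mktemp -d) || return 0
  tar -xf "$1" -C "$dir" 2>/dev/null || true    # device nodes may fail unprivileged
  grep -rlsa -- '-----BEGIN .*PRIVATE KEY-----' "$dir" | sed "s|^$dir|$2 |"
  rm -rf "$dir"
}

# Usage: image_tar_has_private_key <image.tar>
# Prints "<layer-file> <path-in-layer>" per finding.
# Exit 0 = key material found, 1 = clean, 2 = not a readable image tar.
image_tar_has_private_key() {
  local image_tar=$1 work report
  work=$(mktemp -d) || return 2
  tar -xf "$image_tar" -C "$work" 2>/dev/null || { rm -rf "$work"; return 2; }
  # docker save emits one tar per layer (<id>/layer.tar or blobs/sha256/<digest>)
  report=$(find "$work" -type f | while IFS= read -r layer; do
    scan_layer "$layer" "${layer#"$work"/}"
  done)
  rm -rf "$work"
  [ -n "$report" ] || return 1
  printf '%s\n' "$report"
}

# Constructed sample export (no Docker needed): one layer holding an installed
# node_modules tree; kind "leaky" adds a placeholder key under /root/.ssh.
make_sample_image_tar() {
  local out=$1 kind=$2 rootfs staging
  rootfs=$(mktemp -d); staging=$(mktemp -d)
  mkdir -p "$rootfs/usr/src/app/node_modules" "$rootfs/root/.ssh" "$staging/0123abcd"
  echo '{}' > "$rootfs/usr/src/app/node_modules/package.json"
  if [ "$kind" = leaky ]; then   # PEM framing only, not a real key
    printf '%s\nPLACEHOLDER-NOT-A-REAL-KEY\n%s\n' \
      '-----BEGIN OPENSSH PRIVATE KEY-----' '-----END OPENSSH PRIVATE KEY-----' \
      > "$rootfs/root/.ssh/id_rsa"
  fi
  tar -cf "$staging/0123abcd/layer.tar" -C "$rootfs" .
  echo '[{"Layers":["0123abcd/layer.tar"]}]' > "$staging/manifest.json"
  tar -cf "$out" -C "$staging" .
  rm -rf "$rootfs" "$staging"
}
```

Against a real build, run `docker save -o image.tar <image>` and then `image_tar_has_private_key image.tar`; any line of output names a layer that still carries key material.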
It is composed of two pieces:
- the vault server, a container that exposes your ~/.ssh folder (how to run it is described below)
- the ONVAULT utility, which needs to be installed in the image to allow access to the private keys during the build process
The server IP may be different depending on the Docker version you are running or if you are using a custom bridge network for Docker. Execute the command below to find out the IP used by Docker:
ifconfig docker0 | grep 'inet ' | cut -d: -f2 | awk '{ print $2}'
Some custom configurations are allowed through environment variables:
- VAULT_HOST: custom host for the vault server (example 172.17.0.1)
- VAULT_PORT: custom host+port for the vault server (example tcp:172.17.0.1:14242)
- VAULT_URI: custom URI for the vault server (example http://172.17.0.1:14242)
- VAULT_SSH_KEY: custom ssh key name used during the ONVAULT command (example id_rsa)
- VAULT_SSH_CONFIG: custom ssh config file used during the ONVAULT command (example config)
Other ssh configurations can be achieved through your own ssh config file. Since the vault has access to the whole .ssh directory, the ssh config file is available when running the ONVAULT command, which means any configuration in the ssh config file will be applied to the ssh connection.
An example where you could use the ssh config file is when you need to use different private keys for different hosts.
# ~/.ssh/config
# Use this key for github host
Host github.com
  IdentityFile ~/.ssh/github_docker_key

# use this key for my myprivatehost.com
Host myprivatehost.com
  IdentityFile ~/.ssh/myprivatehost_key

# otherwise will use the id_rsa key for any other host
If platform-specific commands are in your ~/.ssh/config, you can use the VAULT_SSH_CONFIG environment variable to specify an alternate file within the ~/.ssh directory.
If your key is protected by a passphrase, you can pass the passphrase to ONVAULT, which removes it from the key inside the container before using the key:
ONVAULT --disable-pwd %password% npm install
If any of your ssh files is a symlink, you will also need to map the volume of the symlink destination into the Docker vault server. Otherwise the symlink cannot be resolved when the ONVAULT command copies the ssh files.
Run the server, mounting your ~/.ssh folder as a volume:
docker run -p 172.17.0.1:14242:3000 -v ~/.ssh:/vault/.ssh dockito/vault
This IP may be different. Check the “How it works” section to find out the right IP in case this one does not work for you.
There is also a docker-compose.yml file in this project, allowing you to run it (after cloning the project) with:
docker-compose up vault
Happy coding!
Although its main purpose is to fix the issue of building Docker images, it can also be used as a source of secrets for a running container:
docker run -v ~/.ssh:/vault/.ssh --name vault dockito/vault
docker run --link vault image-with-onvault ONVAULT npm install --unsafe-perm
Because NPM dependencies are installed locally, the dependencies installed in the base image won't be available at development time, so you will need to npm install them again:
git clone https://github.com/dockito/vault.git
cd vault
docker-compose run vault npm install
docker-compose up vault
A Dockerfile using this technique requires the special vault service to be running, meaning it is not possible to run the build process at the Docker Hub.
As the vault service is not running an ssh-agent (it copies the contents of the key files instead), the password cannot be entered prior to execution.
Initial implementation by Paulo Ragonha. Based on the ideas of Max Claus Nunes and Eduardo Nunes.