How to get a secret from HashiCorp's Vault HTTP API into a docker container?
Trying to get a secret from HashiCorp's Vault into an environment variable inside a Dockerfile, using the HTTP API. The secret is needed to download a file from a private git repository.
Dockerfile
relevant part
FROM debian:jessie
ENV REPOSITORY_LOCAL_IP 192.168.1.x
ENV REPOSITORY_PORT 20080
ENV REPOSITORY_USER root
ENV PRIVATE_TOKEN "$(curl -s -H "X-Vault-Token: xxx" -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')"
RUN apt install curl jq -y && \
wget http://"$REPOSITORY_LOCAL_IP":"$REPOSITORY_PORT"/"$REPOSITORY_USER"/repository/blob/master/files/file.conf?private_token="$PRIVATE_TOKEN"
docker-compose.yml
relevant part
version: '2'
services:
  hhvm_dev:
    build:
      dockerfile: image.df
      context: ./images/.
    user: user
    restart: always
    stdin_open: true
    tty: true
    working_dir: /etc/image
    ports:
      - "80"
Running docker-compose build returns the following output:
converted 'http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl -s -H X-Vault-Token: xxx-token-xxx -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')' (ANSI_X3.4-1968) -> 'http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl -s -H X-Vault-Token: xxx-token-xxx -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')' (UTF-8)
--2016-11-02 12:07:41-- http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl%20-s%20-H%20X-Vault-Token:%xxx-token-xxx%20-X%20GET%20http://192.168.1.x:8200/v1/secret/private-token%20%7C%20jq%20-r%20'.data.value')
Connecting to 192.168.1.x:20080... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://192.168.1.x:20080/users/sign_in [following]
converted 'http://192.168.1.x:20080/users/sign_in' (ANSI_X3.4-1968) -> 'http://192.168.1.x:20080/users/sign_in' (UTF-8)
--2016-11-02 12:07:41-- http://192.168.1.x:20080/users/sign_in
Reusing existing connection to 192.168.1.x:20080.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: '/scripts/file.sh'
0K ........ 6.17M=0.001s
2016-11-02 12:07:42 (6.17 MB/s) - '/scripts/file.sh' saved [8270]
It looks like PRIVATE_TOKEN is not being set where it is supposed to be. It just downloads the login page from the private repository.
Docker does not interpret ENV with a shell; it just sets the literal string, with some parsing of any Docker args you may have included. In a RUN command the environment variable is expanded into the string, but it is not evaluated a second time to run the command it contains. Move the curl for PRIVATE_TOKEN into the RUN command, something like the following untested code:
RUN apt install curl jq -y \
 && export PRIVATE_TOKEN=$(curl -s -H "X-Vault-Token: xxx" -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value') \
 && wget http://"$REPOSITORY_LOCAL_IP":"$REPOSITORY_PORT":"$REPOSITORY_USER"/repository/blob/master/files/file.conf?private_token="$PRIVATE_TOKEN"
Note that in this design PRIVATE_TOKEN will exist only within that one RUN command, so you will not be able to reuse it later.
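As an added example (not code from the question or the answer), the same build-time fetch written as a small Python helper that replaces the curl | jq pipeline: it reads the secret from Vault's HTTP API, rejects a token that still contains unexpanded shell syntax (the exact symptom above), and refuses to follow the 302 to /users/sign_in so a rejected token fails the build instead of saving the login page. The Vault address is the question's placeholder; the KV v2 handling goes beyond the page's KV v1 path.

```python
# Added example (not code from the question or the answer): a build-time
# helper that reads a secret from Vault's HTTP API and uses it for the
# private-repo download. VAULT_ADDR is the question's placeholder address.
import json
import urllib.error
import urllib.parse
import urllib.request

VAULT_ADDR = "http://192.168.1.x:8200"


def vault_secret_value(body, key="value"):
    """Pull one field out of a Vault KV read. KV v1 returns {"data": {...}};
    KV v2 nests it as {"data": {"data": {...}, "metadata": {...}}}."""
    data = json.loads(body).get("data") or {}
    if isinstance(data.get("data"), dict) and "metadata" in data:
        data = data["data"]
    value = data.get(key)
    if not isinstance(value, str) or not value:
        raise ValueError("Vault response has no usable %r field" % key)
    return value


def check_expanded(token):
    """Dockerfile ENV never runs $(...), so a token that still contains shell
    syntax is the literal Dockerfile text, not a secret."""
    if any(marker in token for marker in ("$(", "${", "`")):
        raise ValueError("token was never expanded by a shell: %r" % token)
    return token


def read_vault_secret(path, vault_token, addr=VAULT_ADDR):
    """GET /v1/<path>; a non-2xx answer raises urllib.error.HTTPError."""
    req = urllib.request.Request(addr + "/v1/" + path,
                                 headers={"X-Vault-Token": vault_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return vault_secret_value(resp.read().decode())


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A 302 to /users/sign_in means the token was rejected; following it
    would save the HTML login page as the file, as seen in the question."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code,
                                     "redirected to %s" % newurl, headers, fp)


def repo_file_url(base, token):
    # private_token goes in as a URL-encoded query parameter
    return base + "?" + urllib.parse.urlencode({"private_token": check_expanded(token)})
```

Open `repo_file_url(...)` through `urllib.request.build_opener(_NoRedirect())` in the build step; the token then lives only in that process, as in the answer's single RUN command.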