How do I get a secret from HashiCorp Vault's HTTP API into a Docker container?

Time: 2016-11-02 12:47:11

Tags: docker hashicorp-vault

I am trying to fetch a secret from HashiCorp Vault through the HTTP API into an environment variable inside a Dockerfile. The secret is needed to download a file from a private git repository.

Relevant part of the Dockerfile

FROM debian:jessie

ENV REPOSITORY_LOCAL_IP 192.168.1.x
ENV REPOSITORY_PORT 20080
ENV REPOSITORY_USER root

ENV PRIVATE_TOKEN "$(curl -s -H "X-Vault-Token: xxx" -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')"

RUN apt install curl jq -y && \
    wget http://"$REPOSITORY_LOCAL_IP":"$REPOSITORY_PORT"/"$REPOSITORY_USER"/repository/blob/master/files/file.conf?private_token="$PRIVATE_TOKEN"

Relevant part of docker-compose.yml

version: '2'
services:
  hhvm_dev:
    build:
      dockerfile: image.df
      context: ./images/.
    user: user
    restart: always
    stdin_open: true
    tty: true
    working_dir: /etc/image
    ports:
      - "80"

Running it with docker-compose build returns the following output:

converted 'http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl -s -H X-Vault-Token: xxx-token-xxx -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')' (ANSI_X3.4-1968) -> 'http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl -s -H X-Vault-Token: xxx-token-xxx -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')' (UTF-8)
--2016-11-02 12:07:41--  http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl%20-s%20-H%20X-Vault-Token:%xxx-token-xxx%20-X%20GET%20http://192.168.1.x:8200/v1/secret/private-token%20%7C%20jq%20-r%20'.data.value')
Connecting to 192.168.1.x:20080... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://192.168.1.x:20080/users/sign_in [following]
converted 'http://192.168.1.x:20080/users/sign_in' (ANSI_X3.4-1968) -> 'http://192.168.1.x:20080/users/sign_in' (UTF-8)
--2016-11-02 12:07:41--  http://192.168.1.x:20080/users/sign_in
Reusing existing connection to 192.168.1.x:20080.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: '/scripts/file.sh'

     0K ........                                               6.17M=0.001s

2016-11-02 12:07:42 (6.17 MB/s) - '/scripts/file.sh' saved [8270]

It looks like PRIVATE_TOKEN is not being set where it is specified. It just downloads the login page of the private repository.

1 answer:

Answer 0 (score: 0)

Docker doesn't interpret "ENV" with a shell; it just sets a literal string, with some parsing for any docker args you may have included. In a RUN command the environment variable is expanded to that string, but it is not evaluated a second time to run the command it contains. Move your curl into the RUN command that uses PRIVATE_TOKEN, something like this untested code:

# curl and jq must be installed before they are called, and the package lists
# are empty in a fresh debian:jessie image, so update first
RUN apt-get update && apt install curl jq -y \
 && export PRIVATE_TOKEN=$(curl -s -H "X-Vault-Token: xxx" -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value') \
 && wget "http://$REPOSITORY_LOCAL_IP:$REPOSITORY_PORT/$REPOSITORY_USER/repository/blob/master/files/file.conf?private_token=$PRIVATE_TOKEN"
# note: the literal Vault token written into this RUN line is recorded in the image's layer history

Note that with this design PRIVATE_TOKEN only exists inside that one RUN command, so you cannot reuse it later.
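As an added example (not code from the question or the answer), here is the Python equivalent of the `curl ... | jq -r '.data.value'` step, with the HTTP call factored out so the response handling can be exercised offline against constructed Vault responses. The Vault address, token and secret path are the placeholders from the question; the sample JSON bodies are constructed, not captured.

```python
import json
import urllib.error
import urllib.request

# Constructed sample responses (not captured from a real Vault server). The first
# has the KV shape the page's `jq -r '.data.value'` expects; on the second, that
# jq filter prints "null" and exits 0, so the token would silently become "null".
SAMPLE_OK = '{"request_id":"c0ff33","lease_duration":2764800,"data":{"value":"s3cr3t-token"}}'
SAMPLE_DENIED = '{"errors":["permission denied"]}'

class VaultError(Exception):
    pass

def parse_vault_value(body, key="value"):
    """Return data.<key> from a Vault KV body; raise on error bodies or empty values."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise VaultError("response is not JSON") from exc
    if doc.get("errors"):
        raise VaultError("vault error: " + "; ".join(doc["errors"]))
    value = (doc.get("data") or {}).get(key)
    if not isinstance(value, str) or not value:
        raise VaultError("data.%s missing or empty" % key)
    return value

def _http_get(url, headers):
    # Vault returns its error bodies with 4xx codes, which urllib raises as HTTPError
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()

def read_secret(addr, token, path, http=_http_get):
    """GET <addr>/v1/<path> with X-Vault-Token; `http` is injectable for offline tests."""
    url = "%s/v1/%s" % (addr.rstrip("/"), path.lstrip("/"))
    status, body = http(url, {"X-Vault-Token": token})
    value = parse_vault_value(body)  # surfaces errors[] before the status check
    if status != 200:
        raise VaultError("unexpected HTTP status %d" % status)
    return value

def demo():
    # Run both constructed cases offline and return the outcomes
    addr, path = "http://192.168.1.x:8200", "secret/private-token"
    ok = read_secret(addr, "xxx", path, http=lambda u, h: (200, SAMPLE_OK))
    try:
        denied = read_secret(addr, "xxx", path, http=lambda u, h: (403, SAMPLE_DENIED))
    except VaultError as exc:
        denied = str(exc)
    return {"ok": ok, "denied": denied}
```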