
feature: Support reading tokens from file so tokens can be stored safely in docker secrets #48

Open
4 tasks done
brofids opened this issue Apr 9, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@brofids commented Apr 9, 2024

✨ Describe the feature you'd like

Hi, I'm trying to run vault-unseal as a container in my docker swarm instance.
Then I realized that to make it work I need to store my tokens in unencrypted format inside the vault-unseal.yaml file on the host.

I think it would be very nice if vault-unseal supported reading the token list from a separate file, so I could then use docker secrets to store my tokens securely.

🌧 Is your feature request related to a problem?

No response

🔎 Describe alternatives you've considered

--

⚠ If implemented, do you think this feature will be a breaking change to users?

Yes

⚙ Additional context

To make my approach of using vault-unseal clearer, here is an example.

First I create a new secret containing the tokens:
echo "aaaaaaaaaaaaaaaaaa,bbbbbbbbbbbbbbb" | docker secret create vault_unseal_tokens_a_b -

Then I can use the stack compose script below to easily spawn a new vault-unseal node:

version: '3.8'
services:
  vault_unseal_1:
    image: ghcr.io/lrstanley/vault-unseal:latest
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
    environment:
      - CONFIG_PATH=/vault_unseal_config
      - TOKENS__FILE=/run/secrets/unseal_tokens
    networks:
      - vault-unseal-network
    configs:
      - source: vault_unseal_config
        mode: 0400
    secrets:
      - unseal_tokens

networks:
  vault-unseal-network:
    name: "vault_unseal_network"

configs:
  vault_unseal_config:
    name: "vault_unseal_conf_v1"
    external: true

secrets:
  unseal_tokens:
    name: "vault_unseal_tokens_a_b"
    external: true

🤝 Requirements

  • I have confirmed that someone else has not submitted a similar feature request.
  • If implemented, I believe this feature will help others, in addition to solving my problems.
  • I have looked into alternative solutions to the best of my ability.
  • (optional) I would be willing to contribute to testing this feature if implemented, or making a PR to implement this functionality.
@brofids brofids added the enhancement New feature or request label Apr 9, 2024
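One way the requested indirection could be implemented, as an added example in Go that is not vault-unseal's own code: the unseal tokens come either from a comma-separated TOKENS variable or from the file named by TOKENS_FILE (the plain `_FILE` suffix is assumed here; the issue's compose uses `TOKENS__FILE`), and the environment lookup is injected so the logic can be tested without touching the real process environment.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// loadTokens reads comma-separated tokens from envName, or from the file named by
// envName+"_FILE" (e.g. a docker secret under /run/secrets). Setting both is an
// error, so a stray plaintext TOKENS can never silently override the secret file.
func loadTokens(envName string, lookup func(string) (string, bool)) ([]string, error) {
	direct, hasDirect := lookup(envName)
	path, hasFile := lookup(envName + "_FILE")
	if hasDirect && hasFile {
		return nil, fmt.Errorf("%s and %s_FILE are mutually exclusive", envName, envName)
	}
	raw := direct
	if hasFile {
		data, err := os.ReadFile(path)
		if err != nil {
			return nil, fmt.Errorf("reading %s_FILE: %w", envName, err)
		}
		raw = string(data)
	}
	return parseTokens(raw)
}

// parseTokens splits the list, dropping whitespace and the trailing newline that `echo ... | docker secret create` stores.
func parseTokens(raw string) ([]string, error) {
	var tokens []string
	for _, t := range strings.Split(raw, ",") {
		if t = strings.TrimSpace(t); t != "" {
			tokens = append(tokens, t)
		}
	}
	if len(tokens) == 0 {
		return nil, fmt.Errorf("no unseal tokens found")
	}
	return tokens, nil
}

func main() {
	// Constructed sample: a secret file holding the issue's two placeholder tokens, mounted read-only as swarm would.
	dir, _ := os.MkdirTemp("", "unseal")
	_ = os.WriteFile(dir+"/unseal_tokens", []byte("aaaaaaaaaaaaaaaaaa,bbbbbbbbbbbbbbb\n"), 0o400)
	env := map[string]string{"TOKENS_FILE": dir + "/unseal_tokens"}
	tokens, err := loadTokens("TOKENS", func(k string) (string, bool) { v, ok := env[k]; return v, ok })
	fmt.Println(tokens, err) // [aaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbb] <nil>
	os.RemoveAll(dir)
}
```

In production the lookup would be os.LookupEnv; the file itself should stay at mode 0400 as the compose above already requests for the config.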
@lrstanley (Owner) commented

Sorry for the delay @brofids -- have you looked at simply mounting a .env file in the container in question? I'm not near my Kubernetes setup to confirm that's how I'm doing it, but it should work. It's the CWD of the container, so if you haven't modified it, it should just be /.env. This won't load them as environment variables; rather, it will read the file and populate them at runtime as if they were environment variables.

That may or may not work for your case, depending on whether you're able to format the file beforehand.
