1. 首頁
  2. 問答
  3. 如何從HashiCorp的Vault HTTP API中獲取祕密到Docker容器中?

如何從HashiCorp的Vault HTTP API中獲取祕密到Docker容器中?

2016-11-02 60 views
0

嘗試使用HTTP API從HashiCorps Vault中將密碼放入dockerfile內的環境變量中。需要從私人git存儲庫下載文件的祕密。如何從HashiCorp的Vault HTTP API中獲取祕密到Docker容器中?

Dockerfile相關部分

FROM debian:jessie 

ENV REPOSITORY_LOCAL_IP 192.168.1.x 
ENV REPOSITORY_PORT 20080 
ENV REPOSITORY_USER root 

ENV PRIVATE_TOKEN "$(curl -s -H "X-Vault-Token: xxx" -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')" 

RUN apt install curl jq -y && \ 
    wget http://"$REPOSITORY_LOCAL_IP":"$REPOSITORY_PORT"/"$REPOSITORY_USER"/repository/blob/master/files/file.conf?private_token="$PRIVATE_TOKEN"

docker-compose.yml相關部分

version: '2' 
services: 
    hhvm_dev: 
    build: 
     dockerfile: image.df 
     context: ./images/. 
    user: user 
    restart: always 
    stdin_open: true 
    tty: true 
    working_dir: /etc/image 
    ports: 
     - "80"

docker-compose build返回運行以下的輸出:

converted 'http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl -s -H X-Vault-Token: xxx-token-xxx -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')' (ANSI_X3.4-1968) -> 'http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl -s -H X-Vault-Token: xxx-token-xxx -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')' (UTF-8) 
--2016-11-02 12:07:41-- http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl%20-s%20-H%20X-Vault-Token:%xxx-token-xxx%20-X%20GET%20http://192.168.1.x:8200/v1/secret/private-token%20%7C%20jq%20-r%20'.data.value') 
Connecting to 192.168.1.x:20080... connected. 
HTTP request sent, awaiting response... 302 Found 
Location: http://192.168.1.x:20080/users/sign_in [following] 
converted 'http://192.168.1.x:20080/users/sign_in' (ANSI_X3.4-1968) -> 'http://192.168.1.x:20080/users/sign_in' (UTF-8) 
--2016-11-02 12:07:41-- http://192.168.1.x:20080/users/sign_in 
Reusing existing connection to 192.168.1.x:20080. 
HTTP request sent, awaiting response... 200 OK 
Length: unspecified [text/html] 
Saving to: '/scripts/file.sh' 

    0K ........            6.17M=0.001s 

2016-11-02 12:07:42 (6.17 MB/s) - '/scripts/file.sh' saved [8270]

它看起來像PRIVATE_TOKEN沒有被設定在指定的位置。它只是從私人存儲庫下載登錄頁面。

來源

2016-11-02 user638145

回答

0

Docker不會用shell解釋「ENV」,它只是設置文字字符串,對於您可能包含的任何docker參數進行一些解析。在RUN命令中,環境變量擴展爲字符串,但不會再次運行它所包含的命令進行評估。把你的捲曲的PRIVATE_TOKEN您運行命令裏面,像這樣未經測試的代碼:

RUN export PRIVATE_TOKEN=$(curl -s -H "X-Vault-Token: xxx" -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value') \ 
&& apt install curl jq -y \ 
&& wget http://"$REPOSITORY_LOCAL_IP":"$REPOSITORY_PORT"/"$REPOSITORY_USER"/repository/blob/master/files/file.conf?private_token="$PRIVATE_TOKEN"

請注意,這個設計,PRIVATE_TOKEN只會在一個運行命令存在,所以你將不能夠再使用它後來。

來源

2016-11-02 13:07:35 BMitch

相關問題

 相關問題