{"id":13474612,"url":"https://github.com/dockito/vault","last_synced_at":"2026-01-31T23:51:41.445Z","repository":{"id":30852132,"uuid":"34409649","full_name":"dockito/vault","owner":"dockito","description":"🔐 Secret store to be used on Docker image building","archived":false,"fork":false,"pushed_at":"2021-01-17T17:27:45.000Z","size":39,"stargazers_count":198,"open_issues_count":6,"forks_count":35,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-10-30T07:48:40.433Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dockito.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-04-22T18:57:31.000Z","updated_at":"2024-05-29T13:04:39.000Z","dependencies_parsed_at":"2022-08-07T16:00:09.954Z","dependency_job_id":null,"html_url":"https://github.com/dockito/vault","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockito%2Fvault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockito%2Fvault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockito%2Fvault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockito%2Fvault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dockito","download_url":"https://codeload.github.com/dockito/vault/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245738794,"owners_count":20664344,"icon_url":"https:
//github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T16:01:13.569Z","updated_at":"2026-01-31T23:51:41.437Z","avatar_url":"https://github.com/dockito.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# Dockito Vault\n\nA solution to use SSH keys while building images.\n\nHere is an example installing [Node.js](http://nodejs.org/) dependencies:\n\n```Dockerfile\nRUN ONVAULT npm install\n```\n\n## The Dockerfile\n\nDuring build, you can use the `ONVAULT` utility to run any command using the private keys.\n\n**The private keys are removed automatically after the command completes**.\n\nFirst you need to install the `ONVAULT` utility, by adding the following statements in your Dockerfile (example works for Debian/Ubuntu):\n\n```Dockerfile\n# installs Dockito Vault ONVAULT utility\n# https://github.com/dockito/vault\nRUN apt-get update -y \u0026\u0026 \\\n    apt-get install -y curl \u0026\u0026 \\\n    curl -L https://raw.githubusercontent.com/dockito/vault/master/ONVAULT \u003e /usr/local/bin/ONVAULT \u0026\u0026 \\\n    chmod +x /usr/local/bin/ONVAULT\n```\n\nThe script's only dependency is `curl` (being installed above).\n\nOr on Alpine Linux:\n\n```Dockerfile\n# installs Dockito Vault ONVAULT utility\n# https://github.com/dockito/vault\nRUN apk add -Uuv bash curl \u0026\u0026 \\\n    curl -L https://raw.githubusercontent.com/dockito/vault/master/ONVAULT \u003e /usr/local/bin/ONVAULT \u0026\u0026 \\\n    chmod +x /usr/local/bin/ONVAULT\n```\n\nThen use it on any command that requires the private keys:\n\n```Dockerfile\nRUN 
ONVAULT npm install --unsafe-perm\n```\n\nHere is a complete Node.js example using these concepts:\n\n```Dockerfile\nFROM node:0.10.38\n\n# installs Dockito Vault ONVAULT utility\n# https://github.com/dockito/vault\nRUN apt-get update -y \u0026\u0026 \\\n    apt-get install -y curl \u0026\u0026 \\\n    curl -L https://raw.githubusercontent.com/dockito/vault/master/ONVAULT \u003e /usr/local/bin/ONVAULT \u0026\u0026 \\\n    chmod +x /usr/local/bin/ONVAULT\n\nRUN mkdir -p /usr/src/app\nWORKDIR /usr/src/app\n\nCOPY package.json /usr/src/app/\nRUN ONVAULT npm install --unsafe-perm\nCOPY . /usr/src/app\n\nCMD [ \"npm\", \"start\" ]\n```\n\n## How it works\n\nIt is composed of two pieces:\n\n- an HTTP server running at http://172.17.0.1:14242 that serves the private keys;\n- a bash script `ONVAULT` that needs to be installed in the image to allow accessing the private keys during the build process.\n\n\u003e The server IP may be different depending on the Docker version you are running, or if you are using a custom bridge network for Docker. Run the command below to find out the IP used by Docker:\n\n```bash\nifconfig docker0 | grep 'inet ' | cut -d: -f2 | awk '{ print $2}'\n```\n\n### Custom configurations\n\n#### Environment variables\n\nSome custom configurations are allowed through environment variables:\n\n- `VAULT_HOST`: custom host for the vault server (example `172.17.0.1`)\n- `VAULT_PORT`: custom host+port for the vault server (example `tcp:172.17.0.1:14242`)\n- `VAULT_URI`: custom URI for the vault server (example `http://172.17.0.1:14242`)\n- `VAULT_SSH_KEY`: custom ssh key name used during the `ONVAULT` command (example `id_rsa`)\n\n#### SSH config file\n\nOther ssh configurations can be achieved through your own [ssh config file](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/ssh_config.5?query=ssh_config\u0026sec=5). Since the vault has access to the whole `.ssh` directory, the ssh config file is available when running the `ONVAULT` command. 
This means any configuration in the ssh config file will be applied to the ssh connection.\n\nAn example where you could use the ssh config file is when you need to use different private keys for different hosts.\n\n**~/.ssh/config**\n\n```\n# use this key for the github host\nHost github.com\nIdentityFile ~/.ssh/github_docker_key\n\n# or use this key for myprivatehost.com\nHost myprivatehost.com\nIdentityFile ~/.ssh/myprivatehost_key\n\n# otherwise the id_rsa key will be used for any other host\n```\n\n#### SSH key password/passphrase\n\nIf your key is protected by a passphrase, you can pass the passphrase to ONVAULT, so that it removes the passphrase from the copied key inside the container before using it.\n\n```\nONVAULT --disable-pwd %password% npm install\n```\n\n#### Symlinks\n\nIf any of your ssh files is a symlink, you will also need to map the symlink's destination as a volume into the Docker vault server. Otherwise the symlink cannot be resolved when the `ONVAULT` command copies the ssh files.\n\n### The private keys server\n\nRun the server, mounting your `~/.ssh` folder as a volume:\n\n```bash\ndocker run -p 172.17.0.1:14242:3000 -v ~/.ssh:/vault/.ssh dockito/vault\n```\n\n\u003e This IP may be different. 
Check out the \"How it works\" section to find out the right IP in case this one is not working for you.\n\nThere is also a `docker-compose.yml` file in this project, allowing you to run it (after cloning the project) with:\n\n```bash\ndocker-compose up vault\n```\n\nHappy coding!\n\n## Usage at runtime\n\nAlthough its main purpose is to fix the issue of building Docker images, it can also be used as a source of secrets for a running container:\n\n```bash\ndocker run -v ~/.ssh:/vault/.ssh --name vault dockito/vault\ndocker run --link vault image-with-onvault ONVAULT npm install --unsafe-perm\n```\n\n## Development\n\nBecause [NPM](http://npmjs.com/) dependencies are installed locally, the dependencies installed in the base image won't be available at development time, so you will need to `npm install` them again:\n\n```\ngit clone https://github.com/dockito/vault.git\ncd vault\ndocker-compose run vault npm install\ndocker-compose up vault\n```\n\n## Drawbacks\n\nA Dockerfile using this technique requires the special **vault service** to be running, which means it is not possible to run any\nbuild process at the [Docker Hub](https://hub.docker.com/).\n\nAs the **vault service** is not running an `ssh-agent` (it copies the contents of the key files instead), the key passphrase cannot be entered prior to execution.\n\n## Acknowledgements\n\nInitial implementation by [Paulo Ragonha](http://github.com/pirelenito). Based on the ideas of [Max Claus Nunes](http://github.com/maxcnunes/) and [Eduardo Nunes](https://github.com/esnunes).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdockito%2Fvault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdockito%2Fvault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdockito%2Fvault/lists"}