Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/crazy-canux/docker-plugin-vault


https://github.com/crazy-canux/docker-plugin-vault

docker-plugin secret vault

Last synced: 2 days ago
JSON representation

Awesome Lists containing this project

README 

        
# docker plugin vault



docker secret plugin for vault provider.



## how to build docker plugin



    make clean

    make create

    make push



## how to install plugin

 

install and setup token, enabled by default:



    docker plugin install --grant-all-permissions canux--dev.harbor.com/docker-plugin-vault:1.0.0 VAULT_TOKEN=your-token



setup token if renew:



    docker plugin disable canux--dev.harbor.com/docker-plugin-vault:1.0.0

    docker plugin set canux--dev.harbor.com/docker-plugin-vault:1.0.0 VAULT_TOKEN=your-token

    docker plugin enable canux--dev.harbor.com/docker-plugin-vault:1.0.0



## design



原来设计:



1. 通过一个service来传递token给plugin,这样token是安全的。但是要额外创建一个service,并且创建一个token的secret。

2. plugin自己创建token,并给每个secret创建对应的policy。



1.0.0实现:



1. 通过环境变量传递token,docker plugin inspect能看到token,不安全。

2. 只能通过field,path,version在docker stack deploy的时候创建token。

3. 不需要创建token和policy。



1.1.0实现:



1. 给vault token创建一个secret

2. 通过secret获取token



## how to debug plugin



docker以debug模式启动



    "debug": true

    

查看log



    journalctl -f -u docker.service

    

    cd /run/docker/plugins/$your_plugin_id

    cat < init-stdout

    cat < init-stderr

    

## how to use 



use it in compose file



    secrets:

      haproxy:

        driver: canux--dev.harbor.com/docker-plugin-vault:0.0.1

        labels:

          docker.plugin.secretprovider.vault.path: canux/data/pki

          docker.plugin.secretprovider.vault.field: "*.canuxcheng.com"