Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/crazy-canux/docker-plugin-vault
https://github.com/crazy-canux/docker-plugin-vault
docker-plugin secret vault
Last synced: about 2 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/crazy-canux/docker-plugin-vault
- Owner: crazy-canux
- Created: 2021-11-10T10:01:22.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2023-10-26T06:53:26.000Z (about 1 year ago)
- Last Synced: 2024-04-16T04:22:47.567Z (8 months ago)
- Topics: docker-plugin, secret, vault
- Language: Go
- Homepage:
- Size: 40 KB
- Stars: 2
- Watchers: 3
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# docker plugin vault
docker secret plugin for vault provider.
## how to build docker plugin
make clean
make create
make push## how to install plugin
install and setup token, enabled by default:docker plugin install --grant-all-permissions canux--dev.harbor.com/docker-plugin-vault:1.0.0 VAULT_TOKEN=your-token
setup token if renew:
docker plugin disable canux--dev.harbor.com/docker-plugin-vault:1.0.0
docker plugin set canux--dev.harbor.com/docker-plugin-vault:1.0.0 VAULT_TOKEN=your-token
docker plugin enable canux--dev.harbor.com/docker-plugin-vault:1.0.0## design
原来设计:
1. 通过一个service来传递token给plugin,这样token是安全的。但是要额外创建一个service,并且创建一个token的secret。
2. plugin自己创建token,并给每个secret创建对应的policy。1.0.0实现:
1. 通过环境变量传递token,docker plugin inspect能看到token,不安全。
2. 只能通过field,path,version在docker stack deploy的时候创建token。
3. 不需要创建token和policy。1.1.0实现:
1. 给vault token创建一个secret
2. 通过secret获取token## how to debug plugin
docker以debug模式启动
"debug": true
查看logjournalctl -f -u docker.service
cd /run/docker/plugins/$your_plugin_id
cat < init-stdout
cat < init-stderr
## how to useuse it in compose file
secrets:
haproxy:
driver: canux--dev.harbor.com/docker-plugin-vault:0.0.1
labels:
docker.plugin.secretprovider.vault.path: canux/data/pki
docker.plugin.secretprovider.vault.field: "*.canuxcheng.com"