Currently I am using a docker-compose file to set up my dev/prod environments. I am using environment variables to store secrets, database credentials, etc. After some searching, I found out that Vault can be used to secure the credentials. I tried a couple of basic examples with Vault, but I still have no idea how to use Vault with a docker-compose file. Can someone point me to the correct way? If Vault is not a good solution with docker-compose, what mechanisms could I use to secure credentials rather than storing them in the environment as plain text?
The Compose file provides a way to document and configure all of the application's service dependencies (databases, queues, caches, web service APIs, etc.). Using the Compose command line tool you can create and start one or more containers for each dependency with a single command (docker-compose up).
Running the Vault container with no arguments will give you a Vault server in development mode. The provided entry point script will also look for Vault subcommands and run vault with that subcommand. For example, you can execute docker run vault status and it will run the vault status command inside the container.
Docker Compose uses the Dockerfile if you add the build command to your project's docker-compose.yml. Your Docker workflow should be to build a suitable Dockerfile for each image you wish to create, then use Compose to assemble the images using the build command.
This is my current docker-compose config for using Vault in dev, but I use dedicated servers (not Docker) in production.
```yaml
# docker_compose.yml
version: '2'
services:
  myvault:
    image: vault
    container_name: myvault
    ports:
      - "127.0.0.1:8200:8200"
    volumes:
      - ./file:/vault/file:rw
      - ./config:/vault/config:rw
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/vault.json
```
The volume mounts ensure the vault config is saved if you have to rebuild the container.
To use the 'file' backend, and to make this setup portable for Docker/Git, you will also need to create a directory called config and put this file into it, named vault.json:

```json
# config/vault.json
{
  "backend": {"file": {"path": "/vault/file"}},
  "listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}},
  "default_lease_ttl": "168h",
  "max_lease_ttl": "0h"
}
```
Notes:

Although the ROOT_TOKEN is static in this configuration (it will not change between container builds), any generated VAULT_TOKEN issued for an app_role will be invalidated every time the vault has to be unsealed.

I have found that the Vault sometimes becomes sealed when the container is restarted.
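The other half of the question is how a service in the same Compose stack then reads its credentials from Vault instead of from plain-text environment variables. The following is an added example, not code from the question or the answer above: a small client that uses only the standard library, checks the seal status first (because of the restart behaviour noted above), and reads a KV secret over the HTTP API. The secret path secret/myapp/db, the address 127.0.0.1:8200 and the VAULT_TOKEN environment variable are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

# Assumptions (not from the answer): the compose service above is reachable at
# this address and the app receives only a VAULT_TOKEN, never the credentials.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")

class VaultSealed(Exception):
    """Raised when the server reports sealed=true (e.g. after a container restart)."""

def parse_seal_status(body: bytes) -> bool:
    """True if the /v1/sys/seal-status response says the vault is sealed."""
    return bool(json.loads(body).get("sealed", True))

def parse_secret(body: bytes) -> dict:
    """Return the key/value map from a KV read, for both KV v1 and KV v2 layouts."""
    payload = json.loads(body)
    data = payload.get("data") or {}
    # KV v2 nests the values one level deeper, under data.data, beside metadata
    if isinstance(data.get("data"), dict) and "metadata" in data:
        return data["data"]
    return data

def _get(path: str, token: str = "") -> bytes:
    """GET an API path, sending the token header only when one is supplied."""
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()

def read_db_credentials(token: str, path: str = "secret/myapp/db") -> dict:
    """Fail fast if the vault is sealed, otherwise read the credentials (path is a placeholder)."""
    if parse_seal_status(_get("sys/seal-status")):
        raise VaultSealed("vault is sealed; unseal it before starting the app")
    try:
        return parse_secret(_get(path, token))
    except urllib.error.HTTPError as e:
        if e.code == 503:  # Vault also answers 503 for reads while sealed
            raise VaultSealed(str(e)) from e
        raise

if __name__ == "__main__":
    creds = read_db_credentials(os.environ["VAULT_TOKEN"])
    print("fetched keys:", sorted(creds))  # log key names only, never the values
```

Run it as the entrypoint wrapper of the application container, so a sealed Vault stops the service from starting with missing credentials rather than failing later at the first database connection.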