lrstanley / vault-unseal

auto-unseal utility for Hashicorp Vault
MIT License
238 stars 32 forks

feature: Support reading tokens from file so tokens can be stored safely in docker secrets #48

Open brofids opened 7 months ago

brofids commented 7 months ago

✨ Describe the feature you'd like

Hi, I'm trying to run vault-unseal as a container in my docker swarm instance. Then I realized that to make it work I need to store my tokens in unencrypted format inside the vault-unseal.yaml file on the host.

I think it would be very nice if vault-unseal supported reading the token list from a separate file, so I could then use docker secrets to store my tokens securely.

🌧 Is your feature request related to a problem?

No response

🔎 Describe alternatives you've considered

--

⚠ If implemented, do you think this feature will be a breaking change to users?

Yes

⚙ Additional context

To make my approach of using vault-unseal clearer, here is an example.

First I create a new secret containing the tokens: echo "aaaaaaaaaaaaaaaaaa,bbbbbbbbbbbbbbb" | docker secret create vault_unseal_tokens_a_b -

Then I can use the stack compose file below to easily spawn a new vault-unseal node:

version: '3.8'
services:
  vault_unseal_1:
    image: ghcr.io/lrstanley/vault-unseal:latest
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
    environment:
      - CONFIG_PATH=/vault_unseal_config
      - TOKENS__FILE=/run/secrets/unseal_tokens
    networks:
      - vault-unseal-network
    configs:
      - source: vault_unseal_config
        mode: 0400
    secrets:
      - unseal_tokens

networks:
  vault-unseal-network:
    name: "vault_unseal_network"

configs:
  vault_unseal_config:
    name: "vault_unseal_conf_v1"
    external: true

secrets:
  unseal_tokens:
    name: "vault_unseal_tokens_a_b"
    external: true

🤝 Requirements