Hi all, I'm new to Vault.
I want to ask how to inject KV secrets or fetch a Vault secret from Docker Compose in an application/DB docker-compose file, so that I can just run docker-compose up on the application/DB to bring up the container.
Thank you!
It depends on how your application works.
You can use an Agent on your host and write to a mounted volume to pass secrets.
Can you share some articles or an example?
Let's say I have this use case: I'm deploying a Vault server (Docker) + Vault Agent (Docker), and I'm deploying one PostgreSQL DB (Docker) that wants to use a KV/Vault secret from Vault.
Sorry, I don't understand why (and how?) to use the KV engine with PostgreSQL.
You must configure the database engine on your Vault.
If you rotate the root password with Vault, you can pass an initial root password as an env variable in your Dockerfile for PostgreSQL. You don't care because it is going to be rotated.
And what is the purpose of the Agent in your use case?
Can I get an example of passing a Vault secret on a mounted volume and using it in the app's docker-compose?
Yes. Configure an AppRole engine on your Vault server.
Use an agent:
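```hcl
pid_file = "./pidfile"

# Vault server the agent connects to
vault {
  address = "https://vault:8200"
  retry {
    num_retries = 5
  }
}

auto_auth {
  # Log in with AppRole, reading the role ID and secret ID from files
  method {
    type = "approle"
    config = {
      role_id_file_path                   = "/my/app/role_id"
      secret_id_file_path                 = "/my/app/secret_id"
      remove_secret_id_file_after_reading = false
    }
  }

  # Write the resulting Vault token to a file on the mounted volume
  sink "file" {
    config = {
      path = "/my/mounted/volume/sink_file"
    }
  }
}
```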
And in your docker-compose, you must have:
```yaml
volumes:
  - /my/mounted/volume/sink_file:/etc/my/app/sink_file
```
The sink file stores the token, if you need the token in your app and your app makes API calls with the token.
Or, don't write the sink file but use a template to generate a file for your app.
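
The template approach mentioned in the last reply, as an added example that is not part of the original thread: the agent renders the secret itself into a file on the mounted volume, so no token is written to disk. The KV v2 mount `secret/`, the secret path `myapp/db`, its keys `username` and `password`, the output variable names and the file name `db.env` are all assumptions.

```hcl
# Added example, not from the thread. Assumed: KV v2 mounted at "secret/",
# a secret at "myapp/db" with keys "username" and "password", and the
# destination file name db.env.
pid_file = "./pidfile"

vault {
  address = "https://vault:8200"
}

auto_auth {
  method {
    type = "approle"
    config = {
      role_id_file_path                   = "/my/app/role_id"
      secret_id_file_path                 = "/my/app/secret_id"
      remove_secret_id_file_after_reading = false
    }
  }
  # No sink stanza: the token stays in the agent and is not written to the volume.
}

template {
  # KV v2 is read through the "data/" path and the values sit under .Data.data.
  contents = <<EOT
{{ with secret "secret/data/myapp/db" -}}
DB_USERNAME={{ .Data.data.username }}
DB_PASSWORD={{ .Data.data.password }}
{{- end }}
EOT

  destination          = "/my/mounted/volume/db.env"
  perms                = "0600" # owner read/write only
  error_on_missing_key = true   # fail instead of rendering "<no value>"
}

# In the app's docker-compose file, mount the rendered file read-only:
#   volumes:
#     - /my/mounted/volume/db.env:/etc/my/app/db.env:ro
```

With `perms = "0600"` the rendered file is readable only by the user the agent runs as, so the app container has to run with a UID that can read it, and the app still has to load the file itself.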