[Tutorial][Proof-of-Concept] You can use docker init Containers to provision your Vault container within your compose file

Docker Init Container in Compose

NOTE: this feature is similar to Kubernetes Init Containers and has been available in
Docker Compose since version 1.29.

The init container pattern works through the depends_on spec. Depending on what the initialization process has to achieve, you can wait for one of three states of the dependency before your container starts:

  • service_started
  • service_healthy
  • service_completed_successfully

Unfortunately, this feature is yet to be documented. However, here are some resources to look into:

  1. Feature Request Issue on Docker Compose
  2. Pending Pull-Request for Documentation of Init Containers
  3. StackExchange Query with a possible example

Vault local configuration setup

I had some relative success with the undocumented feature of Docker init containers with other containers, namely InfluxDB and the Mosquitto MQTT broker, and decided to test the waters more by setting the local config file in /vault/config/ as mentioned in the docs for Vault.

NOTE: this is not production-ready code, just a proof of concept.

docker-compose.yml

volumes:
  # Use this volume to share the generated configuration file with the Vault container
  vault-init-config:

services:
  vault:
    image: vault:1.10.0
    container_name: vault
    hostname: vault
    command: server
    environment:
      - VAULT_ADDR=http://vault:8200
      - VAULT_CONFIG_DIR=/vault/config
      - VAULT_UI=true
    depends_on:
      vault-init:
        # Wait until the init container has exited with code 0, i.e. the config
        # file has been written; service_started would only wait for it to launch
        condition: service_completed_successfully
    volumes:
      - vault-init-config:/vault/config # Config file shared from the init container
    ports:
      - "127.0.0.1:8200:8200"
    cap_add:
      - "IPC_LOCK"

  vault-init:
    image: vault:1.10.0
    container_name: vault-init-container
    command: sh -c '/vault-config-init.sh'
    volumes:
      - ./scripts/vault-config-init.sh:/vault-config-init.sh
      - vault-init-config:/vault/config

The init container creates a config.hcl in the /vault/config directory of the vault-init container. The main vault container needs this file, and it is made available through the shared volume vault-init-config.

scripts/vault-config-init.sh

#!/usr/bin/dumb-init /bin/sh
set -e

echo "Setting VAULT_LOCAL_CONFIG"

# Default configuration, used when VAULT_LOCAL_CONFIG is not supplied
DEFAULT_VAULT_LOCAL_CONFIG='
listener "tcp" {
  address         = "vault:8200"
  tls_disable     = "1"
  cluster_address = "vault:8201"
}
backend "file" {
  path = "/vault/file"
}
default_lease_ttl = "168h"
max_lease_ttl     = "720h"
'

VAULT_LOCAL_CONFIG=${VAULT_LOCAL_CONFIG:-$DEFAULT_VAULT_LOCAL_CONFIG}
export VAULT_LOCAL_CONFIG

echo "$(date) VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG}"

# Quote the variable so the HCL keeps its line breaks and is not subject to
# word splitting or globbing; /vault/config is the volume shared with the
# vault service
echo "${VAULT_LOCAL_CONFIG}" > /vault/config/config.hcl
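As an added example (not the post's own script and not part of the linked repository), here is the same init step written defensively: the configuration is quoted and written atomically, a check function rejects a file with no listener or backend and warns when tls_disable is set, and a poll helper covers the case where depends_on can only offer service_started. The names write_vault_config, check_vault_config, wait_for_file and the VAULT_INIT_RUN switch are assumptions; the configuration body is the post's default.

```shell
#!/bin/sh
# Added example, not the original post's script. write_vault_config,
# check_vault_config, wait_for_file and the VAULT_INIT_RUN switch are
# hypothetical names; the configuration body is the post's default.
set -eu

# Default listener/backend configuration (same content as the post's default).
DEFAULT_VAULT_LOCAL_CONFIG='
listener "tcp" {
  address         = "vault:8200"
  tls_disable     = "1"
  cluster_address = "vault:8201"
}
backend "file" {
  path = "/vault/file"
}
default_lease_ttl = "168h"
max_lease_ttl     = "720h"
'

# write_vault_config DIR: write DIR/config.hcl atomically.
# The variable is double-quoted so the HCL keeps its line breaks (an unquoted
# echo flattens it onto one line and glob-expands any '*'). The file is written
# under a temporary name and renamed, so a consumer that started early never
# reads a half-written config. umask 022 keeps it readable by the unprivileged
# user the vault image runs the server as.
write_vault_config() {
  dir="$1"
  cfg="${VAULT_LOCAL_CONFIG:-$DEFAULT_VAULT_LOCAL_CONFIG}"
  mkdir -p "$dir"
  umask 022
  tmp="$dir/.config.hcl.tmp"
  printf '%s\n' "$cfg" > "$tmp"
  mv -f "$tmp" "$dir/config.hcl"
}

# check_vault_config FILE: sanity-check the generated file before Vault uses it.
# Returns 1 when the file is empty or lacks a tcp listener or a storage backend;
# prints a warning but still succeeds when TLS is disabled, since this proof of
# concept relies on that plaintext listener.
check_vault_config() {
  file="$1"
  [ -s "$file" ] || { echo "config missing or empty: $file" >&2; return 1; }
  grep -q '^listener "tcp"' "$file" || { echo "no tcp listener block in $file" >&2; return 1; }
  grep -Eq '^(backend|storage) "' "$file" || { echo "no storage backend in $file" >&2; return 1; }
  if grep -Eq 'tls_disable *= *"?(1|true)"?' "$file"; then
    echo "warning: tls_disable set in $file; the listener serves plaintext HTTP" >&2
  fi
  return 0
}

# wait_for_file PATH SECONDS: poll until PATH is non-empty or SECONDS elapse.
# Useful on the consumer side when depends_on can only offer service_started
# rather than service_completed_successfully. Returns 1 on timeout.
wait_for_file() {
  path="$1"; deadline="$2"; waited=0
  while [ ! -s "$path" ]; do
    [ "$waited" -lt "$deadline" ] || return 1
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# Stand-alone entry point: VAULT_INIT_RUN=1 sh vault-config-init.sh [DIR]
# writes and checks DIR/config.hcl (default /vault/config, as in the post).
main() {
  target="${1:-/vault/config}"
  write_vault_config "$target"
  check_vault_config "$target/config.hcl"
}

if [ "${VAULT_INIT_RUN:-0}" = "1" ]; then
  main "$@"
fi
```

Mounted in place of the post's script and run with VAULT_INIT_RUN=1, the init container still exits 0 only when a usable config.hcl exists, which is exactly what service_completed_successfully on the vault service waits for; the check's non-zero exit on a bad file then keeps Vault from starting against an incomplete configuration.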

Usage

Upon running docker compose up, the logs show the following:

vault-init-container  | Setting VAULT_LOCAL_CONFIG
vault-init-container  | Thu Apr 14 08:59:19 UTC 2022 VAULT_LOCAL_CONFIG:
vault-init-container  | listener "tcp" {
vault-init-container  |               address = "vault:8200"
vault-init-container  |               tls_disable = "1"
vault-init-container  |               cluster_address = "vault:8201"
vault-init-container  |           }
vault-init-container  |           backend "file" {
vault-init-container  |               path = "/vault/file"
vault-init-container  |           }
vault-init-container  |           default_lease_ttl = "168h"
vault-init-container  |           max_lease_ttl = "720h"
vault-init-container  |
vault-init-container exited with code 0
vault                 | ==> Vault server configuration:
vault                 |
vault                 |                      Cgo: disabled
vault                 |               Go Version: go1.17.7
vault                 |               Listener 1: tcp (addr: "vault:8200", cluster address: "vault:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
vault                 |                Log Level: info
vault                 |                    Mlock: supported: true, enabled: true
vault                 |            Recovery Mode: false
vault                 |                  Storage: file
vault                 |                  Version: Vault v1.10.0
vault                 |              Version Sha: 7738ec5d0d6f5bf94a809ee0f6ff0142cfa525a6
vault                 |
vault                 | ==> Vault server started! Log data will stream in below:
vault                 |
vault                 | 2022-04-14T08:59:21.054Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
vault                 | 2022-04-14T08:59:21.054Z [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
vault                 | 2022-04-14T08:59:21.073Z [INFO]  core: Initializing versionTimestamps for core

NOTE: I am just a newbie in Vault, but I have a good understanding of docker and compose, so I hope this might be a valuable find.

Stack down with volume purge:

docker compose down --volumes

I will document it as a GitHub repository for better usage.

EDIT: Standalone GitHub Repository

Any feedback, suggestions, criticisms welcome!