0

尝试使用 HTTP API 从 HashiCorps Vault 获取秘密到 dockerfile 内的环境变量中。需要从私有 git 存储库下载文件的秘密。

Dockerfile相关部分

FROM debian:jessie

ENV REPOSITORY_LOCAL_IP 192.168.1.x
ENV REPOSITORY_PORT 20080
ENV REPOSITORY_USER root

ENV PRIVATE_TOKEN "$(curl -s -H "X-Vault-Token: xxx" -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')"

RUN apt install curl jq -y && \
    wget http://"$REPOSITORY_LOCAL_IP":"$REPOSITORY_PORT"/"$REPOSITORY_USER"/repository/blob/master/files/file.conf?private_token="$PRIVATE_TOKEN"

docker-compose.yml相关部分

version: '2'
services:
  hhvm_dev:
    build:
      dockerfile: image.df
      context: ./images/.
    user: user
    restart: always
    stdin_open: true
    tty: true
    working_dir: /etc/image
    ports:
      - "80"

运行docker-compose build返回以下输出:

converted 'http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl -s -H X-Vault-Token: xxx-token-xxx -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')' (ANSI_X3.4-1968) -> 'http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl -s -H X-Vault-Token: xxx-token-xxx -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value')' (UTF-8)
--2016-11-02 12:07:41--  http://192.168.1.x:20080/root/repository/blob/master/files/file.conf?private_token=$(curl%20-s%20-H%20X-Vault-Token:%xxx-token-xxx%20-X%20GET%20http://192.168.1.x:8200/v1/secret/private-token%20%7C%20jq%20-r%20'.data.value')
Connecting to 192.168.1.x:20080... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://192.168.1.x:20080/users/sign_in [following]
converted 'http://192.168.1.x:20080/users/sign_in' (ANSI_X3.4-1968) -> 'http://192.168.1.x:20080/users/sign_in' (UTF-8)
--2016-11-02 12:07:41--  http://192.168.1.x:20080/users/sign_in
Reusing existing connection to 192.168.1.x:20080.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: '/scripts/file.sh'

     0K ........                                               6.17M=0.001s

2016-11-02 12:07:42 (6.17 MB/s) - '/scripts/file.sh' saved [8270]

看起来PRIVATE_TOKEN没有在指定位置设置。它只是从私有存储库下载登录页面。

4

1 回答 1

0

Docker 不会用 shell 解释“ENV”,它只是设置文字字符串,并对您可能包含的任何 docker args 进行一些解析。在 RUN 命令中,环境变量被扩展为字符串,但没有第二次评估以运行它包含的命令。将 PRIVATE_TOKEN 的 curl 放入 RUN 命令中,类似于以下未经测试的代码:

RUN export PRIVATE_TOKEN=$(curl -s -H "X-Vault-Token: xxx" -X GET http://192.168.1.x:8200/v1/secret/private-token | jq -r '.data.value') \
 && apt install curl jq -y \
 && wget http://"$REPOSITORY_LOCAL_IP":"$REPOSITORY_PORT"/"$REPOSITORY_USER"/repository/blob/master/files/file.conf?private_token="$PRIVATE_TOKEN"

请注意,使用这种设计,PRIVATE_TOKEN 将只存在于您的一个 RUN 命令中,因此您以后将无法重用它。

于 2016-11-02T13:07:35.190 回答