This repository has been archived by the owner on Mar 23, 2019. It is now read-only.

Implement vault and secrets #618

Closed
chouseknecht opened this issue Jun 22, 2017 · 6 comments
Comments

@chouseknecht
Contributor

chouseknecht commented Jun 22, 2017

@ehelms, @ryansb

This is to track the progress, and facilitate further discussion, as we implement vault and secrets.

The proposal for implementing vault and secrets lives here.

@ehelms has agreed to take on the Ansible Container changes. @ryansb is working on upgrading the docker_service module, and @chouseknecht is working on creating a docker_secret module.

@chouseknecht
Contributor Author

The docker_secret module is finally ready. The delay was getting integration tests working for Docker modules in general. Thanks to the handiwork of @mattclay we now have tests for the new module, and we'll be able to add tests for the others.

PR #26469 containing the new module was merged.

@chouseknecht
Contributor Author

The code for generating Docker compose with secrets is complete. At least, it generates a playbook that works using the docker_secret and docker_service modules, and ansible-container run will successfully launch a test application. However, I'm not yet able to get an external secret to actually manifest in the running container. It should appear under /run/secrets.

@chouseknecht
Contributor Author

chouseknecht commented Jul 19, 2017

Figured out why compose is not mounting secrets to a running container. Turns out docker-compose up does not support external secrets. I took the generated compose from the deployment playbook, attempted a manual run, and got the following:

$ docker-compose up

WARNING: Service "web" uses secret "web_secret_password" which is external. External secrets are not available to containers created by docker-compose.

Apparently this only works with docker stack deploy, which is not part of the docker_service module.
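To make the failure mode in this comment concrete, here is an added example compose file (not the project's generated output; image and stack names are assumed) that declares the secret as external. Run through docker-compose up it prints the warning quoted above and the container has no /run/secrets entry; run through docker stack deploy on a swarm node the same file mounts the secret at /run/secrets/web_secret_password.

```yaml
# Added example, not Ansible Container's generated compose.
# Secrets need compose file format 3.1 or later.
version: "3.1"

services:
  web:
    image: nginx:alpine              # placeholder image, assumed
    secrets:
      - web_secret_password          # lands at /run/secrets/web_secret_password only under `docker stack deploy`
    # `docker-compose up` with this file prints:
    #   WARNING: Service "web" uses secret "web_secret_password" which is external.
    #   External secrets are not available to containers created by docker-compose.

secrets:
  web_secret_password:
    external: true                   # must already exist: `docker secret create` or the docker_secret module
```

Create the secret on a swarm manager first (for example `echo -n 'constructed-sample' | docker secret create web_secret_password -`), then compare `docker-compose up` with `docker stack deploy -c docker-compose.yml demo` and inspect /run/secrets inside the container.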

@chouseknecht
Contributor Author

In the spirit of docker compose #4368, which fakes secrets by bind mounting files, I added code that fakes external secrets by using a named volume. It's not glamorous, but it works.

@ehelms, can you have a look and give it a thumbs up or down? Thanks!

@chouseknecht
Contributor Author

Merged the new docker_volume module into Ansible. Using it when the destroy tag is invoked on the playbook generated by the docker engine.

@chouseknecht
Contributor Author

Closed by #665
