feature: Support reading tokens from file so tokens can be stored safely in docker secrets
brofids opened this issue · comments
✨ Describe the feature you'd like
Hi, I'm trying to run vault-unseal as a container in my docker swarm instance.
Then I realized that to make it work I need to store my tokens in unencrypted form inside the vault-unseal.yaml
file on the host.
I think it would be very nice if vault-unseal supported reading the token list from a separate file, so I could then use docker secrets to store my tokens securely.
🌧 Is your feature request related to a problem?
No response
🔎 Describe alternatives you've considered
--
⚠ If implemented, do you think this feature will be a breaking change to users?
Yes
⚙ Additional context
To make my approach of using vault-unseal clearer, here is an example.
First I create a new secret containing the tokens:

```shell
echo "aaaaaaaaaaaaaaaaaa,bbbbbbbbbbbbbbb" | docker secret create vault_unseal_tokens_a_b -
```
Then I can use the stack compose script below to easily spawn a new vault-unseal node:

```yaml
version: '3.8'
services:
  vault_unseal_1:
    image: ghcr.io/lrstanley/vault-unseal:latest
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
    environment:
      - CONFIG_PATH=/vault_unseal_config
      # proposed: path of the docker secret holding the comma-separated tokens
      - TOKENS__FILE=/run/secrets/unseal_tokens
    networks:
      - vault-unseal-network
    configs:
      - source: vault_unseal_config
        mode: 0400
    secrets:
      - unseal_tokens
networks:
  vault-unseal-network:
    name: "vault_unseal_network"
configs:
  vault_unseal_config:
    name: "vault_unseal_conf_v1"
    external: true
secrets:
  unseal_tokens:
    name: "vault_unseal_tokens_a_b"
    external: true
```
🤝 Requirements
- I have confirmed that someone else has not submitted a similar feature request.
- If implemented, I believe this feature will help others, in addition to solving my problems.
- I have looked into alternative solutions to the best of my ability.
- (optional) I would be willing to contribute to testing this feature if implemented, or making a PR to implement this functionality.