我在本地测试环境中使用这个Vault docker映像。但它只在内存中存储所有的秘密。因此,如果我重新启动计算机,那么我所有的测试秘密都会消失,我每次都要手动重新创建它们。我该如何解决这个问题?
我的.env文件:
COMPOSE_PROJECT_NAME=vault
VAULT_DEV_ROOT_TOKEN_ID=myroot
VAULT_ADDR=http://127.0.0.1:8200
我的docker-compose.yml文件:
version: "3.8"
services:
vault:
env_file:
- .env
networks:
- public
image: vault
restart: unless-stopped
ports:
- 8200:8200
cap_add:
- IPC_LOCK
container_name: "${TARGET_ENVIRONMENT}_${COMPOSE_PROJECT_NAME}_vault"
volumes:
- vault-logs:/vault/logs
- vault-file:/vault/file
labels:
- "traefik.enable=true"
- "traefik.http.routers.vault.service=vault"
- "traefik.http.routers.vault.entrypoints=https"
- "traefik.http.routers.vault.rule=Host(`vault.${HOST_URL}`)"
- "traefik.http.routers.vault.tls=true"
- "traefik.http.routers.vault.tls.certresolver=letsEncrypt"
- "traefik.http.services.vault.loadbalancer.server.port=8200"
volumes:
vault-logs:
vault-file:
networks:
public:
external: true
vault二进制的帮助说:
-dev
Enable development mode. In this mode, Vault runs in-memory and starts
unsealed. As the name implies, do not run "dev" mode in production. The
default is false.
在-dev模式下不支持其他秘密后端。如果需要数据持久性,则应该部署完整的保险库实例。也许是使用本地file后端来存储数据的最简单的方法:
backend "file" {
path = "/path/to/a/file/in/a/docker/volume"
}
此解决方案中最复杂的部分将是解封操作的实现,除非您可以访问存储此类密钥的云提供商。