
Is it possible to not use "in-memory" storage for Vault in dev mode?

  •  0
  • Andrey Bushman  · Tech community  · 3 years ago

    I use this Vault docker image

    My .env

    COMPOSE_PROJECT_NAME=vault
    VAULT_DEV_ROOT_TOKEN_ID=myroot
    VAULT_ADDR=http://127.0.0.1:8200
    

    My docker-compose.yml

    version: "3.8"
    services:
        vault:
            env_file:
                - .env
            networks:
                - public
            image: vault
            restart: unless-stopped
            ports:
                - 8200:8200
            cap_add:
                - IPC_LOCK            
            container_name: "${TARGET_ENVIRONMENT}_${COMPOSE_PROJECT_NAME}_vault"
            volumes:
                - vault-logs:/vault/logs
                - vault-file:/vault/file
            labels:
                - "traefik.enable=true"
                - "traefik.http.routers.vault.service=vault"
                - "traefik.http.routers.vault.entrypoints=https"
                - "traefik.http.routers.vault.rule=Host(`vault.${HOST_URL}`)"
                - "traefik.http.routers.vault.tls=true"
                - "traefik.http.routers.vault.tls.certresolver=letsEncrypt"
                - "traefik.http.services.vault.loadbalancer.server.port=8200"
    volumes:
        vault-logs: 
        vault-file:
    networks:
        public:
            external: true
    
  •  0
  •   Davide Madrisan    3 years ago

    The help output of the vault binary says:

      -dev
          Enable development mode. In this mode, Vault runs in-memory and starts
          unsealed. As the name implies, do not run "dev" mode in production. The
          default is false.
    

    -dev mode: if you need data persistence, you should deploy a full Vault instance. Perhaps the simplest one uses the local file backend for storing the data:

    backend "file" {
      path = "/path/to/a/file/in/a/docker/volume"
    }
    

    The most complicated part of this solution is the implementation of the unseal operation, unless you have access to a cloud provider where to stock
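
A non-dev variant of the question's compose service using the file backend from the answer, as an added example that is not part of either post. It assumes the image's documented `VAULT_LOCAL_CONFIG` variable and `server` command, and that TLS stays terminated at Traefik as in the question's labels (labels and networks are unchanged and omitted here).

```yaml
# Added example: regular (non-dev) Vault server with file storage.
version: "3.8"
services:
    vault:
        image: vault
        restart: unless-stopped
        # The image defaults to "server -dev" (in-memory, auto-unsealed).
        # "server" alone starts a normal instance that reads /vault/config.
        command: server
        environment:
            VAULT_ADDR: http://127.0.0.1:8200
            # VAULT_DEV_ROOT_TOKEN_ID is removed: it only applies to -dev mode,
            # and a fixed root token such as "myroot" should not survive the move.
            # The image writes this JSON to /vault/config/local.json at start.
            # tls_disable is set because Traefik terminates TLS; the hop from
            # Traefik to Vault is then plaintext on the Docker network.
            VAULT_LOCAL_CONFIG: >-
                {"storage": {"file": {"path": "/vault/file"}},
                "listener": [{"tcp": {"address": "0.0.0.0:8200", "tls_disable": true}}],
                "ui": true}
        cap_add:
            - IPC_LOCK
        ports:
            - 8200:8200
        volumes:
            # Secrets now persist in this volume (encrypted by Vault at rest).
            - vault-file:/vault/file
            - vault-logs:/vault/logs
volumes:
    vault-logs:
    vault-file:

# One-time, after the first start (prints the unseal keys and the initial
# root token exactly once; store them outside the container):
#   docker compose exec vault vault operator init
#
# After every container restart the instance comes up sealed; repeat with
# different unseal keys until the threshold is reached:
#   docker compose exec vault vault operator unseal
```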