4

I use this Vault docker image for my local test environment. But it stores all secrets in memory only. Therefore, if I restart my computer then all my test secrets disappear and I have to recreate them manually each time. How can I solve the problem?

My .env file:

COMPOSE_PROJECT_NAME=vault
VAULT_DEV_ROOT_TOKEN_ID=myroot
VAULT_ADDR=http://127.0.0.1:8200

My docker-compose.yml file:

version: "3.8"
services:
    vault:
        env_file:
            - .env
        networks:
            - public
        image: vault
        restart: unless-stopped
        ports:
            - 8200:8200
        cap_add:
            - IPC_LOCK
        container_name: "${TARGET_ENVIRONMENT}_${COMPOSE_PROJECT_NAME}_vault"
        volumes:
            - vault-logs:/vault/logs
            - vault-file:/vault/file
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.vault.service=vault"
            - "traefik.http.routers.vault.entrypoints=https"
            - "traefik.http.routers.vault.rule=Host(`vault.${HOST_URL}`)"
            - "traefik.http.routers.vault.tls=true"
            - "traefik.http.routers.vault.tls.certresolver=letsEncrypt"
            - "traefik.http.services.vault.loadbalancer.server.port=8200"
volumes:
    vault-logs:
    vault-file:
networks:
    public:
        external: true
Andrey Bushman
  • This is very irritating when running vault locally in kubernetes. Forcing you to set up a "real" environment... – Philip Apr 22 '22 at 07:52

1 Answer

1

The help of the vault binary says:

  -dev
      Enable development mode. In this mode, Vault runs in-memory and starts
      unsealed. As the name implies, do not run "dev" mode in production. The
      default is false.

No other secret backend is supported in -dev mode. If you need data persistence you should deploy a full vault instance. Maybe just the simplest one that uses a local file backend to store the data:

backend "file" {
  path = "/path/to/a/file/in/a/docker/volume"
}

The most complex part of this solution will be the implementation of the unsealing operations unless you have access to a cloud provider where you can store such keys.

Davide Madrisan
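As an added example (not part of the question or the answer), here is the question's docker-compose.yml reworked to run the official image in server mode with the file storage backend on the existing vault-file volume, so the data survives a restart. It relies on the image's VAULT_LOCAL_CONFIG environment hook, which the entrypoint writes to /vault/config/local.json; VAULT_DEV_ROOT_TOKEN_ID has no effect outside dev mode and is dropped, and the traefik labels are omitted for brevity.

```yaml
version: "3.8"
services:
    vault:
        image: vault
        container_name: vault
        restart: unless-stopped
        # "server" replaces the image's default "server -dev" command,
        # so Vault reads /vault/config instead of running in memory.
        command: server
        cap_add:
            - IPC_LOCK
        ports:
            - 8200:8200
        environment:
            VAULT_ADDR: http://127.0.0.1:8200
            # Inline server configuration written by the entrypoint into
            # /vault/config/local.json. tls_disable is only acceptable for a
            # local test environment that is not reachable from elsewhere.
            VAULT_LOCAL_CONFIG: |
                {
                  "storage": {"file": {"path": "/vault/file"}},
                  "listener": [{"tcp": {"address": "0.0.0.0:8200", "tls_disable": true}}],
                  "ui": true
                }
        volumes:
            - vault-logs:/vault/logs
            # Persistent storage for the file backend configured above.
            - vault-file:/vault/file
volumes:
    vault-logs:
    vault-file:
```

Unlike dev mode, this instance starts sealed: run `vault operator init` once after the first start and keep the unseal keys and root token somewhere safe, then run `vault operator unseal` (with the configured threshold of keys) after every restart of the container.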