Plugin for Marathon that injects secrets stored in Vault via environment variables based on approle vault authorization.
Plugin uses vault approles both for itself (it knows how to renew its SecretId) and for fetching secrets for marathon applications.
Role names for marathon applications are formed as following: {role_prefix_from_config}-{app_id}.
app_id is by default a first segment of marathon app id.
You can change default app_id for any task by supplying custom mesos label.
Label name is configured by app_name_label option in plugin configuration.
For instance, when role_prefix is mesos and marathon app id is /my-doge-app/some-cmd, Vault approle for application will be mesos-my-doge-app.
You need to create roles in vault for you applications by yourself.
By default plugin injects all secrets defined in vault path: /{default_secrets_path_from_config}/{app_id}/* (but only one level deep, immediate children)
app_id is by default a first segment of marathon app id.
You can change default app_id for any task by supplying custom mesos label.
Label name is configured by app_name_label option in plugin configuration.
For instance, when default_secrets_path=mesos (in plugin config) and app_id=my-doge-app
then secrets defined in vault path /mesos/my-doge-app/passwords will be available as ENV variables $PASSWORDS_SOME_KEY_NAME, $PASSWORDS_OTHER_KEY_NAME, etc...
Ensure that approle for marathon application (you should create role yourself) has permissions to read these paths.
Plugin supports Marathon Secrets Api
The following example marathon.json fragment will read Vault path /secret/doge/wow, extract field password from that path and inject the field value into an environment variable named ENV_NAME:
{
"env": {
"ENV_NAME": {
"secret": "secret_ref"
}
},
"secrets": {
"secret_ref": {
"source": "/secret/doge/wow@password"
}
}
}Please consult the Start Marathon with plugins section of the official docs for a general overview of how plugins are enabled.
The plugin configuration JSON file will need to reference the Vault plugin as follows:
{
"plugins": {
"marathon-vault-plugin": {
"plugin": "mesosphere.marathon.plugin.task.RunSpecTaskProcessor",
"implementation": "io.funbox.marathon.plugin.vault.VaultEnvPlugin",
"configuration": {
"vault_url": "http://your-vault-url:8200",
// timeout in seconds for all vault api calls
"vault_timeout": 1,
"plugin_role_id": "plugin-role-id",
"plugin_secret_id": "plugin-secret-id",
// prefix for application roles
"role_prefix": "mesos",
"default_secrets_path": "/secret/mesos"
// optional: name of mesos label for custom app id
// app_name_label: "app"
}
}
}
}You will also need to start Marathon with the secrets feature being enabled. See Marathon command line flags for more details. In short, it can be enabled by
- specifying
--enable_features secretsin Marathon command line - specifying environment variable
MARATHON_ENABLE_FEATURES=secretswhen starting Marathon
In order to work plugin role needs permissions to read RoleIds and issue SecretIds for roles with your ROLE_PREFIX path (plugin config)
path "auth/approle/role/ROLE_PREFIX-*" {
capabilities = ["read", "update"]
}