Stands up a Ghost blog along with PostgreSQL. Both have their data mounted locally (i.e. outside of their containers).

The real kicker here though is Vault: PostgreSQL credentials are written to Vault and passed on to the docker container via a temporary Vault token (i.e. Response Wrapping), so the container receives a short-lived token rather than the credentials themselves. The Vault capability is plugged in to gblog via psql-vault.
Start a dev Vault server:

```bash
docker run --name=dev-vault -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' -p 8200:8200 -d vault
```

`docker logs dev-vault` will show the vault's logs:

```
export VAULT_ADDR='http://0.0.0.0:8200'
...
Root Token: 75de9b20-16fa-5a1e-2e9a-39c86caef504
```

We need two pieces of data from the above, to export a root token and a host address:

```bash
export VAULT_TOKEN=75de9b20-16fa-5a1e-2e9a-39c86caef504
export VAULT_ADDR='http://127.0.0.1:8200'
```

In production this would be done on a different machine (or potentially a Vault cluster), with more unseal keys, etc.
```bash
git clone https://github.com/tolitius/gblog
cd gblog
```

Open the `.env` file and, since Vault is running on the same host in this case, set `VAULT_HOST` to the host IP. If you are unsure what your host IP is, just ask:

```bash
./tools/what-is-my-host-ip.sh
192.168.1.12 ## this is an example output, your IP most likely will be different
```

Pretending `192.168.1.12` is your host IP, `VAULT_HOST` would look like:

```
VAULT_HOST=192.168.1.12
```
Write the PostgreSQL credentials from `config/creds` to Vault (edit the values in that file first: as shipped they are `CHANGE-ME` placeholders):

```bash
./tools/vault/vault-write.sh /secret/postgres config/creds
```

At this point the file `./config/creds` can be deleted. The reason we did it via a file (rather than providing the creds in the clear on the command line) is to not leave traces of the creds in bash/shell history.

You can check whether the creds were successfully written to Vault:

```bash
./tools/vault/vault-read.sh /secret/postgres
```

```json
{"ghost-pass": "CHANGE-ME-TOO-ghost-pass",
 "ghost-user": "ghost",
 "root-pass": "CHANGE-ME-root-pass",
 "root-user": "postgres"}
```

NOTE: for these vault scripts to work you would need `jq` (i.e. to parse JSON responses from Vault):

```bash
brew install jq
```

or `apt-get install jq`, or similar.
```bash
export ACCESS_TOKEN=$(./tools/vault/wrap-token.sh /secret/postgres); docker-compose up
```

Notice we are using Vault to create a temporary token (wrapping our "secret") that is passed to the docker containers in place of the credentials themselves; the containers unwrap it to obtain the PostgreSQL creds.
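The wrap/unwrap exchange behind that command, as an added Python example that is not gblog's own code (`wrap-token.sh` is the project's script; this helper, its function names and the injectable `http` transport are assumptions): the producer asks Vault to wrap the read of `secret/postgres`, and the consumer verifies the wrapping token with `sys/wrapping/lookup` before spending it, which is where an already-consumed (possibly intercepted) token is caught.

```python
"""Vault response wrapping, a hypothetical helper (not gblog's own wrap-token.sh).
Producer: read a secret but have Vault wrap the response, so only a short-lived,
single-use wrapping token leaves the producer. Consumer: verify, then unwrap."""
import json
import os
import urllib.request


def _default_http(method, url, headers, body=None):
    """Tiny urllib transport returning Vault's JSON body as a dict."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read() or b"{}")


def wrap_secret(vault_addr, token, secret_path, ttl="60s", http=_default_http):
    """Return a wrapping token for secret_path (e.g. 'secret/postgres').
    X-Vault-Wrap-TTL makes Vault stash the real response in the cubbyhole of a
    fresh single-use token and hand back only that token."""
    resp = http("GET", f"{vault_addr}/v1/{secret_path.strip('/')}",
                {"X-Vault-Token": token, "X-Vault-Wrap-TTL": ttl})
    return resp["wrap_info"]["token"]


def unwrap_secret(vault_addr, wrapping_token, expected_path, http=_default_http):
    """Verify, then spend, a wrapping token; returns the secret's data dict.
    sys/wrapping/lookup does not consume the token, so call it first: an error
    means the token was already unwrapped (treat as possible interception), and
    an unexpected creation_path means it was not minted for this secret."""
    base = f"{vault_addr}/v1/sys/wrapping"
    info = http("POST", f"{base}/lookup", {"X-Vault-Token": wrapping_token},
                {"token": wrapping_token})["data"]
    if info.get("creation_path") != expected_path.strip("/"):
        raise RuntimeError(f"wrapping token was minted for "
                           f"{info.get('creation_path')!r}, not {expected_path!r}")
    # Unwrap authenticates with the wrapping token itself and works exactly once.
    return http("POST", f"{base}/unwrap", {"X-Vault-Token": wrapping_token})["data"]


if __name__ == "__main__":
    # Assumes VAULT_ADDR / VAULT_TOKEN exported as in the dev-server step above
    # and secret/postgres already written; prints key names only, never values.
    addr, root = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
    wrapped = wrap_secret(addr, root, "secret/postgres")
    print("unwrapped keys:", sorted(unwrap_secret(addr, wrapped, "secret/postgres")))
```

Running the script twice with the same wrapping token makes the second `unwrap_secret` fail at the lookup step, which is the signal a consumer should alert on.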
Ghost running on PostgreSQL is up and ready for you: http://localhost:2368/
Yes, I know, and opened an issue which, once solved, will allow reading Ghost creds from Vault as well.
nginx will follow...
Copyright © 2016 tolitius
Distributed under the Eclipse Public License either version 1.0 or (at your option) any later version.