Skip to content
/ gblog Public

docker compose: ghost + postgres + nginx w/ vault creds

4 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tolitius/gblog

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
config
config
 
 
tools
tools
 
 
.env
.env
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 

Repository files navigation

Stands up a Ghost blog along with PostgreSQL. Both will have data mounted locally (i.e. outside of their containers).

Ok, another blog image, so what!?

The real kicker here though is Vault.

PostgreSQL credentials are securely written to Vault, and passed on to the docker container via a temporary Vault token (i.e. Response Wrapping).

The Vault capability is plugged in to gblog via psql-vault.

Show me

Starting Vault

docker run --name=dev-vault -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' -p 8200:8200 -d vault
docker logs dev-vault

will show the vault's logs:

export VAULT_ADDR='http://0.0.0.0:8200'

...

Root Token: 75de9b20-16fa-5a1e-2e9a-39c86caef504

we would need 2 pieces of data from the above, to export a root token and a host address:

export VAULT_TOKEN=75de9b20-16fa-5a1e-2e9a-39c86caef504
export VAULT_ADDR='http://127.0.0.1:8200'

In production this would be done on a different machine (or potentially a Vault cluster) and with more unseal keys, etc..

Clone, Configure, Run

git clone https://github.com/tolitius/gblog
cd gblog

One step config

Open .env file, and since Vault is running on the same host in this case, set VAULT_HOST to the host IP.

if you are unsure what your host IP is, just ask

./tools/what-is-my-host-ip.sh
192.168.1.12                    ## this is an example output, your IP most likely will be different

Pretending 192.168.1.12 is your host IP, a VAULT_HOST would look like:

VAULT_HOST=192.168.1.12

Write creds to Vault

./tools/vault/vault-write.sh /secret/postgres config/creds

At this point the file ./config/creds can be deleted. The reason we did it via file (rather than providing creds in clear) is not to leave creds traces in bash/shell history.

You can check whether the creds were successfully written to Vault:

./tools/vault/vault-read.sh /secret/postgres
{"ghost-pass": "CHANGE-ME-TOO-ghost-pass",
 "ghost-user": "ghost",
 "root-pass": "CHANGE-ME-root-pass",
 "root-user": "postgres"}

NOTE: for these vault scripts to work you would need jq (i.e. to parse JSON responses from Vault).

brew install jq or apt-get install jq or similar

Running it

export ACCESS_TOKEN=$(./tools/vault/wrap-token.sh /secret/postgres); docker-compose up

notice we are using Vault to create a temp token (wrapping our "secret") that is passed to docker containers.

Ghost running on PostgreSQL is up and ready for you: http://localhost:2368/

Ghost creds are still in clear!?

Yes, I know, and opened an issue which, once solved, will allow to read Ghost creds from Vault as well.

What's next

nginx will follow...

License

Copyright © 2016 tolitius

Distributed under the Eclipse Public License either version 1.0 or (at your option) any later version.

About

docker compose: ghost + postgres + nginx w/ vault creds

Resources

Readme
Activity

Stars

4 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages