Docker Image
Using environmental variable substitution with containerized environments
Docker Secrets Management
Features
Pass secret credentials from the Keeper Vault to Docker images
Build Docker Images with secret credentials from the Keeper Vault using build arguments
Copy files from the Keeper vault into Docker containers
For a complete list of Keeper Secrets Manager features see the Overview
Prerequisites
This page documents the Secrets Manager Docker Image b Actions integration. In order to utilize this integration, you will need:
Keeper Secrets Manager access (See the Quick Start Guide for more details)
Secrets Manager addon enabled for your Keeper account
Membership in a Role with the Secrets Manager enforcement policy enabled
A Keeper Secrets Manager Application with secrets shared to it
See the Quick Start Guide for instructions on creating an Application
The Keeper Secrets Manager (KSM) CLI Tool
See instructions on setting up the KSM CLI here
About
The Secrets Manager CLI can be used to pull secrets from a Docker image at runtime, or it can be used by building it into the docker image. Several use cases are described in this document.
Example 1: Build an Image with Secrets using BuildKit
Secrets from the Keeper Vault can be built into a Docker container using Docker BuildKit. As of Docker 18.09 or later, image building supports the ability to pass secrets in via a mounted file system. As a simple example demonstrating this capability, we will be creating a user account in the destination image with a username and password from Keeper Secrets Manager.
Step 1: Set Environmental Variables with Keeper notation for the secrets that are needed. For more notation examples click here.
Step 2: Using the ksm exec
command, the Docker build is created with the 2 secrets (login and password). The --secret
parameters will pull values from the environmental variables that have been substituted with Keeper secrets.
Step 3: In the dockerfile, we will create a linux user account using useradd
and then set the password with chpasswd
. The Docker file is below:
In this example, each secret is mounted as a file. The 'dst' value specifies where you want to temporarily store the secret. Once the RUN command is finished, the temporary file will be removed and unmounted. You can either pass the file name as an argument or in this case we are using cat $(/path/to/secret)
to read the file contents into a variable.
Example 2: Build an Image with Secrets using Build Arguments
Similar to example 1, you can pass in secrets via the --build-arg
. This example will also demonstrate the ability of using secrets in a Docker build process.
Step 1: Set Environmental Variables with Keeper notation for the secrets that are needed. For more notation examples click here.
Step 2: Using the ksm exec
command, the Docker build is created with the 2 secrets (login and password). The flag --inline
processes the replacement of secrets. For example:
Step 3: In the dockerfile, we will create a linux user account using useradd
and then set the password with chpasswd
. The Docker file is below:
To prevent secrets being sent to stdout from the printenv
command, use the --null
option to remove the line feed.
Example 3: Using docker-compose to Build an Image with Secrets
In this example, we will use docker-compose to build an image. Docker-compose cannot populate build args from environment variables. To replace notation with secret values, the build args need to be set via the command line. Since the notation will be on the command line, the --inline replacement flag needs to be set.
Step 1: Create a simple docker-compose.yaml
file:
Step 2: Using the ksm exec
command, the Docker build is created with the 2 secrets (login and password). The flag --inline
processes the replacement of secrets. For example:
Step 3: In the dockerfile, we will create a linux user account using useradd
and then set the password with chpasswd
. The Docker file is below:
To prevent secrets being sent to stdout from the printenv
command, use the --null
option to remove the line feed.
Example 4: Copy files from vault to Docker Image
In this real world example, we copy an SSL certificate and passphrase from the Keeper Vault to a Tomcat container.
By default, the official Tomcat docker contains a default server configuration that does not have SSL enabled. We are going build a custom image that installs our server.xml, copies over the keystore file, and enables SSL. The server.xml file also contains the secret passphrase for the keystore file.
Step 1: Create a Keeper Secret Record
In the Keeper Vault, create a secret record that contains 2 file attachments: server.xml
and localhost-rsa.jks
as seen below:
Make note of the Record UID in the information dialog which will be used in the dockerfile. Click the Record UID to copy to your clipboard.
Step 2: Create the dockerfile
The below dockerfile example copies the server.xml and keystore files from the vault into the Tomcat folder.
Note that in this use case, ksm
is no longer needed after the build, so it is deleted.
Step 3: Create a shell script to execute the docker build
To execute the docker build the below script will pass in the Secrets Manager device configuration and Record UID that contains the secret files.
When the docker image is built, it will be fully configured with SSL, keystore file and passphrase that are managed by the Keeper Vault. 😃😃😃
Integration with Docker Compose
Keeper Secrets Manager supports direct integration with Docker Compose using the KSM Writer Docker image.
Learn more about the KSM Writer Docker image here.
Contribute to the Docker Image Examples
If you have some great examples to contribute to this page, please ping us on Slack or email sm@keepersecurity.com.
Last updated