POC implementation of the Marathon Secret API. It exposes secrets from Vault as Marathon ENV variables. See also the dcos guide for more info.
Tested with Marathon v1.5.1.
    sbt test clean assembly
The following artifact will be built:
    target/scala-2.11/marathon-vault-plugin-assembly-0.1.0.jar
- Install vault using this package. Unseal it and add a test key to developer/my-secret.
- Edit the provided plugin-conf.json and upload it to the marathon host. Put it at /etc/marathon/plugin-conf.json.
- Upload the built artifact to /etc/marathon/plugins/marathon-vault-plugin-assembly-0.1.0.jar
- Provide the following options in the marathon config:
    --plugin_dir "/etc/marathon/plugins" \
    --plugin_conf "/etc/marathon/plugin-conf.json" \
    --enable_features "secrets,..."
  /etc/systemd/system/dcos-marathon.service is one possible place to look for the marathon config.
- Restart marathon to load the plugin.
- Deploy a test container:
    {
      "id": "/developer/service",
      "cmd": "sleep 100",
      "env": {
        "MY_SECRET": {
          "secret": "secret0"
        }
      },
      "secrets": {
        "secret0": {
          "source": "developer/my-secret"
        }
      }
    }
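A pre-deployment check for an app definition of the shape shown above, as an added example that is not part of this project: it follows each env entry through its secret reference to the source path and reports dangling or unused references. The function name and the sample (the test definition plus two deliberate mistakes) are constructed here; only the JSON shape is taken from this page.

```python
import json

# Constructed sample: the page's test app plus two deliberate mistakes
# (DB_PASSWORD points at an undefined secret, secret2 is never used).
SAMPLE_APP = json.loads("""
{
  "id": "/developer/service",
  "cmd": "sleep 100",
  "env": {
    "MY_SECRET": {"secret": "secret0"},
    "DB_PASSWORD": {"secret": "secret1"},
    "LOG_LEVEL": "info"
  },
  "secrets": {
    "secret0": {"source": "developer/my-secret"},
    "secret2": {"source": ""}
  }
}
""")


def resolve_secret_env(app):
    """Return ({env_var: source}, [problems]) for a Marathon app definition."""
    secrets = app.get("secrets", {})
    resolved, problems, used = {}, [], set()
    for name, value in sorted(app.get("env", {}).items()):
        if not isinstance(value, dict):
            continue  # plain string value, not a secret reference
        ref = value.get("secret")
        if ref not in secrets:
            problems.append(f"env {name}: secret '{ref}' is not defined in 'secrets'")
            continue
        used.add(ref)
        source = secrets[ref].get("source")
        if not isinstance(source, str) or not source.strip():
            problems.append(f"env {name}: secret '{ref}' has no 'source'")
            continue
        resolved[name] = source
    for ref in sorted(set(secrets) - used):
        problems.append(f"secret '{ref}' is defined but not referenced by any env var")
    return resolved, problems


if __name__ == "__main__":
    resolved, problems = resolve_secret_env(SAMPLE_APP)
    for name, source in resolved.items():
        print(f"{name} <- {source}")
    for p in problems:
        print("PROBLEM:", p)
```

The check only inspects the definition's structure; it does not contact Vault or confirm that the source path exists there.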
Based on blackgold/marathon-vault-plugin and servehub/marathon-secrets-plugin.
See also the blackgold blog post for more info.