
Marathon env plugin to handle secrets using HashiCorp Vault

Primary language: Scala. License: Apache-2.0.

Marathon Vault Plugin

POC implementation of the Marathon Secret API. It exposes secrets from Vault as Marathon ENV variables. See also the DC/OS guide for more info.

Compatibility

Tested with Marathon v1.5.1.

Package

sbt test clean assembly

The following artifact will be built: target/scala-2.11/marathon-vault-plugin-assembly-0.1.0.jar

Installation

  1. Install Vault using this package. Unseal it and add a test key to developer/my-secret.
  2. Edit the provided plugin-conf.json and upload it to the Marathon host as /etc/marathon/plugin-conf.json.
  3. Upload the built artifact to /etc/marathon/plugins/marathon-vault-plugin-assembly-0.1.0.jar
  4. Provide the following options to the Marathon config:
   --plugin_dir "/etc/marathon/plugins" \
   --plugin_conf "/etc/marathon/plugin-conf.json" \
   --enable_features "secrets,..."

/etc/systemd/system/dcos-marathon.service is one possible place to look for the Marathon config.

  5. Restart Marathon to load the plugin.
  6. Deploy a test container:
{
  "id":"/developer/service",
  "cmd":"sleep 100",
  "env":{
     "MY_SECRET":{
        "secret":"secret0"
     }
  },
  "secrets":{
     "secret0":{
        "source":"developer/my-secret"
     }
  }
}
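
The test app above wires an env variable to a named secret, and that name to a Vault source path. The following pre-deployment check of that wiring is an added example, not part of the plugin or its README; the function name check_secret_refs and the extended sample app are constructed for illustration.

```python
import json

# Constructed sample: the page's test app plus deliberate mistakes.
SAMPLE_APP = json.loads("""
{
  "id": "/developer/service",
  "cmd": "sleep 100",
  "env": {
    "MY_SECRET": {"secret": "secret0"},
    "DB_PASSWORD": {"secret": "secret1"},
    "LOG_LEVEL": "info"
  },
  "secrets": {
    "secret0": {"source": "developer/my-secret"},
    "unused": {"source": ""}
  }
}
""")


def check_secret_refs(app):
    """Return a sorted list of problems with the env/secrets wiring of one app."""
    problems = []
    secrets = app.get("secrets") or {}
    referenced = set()
    for var, value in (app.get("env") or {}).items():
        if not isinstance(value, dict):
            continue  # plain string value, not a secret reference
        name = value.get("secret")
        if not isinstance(name, str) or not name:
            problems.append(f"env {var}: object value without a 'secret' name")
        elif name not in secrets:
            problems.append(f"env {var}: references undefined secret '{name}'")
        else:
            referenced.add(name)
    for name, spec in secrets.items():
        source = spec.get("source") if isinstance(spec, dict) else None
        if not isinstance(source, str) or not source.strip():
            problems.append(f"secret {name}: missing or empty 'source'")
        if name not in referenced:
            problems.append(f"secret {name}: declared but not used by any env variable")
    return sorted(problems)


if __name__ == "__main__":
    for line in check_secret_refs(SAMPLE_APP):
        print(line)
```

An empty list means every env reference resolves to a declared secret with a source path; the check does not contact Vault, so it cannot tell whether the path exists there.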

Kudos

Based on blackgold/marathon-vault-plugin and servehub/marathon-secrets-plugin.

See also the blackgold blog post for more info.