concourse secret sharing does not fully define how to configure vault

Question

i am following the instructions here for how to configure vault for sharing secrets.

ultimately i just want to get my bot's creds to git resources.

i am deploying via docker compose, and have successfully added a vault server to compose.

• where do i run the concourse atc commands? atc is not a valid command off of the concourse binary found in the concourse/concourse images
• can get away from needing this separate secret service entirely if i just put some creds in a file on my box somewhere? if not, can i run it over http vs https? its all in a trusted environment already

thanks!

Answer 1

Sorry about that! It looks like our documentation was incorrect.

Those should all say

concourse web --vault-url ...

If you're running via docker-compose then you should set the appropriate environment variables in your web instance, e.g. $CONCOURSE_VAULT_URL or $CONCOURSE_VAULT_CLIENT_TOKEN.

If you ever need to know what parameters can be configured, you can always run docker run concourse/concourse web --help or docker run concourse/concourse worker --help.

Answer 2

I created a boilerplate we pre-configured vault support at https://github.com/EugenMayer/concourseci-server-boilerplate the most interesting part on how to setup vault support is part of the configurator

https://github.com/EugenMayer/docker-image-concourse-configurator/blob/master/bin/vault_init.sh

and since client-cert auth is used, also https://github.com/EugenMayer/docker-image-concourse-configurator/blob/master/bin/vault_client_cert.sh

You see proper examples on how to store values at https://github.com/EugenMayer/concourseci-server-boilerplate/blob/master/run_vault_test.sh

I am aware, i am linking external sources here, but this topic is way to broad to be answered inline. I posted this just as a reference for anybody looking for further examples - since i did not find a single one for myself