Skip to content

Vault

Since testcontainers-go v0.20.0

Introduction

The Testcontainers module for Vault. Vault is an open-source tool designed for securely storing, accessing, and managing secrets and sensitive data such as passwords, certificates, API keys, and other confidential information.

Adding this module to your project dependencies

Please run the following command to add the Vault module to your Go dependencies:

go get github.com/testcontainers/testcontainers-go/modules/vault

Usage example

The RunWithImage function is the main entry point to create a new VaultContainer instance. It takes a context and zero or more Option values to configure the container.

    ctx := context.Background()

    vaultContainer, err := vault.Run(ctx, "hashicorp/vault:1.13.0")
    defer func() {
        if err := testcontainers.TerminateContainer(vaultContainer); err != nil {
            log.Printf("failed to terminate container: %s", err)
        }
    }()
    if err != nil {
        log.Printf("failed to start container: %s", err)
        return
    }

 ⋯

    ctx := context.Background()

    vaultContainer, err := vault.Run(ctx, "hashicorp/vault:1.13.0", vault.WithToken("MyToKeN"))
    defer func() {
        if err := testcontainers.TerminateContainer(vaultContainer); err != nil {
            log.Printf("failed to terminate container: %s", err)
        }
    }()
    if err != nil {
        log.Printf("failed to start container: %s", err)
        return
    }

 ⋯

    ctx := context.Background()

    vaultContainer, err := vault.Run(ctx, "hashicorp/vault:1.13.0", vault.WithToken("MyToKeN"), vault.WithInitCommand(
        "auth enable approle",                         // Enable the approle auth method
        "secrets disable secret",                      // Disable the default secret engine
        "secrets enable -version=1 -path=secret kv",   // Enable the kv secret engine at version 1
        "write --force auth/approle/role/myrole",      // Create a role
        "write secret/testing top_secret=password123", // Create a secret
    ))
    defer func() {
        if err := testcontainers.TerminateContainer(vaultContainer); err != nil {
            log.Printf("failed to terminate container: %s", err)
        }
    }()
    if err != nil {
        log.Printf("failed to start container: %s", err)
        return
    }

Use CLI to read data from Vault container:

exec, reader, err := vaultContainer.Exec(ctx, []string{"vault", "kv", "get", "-format=json", "secret/test1"})

The vaultContainer is the container instance obtained from RunWithImage.

Use HTTP API to read data from Vault container:

request, _ := http.NewRequest(http.MethodGet, hostAddress+"/v1/secret/data/test1", nil)
request.Header.Add("X-Vault-Token", token)

response, err := http.DefaultClient.Do(request)

The hostAddress is obtained from the container instance. Please see here for more details.

Use client library to read data from Vault container:

Add Vault Client module to your Go dependencies:

go get -u github.com/hashicorp/vault-client-go

client, err := vaultClient.New(
    vaultClient.WithAddress(hostAddress),
    vaultClient.WithRequestTimeout(30*time.Second),
)
require.NoError(t, err)

err = client.SetToken(token)
require.NoError(t, err)

s, err := client.Secrets.KvV2Read(ctx, "test1", vaultClient.WithMountPath("secret"))

Module Reference

Run function

Info

The RunContainer(ctx, opts...) function is deprecated and will be removed in the next major release of Testcontainers for Go.

The Vault module exposes one entrypoint function to create the container, and this function receives three parameters:

func Run(ctx context.Context, img string, opts ...testcontainers.ContainerCustomizer) (*VaultContainer, error)
  • context.Context, the Go context.
  • string, the Docker image to use.
  • testcontainers.ContainerCustomizer, a variadic argument for passing options.

Container Options

When starting the Vault container, you can pass options in a variadic way to configure it.

Image

Use the second argument in the Run function to set a valid Docker image. In example: Run(context.Background(), "hashicorp/vault:1.13.0").

Image Substitutions

In more locked down / secured environments, it can be problematic to pull images from Docker Hub and run them without additional precautions.

An image name substitutor converts a Docker image name, as may be specified in code, to an alternative name. This is intended to provide a way to override image names, for example to enforce pulling of images from a private registry.

Testcontainers for Go exposes an interface to perform this operation: ImageSubstitutor, and a No-operation implementation to be used as reference for custom implementations:

// ImageSubstitutor represents a way to substitute container image names
type ImageSubstitutor interface {
    // Description returns the name of the type and a short description of how it modifies the image.
    // Useful to be printed in logs
    Description() string
    Substitute(image string) (string, error)
}

type NoopImageSubstitutor struct{}

// Description returns a description of what is expected from this Substitutor,
// which is used in logs.
func (s NoopImageSubstitutor) Description() string {
    return "NoopImageSubstitutor (noop)"
}

// Substitute returns the original image, without any change
func (s NoopImageSubstitutor) Substitute(image string) (string, error) {
    return image, nil
}

Using the WithImageSubstitutors options, you could define your own substitutions to the container images. E.g. adding a prefix to the images so that they can be pulled from a Docker registry other than Docker Hub. This is the usual mechanism for using Docker image proxies, caches, etc.

WithImageMount

Since Docker v28, it's possible to mount an image to a container, passing the source image name, the relative subpath to mount in that image, and the mount point in the target container.

This option validates that the subpath is a relative path, raising an error otherwise.

newOllamaContainer, err := tcollama.Run(
    ctx,
    "ollama/ollama:0.5.12",
    testcontainers.WithImageMount(targetImage, "root/.ollama/models/", "/root/.ollama/models/"),
)

In the code above, which mounts the directory in which Ollama models are stored, the targetImage is the name of the image containing the models (an Ollama image where the models are already pulled).

Warning

Using this option fails the creation of the container if the underlying container runtime does not support the image mount feature.

WithEnv

If you need to either pass additional environment variables to a container or override them, you can use testcontainers.WithEnv for example:

ctr, err = mymodule.Run(ctx, "docker.io/myservice:1.2.3", testcontainers.WithEnv(map[string]string{"FOO": "BAR"}))

WithExposedPorts

If you need to expose additional ports from the container, you can use testcontainers.WithExposedPorts. For example:

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", 
    testcontainers.WithExposedPorts("8080/tcp", "9090/tcp"))

WithEntrypoint

If you need to completely replace the container's entrypoint, you can use testcontainers.WithEntrypoint. For example:

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", 
    testcontainers.WithEntrypoint("/bin/sh", "-c", "echo hello"))

WithEntrypointArgs

If you need to append commands to the container's entrypoint, you can use testcontainers.WithEntrypointArgs. For example:

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", 
    testcontainers.WithEntrypointArgs("echo", "hello"))

WithCmd

If you need to completely replace the container's command, you can use testcontainers.WithCmd. For example:

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", 
    testcontainers.WithCmd("echo", "hello"))

WithCmdArgs

If you need to append commands to the container's command, you can use testcontainers.WithCmdArgs. For example:

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", 
    testcontainers.WithCmdArgs("echo", "hello"))

WithLabels

If you need to add Docker labels to the container, you can use testcontainers.WithLabels. For example:

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", 
    testcontainers.WithLabels(map[string]string{
        "environment": "testing",
        "project":     "myapp",
    }))

WithFiles

If you need to copy files into the container, you can use testcontainers.WithFiles. For example:

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", 
    testcontainers.WithFiles([]testcontainers.ContainerFile{
        {
            HostFilePath:      "/path/to/local/file.txt",
            ContainerFilePath: "/container/file.txt",
            FileMode:          0o644,
        },
    }))

This option allows you to copy files from the host into the container at creation time.

WithMounts

If you need to add volume mounts to the container, you can use testcontainers.WithMounts. For example:

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", 
    testcontainers.WithMounts([]testcontainers.ContainerMount{
        {
            Source: testcontainers.GenericVolumeMountSource{Name: "appdata"},
            Target: "/app/data",
        },
    }))

WithTmpfs

If you need to add tmpfs mounts to the container, you can use testcontainers.WithTmpfs. For example:

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", 
    testcontainers.WithTmpfs(map[string]string{
        "/tmp": "size=100m",
        "/run": "size=100m",
    }))

WithHostPortAccess

If you need to access a port that is already running in the host, you can use testcontainers.WithHostPortAccess for example:

ctr, err = mymodule.Run(ctx, "docker.io/myservice:1.2.3", testcontainers.WithHostPortAccess(8080))

To understand more about this feature, please read the Exposing host ports to the container documentation.

WithLogConsumers

If you need to consume the logs of the container, you can use testcontainers.WithLogConsumers with a valid log consumer. An example of a log consumer is the following:

type TestLogConsumer struct {
    Msgs []string
}

func (g *TestLogConsumer) Accept(l Log) {
    g.Msgs = append(g.Msgs, string(l.Content))
}

WithLogger

If you need to either pass logger to a container, you can use testcontainers.WithLogger.

Info

Consider calling this before other "With" functions as these may generate logs.

In this example we also use the testcontainers-go log.TestLogger, which writes to the passed in testing.TB using Logf. The result is that we capture all logging from the container into the test context meaning its hidden behind go test -v and is associated with the relevant test, providing the user with useful context instead of appearing out of band.

func TestHandler(t *testing.T) {
    logger := log.TestLogger(t)
    ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", testcontainers.WithLogger(logger))
    CleanupContainer(t, ctr)
    require.NoError(t, err)
    // Do something with container.
}

Please read the Following Container Logs documentation for more information about creating log consumers.

Wait Strategies

If you need to set a different wait strategy for the container, you can use testcontainers.WithWaitStrategy with a valid wait strategy.

Info

The default deadline for the wait strategy is 60 seconds.

At the same time, it's possible to set a wait strategy and a custom deadline with testcontainers.WithWaitStrategyAndDeadline.

Startup Commands

Testcontainers exposes the WithStartupCommand(e ...Executable) option to run arbitrary commands in the container right after it's started.

Info

To better understand how this feature works, please read the Create containers: Lifecycle Hooks documentation.

It also exports an Executable interface, defining the following methods:

  • AsCommand(), which returns a slice of strings to represent the command and positional arguments to be executed in the container;
  • Options(), which returns the slice of functional options with the Docker's ExecConfigs used to create the command in the container (the working directory, environment variables, user executing the command, etc) and the possible output format (Multiplexed).

You could use this feature to run a custom script, or to run a command that is not supported by the module right after the container is started.

Ready Commands

Testcontainers exposes the WithAfterReadyCommand(e ...Executable) option to run arbitrary commands in the container right after it's ready, which happens when the defined wait strategies have finished with success.

Info

To better understand how this feature works, please read the Create containers: Lifecycle Hooks documentation.

It leverages the Executable interface to represent the command and positional arguments to be executed in the container.

You could use this feature to run a custom script, or to run a command that is not supported by the module right after the container is ready.

Build from Dockerfile

Testcontainers exposes the testcontainers.WithDockerfile option to build a container from a Dockerfile. The functional option receives a testcontainers.FromDockerfile struct that is applied to the container request before starting the container. As a result, the container is built and started in one go.

df := testcontainers.FromDockerfile{
    Context:    ".",
    Dockerfile: "Dockerfile",
    Repo:       "testcontainers",
    Tag:        "latest",
    BuildArgs:  map[string]*string{"ARG1": nil, "ARG2": nil},
}   

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", testcontainers.WithDockerfile(df))

WithNetwork

By default, the container is started in the default Docker network. If you want to use an already existing Docker network you created in your code, you can use the network.WithNetwork(aliases []string, nw *testcontainers.DockerNetwork) option, which receives an alias as parameter and your network, attaching the container to it, and setting the network alias for that network.

In the case you need to retrieve the network name, you can simply read it from the struct's Name field. E.g. nw.Name.

Warning

This option is not checking whether the network exists or not. If you use a network that doesn't exist, the container will start in the default Docker network, as in the default behavior.

WithNewNetwork

If you want to attach your containers to a throw-away network, you can use the network.WithNewNetwork(ctx context.Context, aliases []string, opts ...network.NetworkCustomizer) option, which receives an alias as parameter, creating the new network with a random name, attaching the container to it, and setting the network alias for that network.

In the case you need to retrieve the network name, you can use the Networks(ctx) method of the Container interface, right after it's running, which returns a slice of strings with the names of the networks where the container is attached.

Docker type modifiers

If you need an advanced configuration for the container, you can leverage the following Docker type modifiers:

  • testcontainers.WithConfigModifier
  • testcontainers.WithHostConfigModifier
  • testcontainers.WithEndpointSettingsModifier

Please read the Create containers: Advanced Settings documentation for more information.

Customising the ContainerRequest

This option will merge the customized request into the module's own ContainerRequest.

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3",
    /* Other module options */
    testcontainers.CustomizeRequest(testcontainers.GenericContainerRequest{
        ContainerRequest: testcontainers.ContainerRequest{
            Cmd: []string{"-c", "log_statement=all"},
        },
    }),
)

The above example is updating the predefined command of the image, appending them to the module's command.

Info

This can't be used to replace the command, only to append options.

WithReuseByName

This option marks a container to be reused if it exists or create a new one if it doesn't. With the current implementation, the container name must be provided to identify the container to be reused.

ctr, err := mymodule.Run(ctx, "docker.io/myservice:1.2.3", 
    testcontainers.WithReuseByName("my-container-name"),
)

Warning

Reusing a container is experimental and the API is subject to change for a more robust implementation that is not based on container names.

Token

If you need to add token authentication, you can use the WithToken.

testcontainervault.WithToken(token),

Command

If you need to run a vault command in the container, you can use the WithInitCommand.

testcontainervault.WithInitCommand("secrets enable transit", "write -f transit/keys/my-key"),
testcontainervault.WithInitCommand("kv put secret/test1 foo1=bar1"),

Container Methods

HttpHostAddress

This method returns the http host address of Vault, in the http://<host>:<port> format.

hostAddress, err := vaultContainer.HttpHostAddress(ctx)