author | Mike Crute <mike@crute.us> | 2022-12-03 15:57:04 -0800 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2022-12-03 15:57:04 -0800 |
commit | 160e07cdf0fa44e92802761269402aa8a461b5a8 (patch) | |
tree | e450325a084efa149b0ef6f0d87e8b9d056da68a | |
parent | 0a279b1cbcea59d77233f383cd006342883d2165 (diff) | |
vault: add dockerfile
-rw-r--r-- | vault/Dockerfile | 24 | ||||
-rw-r--r-- | vault/Makefile | 23 | ||||
-rwxr-xr-x | vault/entrypoint.sh | 35 | ||||
-rw-r--r-- | vault/vault.hcl | 26 |
4 files changed, 108 insertions, 0 deletions
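--- /dev/null
+++ b/vault/Dockerfile
@@ -0,0 +1,24 @@
+FROM alpine:latest
+LABEL maintainer="Mike Crute <mike@crute.us>"
+
+ARG vault_version
+
+RUN set -euxo pipefail; \
+apk --no-cache add \
+gettext \
+openssl \
+; \
+\
+wget https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip; \
+unzip vault_${vault_version}_linux_amd64.zip; \
+rm vault_${vault_version}_linux_amd64.zip; \
+mv vault /usr/sbin/vault;
+
+# This breaks the executable for some reason
+# setcap cap_ipc_lock=+ep /usr/sbin/vault;
+
+ADD vault.hcl /vault.hcl.tpl
+ADD entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "/usr/sbin/vault", "server", "-config=vault.hcl" ]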
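Review bot: The wget on line 12 installs the Vault binary without checking it against the SHA256SUMS file HashiCorp publishes next to every release zip, so a truncated or tampered download would be placed in /usr/sbin/vault silently; the base image `alpine:latest` is likewise unpinned, so the build is not reproducible. Add, before the unzip, `wget https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS; \` and `grep " vault_${vault_version}_linux_amd64.zip$" vault_${vault_version}_SHA256SUMS | sha256sum -c -; \`, and delete the sums file together with the zip. Verifying the detached signature over the sums file would be stronger still, but it needs gnupg and the HashiCorp release key in the image, so I have not proposed it inline. Note also that `unzip` is not among the apk packages on lines 7-10, so the step appears to rely on the busybox applet; worth a comment if that is intended.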
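--- /dev/null
+++ b/vault/Makefile
@@ -0,0 +1,23 @@
+VERSION=1.10.2
+IMAGE=docker.crute.me/vault:$(VERSION)
+LATEST=$(subst :$(VERSION),,$(IMAGE)):latest
+
+all:
+docker build \
+--no-cache \
+--build-arg=vault_version=$(VERSION) \
+-t $(IMAGE) .
+run:
+docker run -ti \
+-p 8200:8200 \
+-p 8201:8201 \
+-v ${PWD}/vault-data:/data \
+-e VAULT_RAFT_NODE_ID="node1" \
+-e CLUSTER_ADDRESS="172.16.0.191:8201" \
+-e API_ADDRESS="172.16.0.191:8200" \
+docker.crute.me/vault:latest
+
+publish:
+docker push $(IMAGE)
+docker tag $(IMAGE) $(LATEST)
+docker push $(LATEST)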
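Review bot: The `run` target on lines 11-18 never sets ENTRYPOINT_VAULT_HOSTNAME, which vault/entrypoint.sh in this same commit requires (its lines 20-23 exit 1 when the variable is empty), so `make run` starts a container that exits immediately. Either add `-e ENTRYPOINT_VAULT_HOSTNAME="<hostname placeholder>" \` alongside the other `-e` lines, or drop the check from the entrypoint, since its only consumer there is the commented-out openssl block. A blank line before `run:` on line 10 would also match the spacing used around the other targets.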
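--- /dev/null
+++ b/vault/entrypoint.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -e
+
+if [ -z "$API_ADDRESS" ]; then
+echo "Environment variable API_ADDRESS must be specified as addr:port"
+exit 1
+fi
+
+if [ -z "$CLUSTER_ADDRESS" ]; then
+echo "Environment variable CLUSTER_ADDRESS must be specified as addr:port"
+exit 1
+fi
+
+if [ -z "$VAULT_RAFT_NODE_ID" ]; then
+echo "Environment variable VAULT_RAFT_NODE_ID must be specified"
+exit 1
+fi
+
+if [ -z "$ENTRYPOINT_VAULT_HOSTNAME" ]; then
+echo "Environment variable ENTRYPOINT_VAULT_HOSTNAME must be specified"
+exit 1
+fi
+
+#openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
+# -keyout /private_key.pem -out /certificate.pem \
+# -subj "/C=US/L=Seattle/O=Pomona Consulting LLC/CN=${ENTRYPOINT_VAULT_HOSTNAME}"
+
+envsubst < /vault.hcl.tpl > /vault.hcl
+
+# TODO: Fix SAN
+# TODO: Issuer has host CN
+# TODO: Subject can just be CN
+
+exec "$@"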
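Review bot: The `envsubst` call on line 29 is given no variable list, so it rewrites every `${...}` occurrence in the template from the container environment, not just the two the template is meant to take; restricting it to `envsubst '${API_ADDRESS} ${CLUSTER_ADDRESS}' < /vault.hcl.tpl > /vault.hcl` keeps any future literal `${...}` in vault.hcl intact and makes the contract explicit. The four error messages on lines 6, 11, 16 and 21 go to stdout; as diagnostics they belong on stderr, e.g. `echo "..." >&2`. The check on lines 20-23 requires ENTRYPOINT_VAULT_HOSTNAME although its only use is the commented-out openssl block, so either remove the check or add a comment saying the variable is reserved for the planned certificate step. The script writes `/vault.hcl` while the Dockerfile's CMD passes the relative `-config=vault.hcl`; this appears to work only because the working directory is `/`, so passing `-config=/vault.hcl` would remove that dependency.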
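--- /dev/null
+++ b/vault/vault.hcl
@@ -0,0 +1,26 @@
+ui = true
+
+storage "raft" {
+path = "/data"
+}
+
+listener "tcp" {
+address = "[::]:8200"
+cluster_address = "[::]:8201"
+
+tls_cert_file = "/data/ssl/letsencrypt_vault_sea4_crute_me.pem"
+tls_key_file = "/data/ssl/letsencrypt_vault_sea4_crute_me_key.pem"
+
+telemetry {
+unauthenticated_metrics_access = true
+}
+}
+
+telemetry {
+disable_hostname = true
+}
+
+disable_mlock = true
+
+api_addr = "https://${API_ADDRESS}"
+cluster_addr = "https://${CLUSTER_ADDRESS}"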
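Review bot: `unauthenticated_metrics_access = true` on line 15 makes the metrics endpoint of the listener bound to `[::]:8200` readable without a token, and nothing on the page limits who can reach that port; if the intent is a scraper on the same network, document it with a comment above the line, e.g. `# Metrics are served without a token; keep :8200 reachable only from the scraper or set this to false`. The TLS material on lines 11-12 is read from the `/data` volume that also holds raft storage, so the key file's permissions inside that volume decide who can read it; a comment noting the expected ownership would help whoever mounts it. `disable_mlock = true` on line 23 is consistent with the Dockerfile comment that setcap was not applied, so the behaviour matches the build.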