vault: add dockerfile

author: Mike Crute <mike@crute.us> 2022-12-03 15:57:04 -0800
committer: Mike Crute <mike@crute.us> 2022-12-03 15:57:04 -0800
commit: 160e07cdf0fa44e92802761269402aa8a461b5a8 (patch)
tree: e450325a084efa149b0ef6f0d87e8b9d056da68a
parent: 0a279b1cbcea59d77233f383cd006342883d2165 (diff)
download: dockerfiles-160e07cdf0fa44e92802761269402aa8a461b5a8.tar.bz2
dockerfiles-160e07cdf0fa44e92802761269402aa8a461b5a8.tar.xz
dockerfiles-160e07cdf0fa44e92802761269402aa8a461b5a8.zip
4 files changed, 108 insertions, 0 deletions
diff --git a/vault/Dockerfile b/vault/Dockerfile
new file mode 100644
index 0000000..bf8f9e7
--- /dev/null
+++ b/vault/Dockerfile
@@ -0,0 +1,24 @@
+FROM alpine:latest
+LABEL maintainer="Mike Crute <mike@crute.us>"
+ARG vault_version
+RUN set -euxo pipefail; \
+    apk --no-cache add \
+        gettext \
+        openssl \
+    ; \
+    \
+    wget https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip; \
+    unzip vault_${vault_version}_linux_amd64.zip; \
+    rm vault_${vault_version}_linux_amd64.zip; \
+    mv vault /usr/sbin/vault;
+# This breaks the executable for some reason
+#    setcap cap_ipc_lock=+ep /usr/sbin/vault;
+ADD vault.hcl /vault.hcl.tpl
+ADD entrypoint.sh /entrypoint.sh
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "/usr/sbin/vault", "server", "-config=vault.hcl" ]
diff --git a/vault/Makefile b/vault/Makefile
new file mode 100644
index 0000000..fc633f6
--- /dev/null
+++ b/vault/Makefile
@@ -0,0 +1,23 @@
+VERSION=1.10.2
+IMAGE=docker.crute.me/vault:$(VERSION)
+LATEST=$(subst :$(VERSION),,$(IMAGE)):latest
+all:
+        docker build \
+                --no-cache \
+                --build-arg=vault_version=$(VERSION) \
+                -t $(IMAGE) .
+run:
+        docker run -ti \
+                -p 8200:8200 \
+                -p 8201:8201 \
+                -v ${PWD}/vault-data:/data \
+                -e VAULT_RAFT_NODE_ID="node1" \
+                -e CLUSTER_ADDRESS="172.16.0.191:8201" \
+                -e API_ADDRESS="172.16.0.191:8200" \
+                docker.crute.me/vault:latest
+publish:
+        docker push $(IMAGE)
+        docker tag $(IMAGE) $(LATEST)
+        docker push $(LATEST)
diff --git a/vault/entrypoint.sh b/vault/entrypoint.sh
new file mode 100755
index 0000000..52b2689
--- /dev/null
+++ b/vault/entrypoint.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+set -e
+if [ -z "$API_ADDRESS" ]; then
+        echo "Environment variable API_ADDRESS must be specified as addr:port"
+        exit 1
+fi
+if [ -z "$CLUSTER_ADDRESS" ]; then
+        echo "Environment variable CLUSTER_ADDRESS must be specified as addr:port"
+        exit 1
+fi
+if [ -z "$VAULT_RAFT_NODE_ID" ]; then
+        echo "Environment variable VAULT_RAFT_NODE_ID must be specified"
+        exit 1
+fi
+if [ -z "$ENTRYPOINT_VAULT_HOSTNAME" ]; then
+        echo "Environment variable ENTRYPOINT_VAULT_HOSTNAME must be specified"
+        exit 1
+fi
+#openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
+#       -keyout /private_key.pem -out /certificate.pem \
+#       -subj "/C=US/L=Seattle/O=Pomona Consulting LLC/CN=${ENTRYPOINT_VAULT_HOSTNAME}"
+envsubst < /vault.hcl.tpl > /vault.hcl
+# TODO: Fix SAN
+# TODO: Issuer has host CN
+# TODO: Subject can just be CN
+exec "$@"
diff --git a/vault/vault.hcl b/vault/vault.hcl
new file mode 100644
index 0000000..ac7d771
--- /dev/null
+++ b/vault/vault.hcl
@@ -0,0 +1,26 @@
+ui = true
+storage "raft" {
+    path = "/data"
+}
+listener "tcp" {
+    address = "[::]:8200"
+    cluster_address = "[::]:8201"
+    tls_cert_file = "/data/ssl/letsencrypt_vault_sea4_crute_me.pem"
+    tls_key_file = "/data/ssl/letsencrypt_vault_sea4_crute_me_key.pem"
+    telemetry {
+        unauthenticated_metrics_access = true
+    }
+}
+telemetry {
+    disable_hostname = true
+}
+disable_mlock = true
+api_addr = "https://${API_ADDRESS}"
+cluster_addr = "https://${CLUSTER_ADDRESS}"
author	Mike Crute <mike@crute.us>	2022-12-03 15:57:04 -0800
committer	Mike Crute <mike@crute.us>	2022-12-03 15:57:04 -0800
commit	160e07cdf0fa44e92802761269402aa8a461b5a8 (patch)
tree	e450325a084efa149b0ef6f0d87e8b9d056da68a
parent	0a279b1cbcea59d77233f383cd006342883d2165 (diff)
download	dockerfiles-160e07cdf0fa44e92802761269402aa8a461b5a8.tar.bz2 dockerfiles-160e07cdf0fa44e92802761269402aa8a461b5a8.tar.xz dockerfiles-160e07cdf0fa44e92802761269402aa8a461b5a8.zip

diff --git a/vault/Dockerfile b/vault/Dockerfile new file mode 100644 index 0000000..bf8f9e7 --- /dev/null +++ b/vault/Dockerfile
@@ -0,0 +1,24 @@
	1	FROM alpine:latest
	2	LABEL maintainer="Mike Crute <mike@crute.us>"
	3
	4	ARG vault_version
	5
	6	RUN set -euxo pipefail; \
	7	apk --no-cache add \
	8	gettext \
	9	openssl \
	10	; \
	11	\
	12	wget https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip; \
	13	unzip vault_${vault_version}_linux_amd64.zip; \
	14	rm vault_${vault_version}_linux_amd64.zip; \
	15	mv vault /usr/sbin/vault;
	16
	17	# This breaks the executable for some reason
	18	# setcap cap_ipc_lock=+ep /usr/sbin/vault;
	19
	20	ADD vault.hcl /vault.hcl.tpl
	21	ADD entrypoint.sh /entrypoint.sh
	22
	23	ENTRYPOINT [ "/entrypoint.sh" ]
	24	CMD [ "/usr/sbin/vault", "server", "-config=vault.hcl" ]


diff --git a/vault/Makefile b/vault/Makefile new file mode 100644 index 0000000..fc633f6 --- /dev/null +++ b/vault/Makefile
@@ -0,0 +1,23 @@
	1	VERSION=1.10.2
	2	IMAGE=docker.crute.me/vault:$(VERSION)
	3	LATEST=$(subst :$(VERSION),,$(IMAGE)):latest
	4
	5	all:
	6	docker build \
	7	--no-cache \
	8	--build-arg=vault_version=$(VERSION) \
	9	-t $(IMAGE) .
	10	run:
	11	docker run -ti \
	12	-p 8200:8200 \
	13	-p 8201:8201 \
	14	-v ${PWD}/vault-data:/data \
	15	-e VAULT_RAFT_NODE_ID="node1" \
	16	-e CLUSTER_ADDRESS="172.16.0.191:8201" \
	17	-e API_ADDRESS="172.16.0.191:8200" \
	18	docker.crute.me/vault:latest
	19
	20	publish:
	21	docker push $(IMAGE)
	22	docker tag $(IMAGE) $(LATEST)
	23	docker push $(LATEST)


diff --git a/vault/entrypoint.sh b/vault/entrypoint.sh new file mode 100755 index 0000000..52b2689 --- /dev/null +++ b/vault/entrypoint.sh
@@ -0,0 +1,35 @@
	1	#!/bin/sh
	2
	3	set -e
	4
	5	if [ -z "$API_ADDRESS" ]; then
	6	echo "Environment variable API_ADDRESS must be specified as addr:port"
	7	exit 1
	8	fi
	9
	10	if [ -z "$CLUSTER_ADDRESS" ]; then
	11	echo "Environment variable CLUSTER_ADDRESS must be specified as addr:port"
	12	exit 1
	13	fi
	14
	15	if [ -z "$VAULT_RAFT_NODE_ID" ]; then
	16	echo "Environment variable VAULT_RAFT_NODE_ID must be specified"
	17	exit 1
	18	fi
	19
	20	if [ -z "$ENTRYPOINT_VAULT_HOSTNAME" ]; then
	21	echo "Environment variable ENTRYPOINT_VAULT_HOSTNAME must be specified"
	22	exit 1
	23	fi
	24
	25	#openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
	26	# -keyout /private_key.pem -out /certificate.pem \
	27	# -subj "/C=US/L=Seattle/O=Pomona Consulting LLC/CN=${ENTRYPOINT_VAULT_HOSTNAME}"
	28
	29	envsubst < /vault.hcl.tpl > /vault.hcl
	30
	31	# TODO: Fix SAN
	32	# TODO: Issuer has host CN
	33	# TODO: Subject can just be CN
	34
	35	exec "$@"


diff --git a/vault/vault.hcl b/vault/vault.hcl new file mode 100644 index 0000000..ac7d771 --- /dev/null +++ b/vault/vault.hcl
@@ -0,0 +1,26 @@
	1	ui = true
	2
	3	storage "raft" {
	4	path = "/data"
	5	}
	6
	7	listener "tcp" {
	8	address = "[::]:8200"
	9	cluster_address = "[::]:8201"
	10
	11	tls_cert_file = "/data/ssl/letsencrypt_vault_sea4_crute_me.pem"
	12	tls_key_file = "/data/ssl/letsencrypt_vault_sea4_crute_me_key.pem"
	13
	14	telemetry {
	15	unauthenticated_metrics_access = true
	16	}
	17	}
	18
	19	telemetry {
	20	disable_hostname = true
	21	}
	22
	23	disable_mlock = true
	24
	25	api_addr = "https://${API_ADDRESS}"
	26	cluster_addr = "https://${CLUSTER_ADDRESS}"