-
Notifications
You must be signed in to change notification settings - Fork 18
/
Dockerfile.vault
102 lines (76 loc) · 3.07 KB
/
Dockerfile.vault
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
FROM golang:1.13.12 AS build
WORKDIR /go/src/github.com/hashicorp/vault
RUN \
curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - && \
echo 'deb http://deb.nodesource.com/node_8.x stretch main' > /etc/apt/sources.list.d/nodesource.list && \
apt-get update && apt-get install -y \
nodejs \
npm \
bzip2 \
zip \
xz-utils && \
npm install [email protected] -g
ENV VAULT_TAG v1.4.3
RUN git clone https://github.com/hashicorp/vault.git . && \
git checkout "${VAULT_TAG}" && \
make bootstrap
# use go mod
ENV GO111MODULE on
# build ui to have efficient docker layer caching
RUN make ember-dist static-assets
# build vault
RUN make bin XC_OSARCH=linux/amd64
COPY patches /tmp/patches
RUN git config --global user.email "[email protected]" && git config --global user.name "Christian Simon"
# patch UI
RUN \
git am /tmp/patches/0003-Implement-google-oauth2-in-the-UI.patch && \
git am /tmp/patches/0004-Disable-UI-auth-backends-apart-from-token-and-google.patch
# build UI
RUN \
make ember-dist static-assets
RUN git checkout go.mod helper/builtinplugins/registry.go
# built in plugin into vault
RUN git am /tmp/patches/0001-Integrate-Google-G-Suite-credentials-plugin.patch
RUN git am /tmp/patches/0002-Integrate-GPG-logical-plugin.patch
# rebuilt vault
RUN \
sed -i "s/VersionPrerelease =.*/VersionPrerelease = \"simonswine1\"/g" sdk/version/version_base.go && \
make bin XC_OSARCH=linux/amd64
FROM alpine:3.11
# Create a vault user and group first so the IDs get set the same way,
# even as the rest of this may change over time.
RUN addgroup vault && \
adduser -S -G vault vault
# Install required packages
RUN apk add --no-cache ca-certificates libcap su-exec dumb-init
# Copy build over
COPY --from=build /go/src/github.com/hashicorp/vault/bin/vault /bin/vault
# /vault/logs is made available to use as a location to store audit logs, if
# desired; /vault/file is made available to use as a location with the file
# storage backend, if desired; the server will be started with /vault/config as
# the configuration directory so you can add additional config files in that
# location.
RUN mkdir -p /vault/logs && \
mkdir -p /vault/file && \
mkdir -p /vault/config && \
chown -R vault:vault /vault
# Expose the logs directory as a volume since there's potentially long-running
# state in there
VOLUME /vault/logs
# Expose the file directory as a volume since there's potentially long-running
# state in there
VOLUME /vault/file
# 8200/tcp is the primary interface that applications use to interact with
# Vault.
EXPOSE 8200
# The entry point script uses dumb-init as the top-level process to reap any
# zombie processes created by Vault sub-processes.
#
# For production derivatives of this container, you shoud add the IPC_LOCK
# capability so that Vault can mlock memory.
COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# By default you'll get a single-node development server that stores everything
# in RAM and bootstraps itself. Don't use this configuration for production.
CMD ["server", "-dev"]