Merge pull request #8 from GuptaNavdeep1983/master

Feat: Added the auth-cf-plugin in the setup.
philips-software · Feb 22, 2022 · 5d1f1d7 · 5d1f1d7
2 parents 03f352a + e209c34
commit 5d1f1d7
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,15 +1,29 @@
-FROM alpine:latest AS builder
+FROM golang:1.17.7 AS builder
 ENV VAULT_VERSION 1.8.4
 
 
 WORKDIR /vault
-RUN apk add --no-cache git openssh gcc musl-dev curl gnupg unzip
+RUN apt update && \
+    apt install -y git openssh-server gcc musl-dev curl gnupg unzip
 
 # Download Vault and verify checksums (https://www.hashicorp.com/security.html)
 COPY resources/hashicorp.asc /tmp/
 ADD run.sh /vault
+
+# Build vault-auth-cf-plugin
+RUN go install github.com/mitchellh/gox@latest && \
+    git clone https://github.com/hashicorp/vault-plugin-auth-cf.git && \
+    cd vault-plugin-auth-cf && \
+    make test && \
+    make dev && \
+    make tools
+
+# Keep the checksum in a file to be used for plugin registration
+RUN sha256sum /vault/vault-plugin-auth-cf/bin/vault-plugin-auth-cf > checksum
+
 # Fix exec permissions issue that come up due to the way source controls deal with executable files.
 RUN chmod a+x /vault/run.sh
+
 RUN gpg --import /tmp/hashicorp.asc
 RUN curl -Os https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip 
 RUN curl -Os https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS 
@@ -27,7 +41,9 @@ RUN apk add --no-cache jq ca-certificates curl postgresql-client
 
 WORKDIR /app
 COPY --from=builder /vault/vault /app
+COPY --from=builder /vault/vault-plugin-auth-cf/bin/vault-plugin-auth-cf /app/plugins/
 COPY --from=builder /vault/run.sh /app
+COPY --from=builder /vault/checksum /app/checksum
 COPY resources/vault-schema.sql /app
 EXPOSE 8080
 CMD ["/app/run.sh"]
diff --git a/README.md b/README.md
@@ -162,6 +162,25 @@ refresh_interval	768h0m0s
 value           	world
 ```
 
+## Enable CF Auth Method
+
+This vault instance allows to use CF as the auth provider which is completely token free authentication. For more information about CF as auth provider, please refer to the following plugin repository. 
+https://github.com/hashicorp/vault-plugin-auth-cf
+
+
+
+Use the docker container to find the checksum of the plugin in file /app/checkum and use in the below command to register the plugin with vault
+```
+vault plugin register \
+    -sha256=plugin_checksum \
+    auth vault-plugin-auth-cf
+```
+Followed by this command to enable this auth method
+```
+vault auth enable vault-plugin-auth-cf
+```
+As mentioned under the readme of the plugin repo, https://github.com/hashicorp/vault-plugin-auth-cf#sample-usage, continue to configure the vault with the additional configuration for the plugin and setting up policies around it. 
+
 ## Unseal when restarting
 
 Because Vault seals when it restarts, you need to unseal automatically in order to keep Vault available in CF environment.

diff --git a/run.sh b/run.sh
@@ -12,6 +12,7 @@ listener "tcp" {
  address = "0.0.0.0:8080"
  tls_disable = 1
 }
+plugin_directory = "/app/plugins"
 
 EOF
 
@@ -79,7 +80,7 @@ echo "detected $SERVICE storage"
 
 if [ "x$VAULT_API_ADDR" == "x" ]; then
    echo "VAULT_API_ADDR is now required. Set it to the public route of your Vault deployment"
-   eixt 1
+   exit 1
 fi
 
 echo "#### Starting Vault..."