From 773772a141a0327c6fd834426bd06c016382d666 Mon Sep 17 00:00:00 2001
From: GuptaNavdeep1983
Date: Mon, 21 Feb 2022 16:58:03 -0500
Subject: [PATCH 1/5] Update Dockerfile
---
 Dockerfile | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 34c60c4..1f854cd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,13 +3,26 @@ ENV VAULT_VERSION 1.8.4
 
 WORKDIR /vault
 
-RUN apk add --no-cache git openssh gcc musl-dev curl gnupg unzip
-
+RUN apk add --no-cache git openssh gcc musl-dev curl gnupg unzip go make bash
+# Configure Go
+ENV GOROOT /usr/lib/go
+ENV GOPATH /go
+ENV PATH /go/bin:$PATH
 # Download Vault and verify checksums (https://www.hashicorp.com/security.html)
 COPY resources/hashicorp.asc /tmp/
 ADD run.sh /vault
+RUN go install github.com/mitchellh/gox@latest && \
+    git clone https://github.com/hashicorp/vault-plugin-auth-cf.git && \
+    cd vault-plugin-auth-cf && \
+    make test && \
+    make dev && \
+    make tools
+
+RUN sha256sum /vault/vault-plugin-auth-cf/bin/vault-plugin-auth-cf > checksum
+
 # Fix exec permissions issue that come up due to the way source controls deal with executable files.
 RUN chmod a+x /vault/run.sh
+
 RUN gpg --import /tmp/hashicorp.asc
 RUN curl -Os https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
 RUN curl -Os https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS
@@ -27,7 +40,9 @@ RUN apk add --no-cache jq ca-certificates curl postgresql-client
 
 WORKDIR /app
 COPY --from=builder /vault/vault /app
+COPY --from=builder /vault/vault-plugin-auth-cf/bin/vault-plugin-auth-cf /app/plugins/
 COPY --from=builder /vault/run.sh /app
+COPY --from=builder /vault/checksum /app/checksum
 COPY resources/vault-schema.sql /app
 EXPOSE 8080
 CMD ["/app/run.sh"]
From 2f02b4c9dc208b3ac1d256f49f82a5fdd61f3b6d Mon Sep 17 00:00:00 2001
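Review bot: The plugin that is later registered with Vault by checksum is built from unpinned sources in the new RUN chain — `go install github.com/mitchellh/gox@latest` and a `git clone` of the default branch of vault-plugin-auth-cf — so every build can yield a different binary and a different /vault/checksum, and unlike the Vault release zip (whose SHA256SUMS and signing key this stage fetches just below) neither input is pinned or verified. Pin both, e.g. `git clone --depth 1 --branch <PLUGIN_TAG> https://github.com/hashicorp/vault-plugin-auth-cf.git && \` and `go install github.com/mitchellh/gox@<GOX_VERSION> && \`, or check out a specific commit after the clone. `make test` runs the plugin's full test suite inside the image build, which is slow and network-dependent; it is better run in CI than in the Dockerfile. Also note that `sha256sum` writes the builder-stage path next to the hash, so the checksum file is only usable for reading the digest, not for `sha256sum -c` against /app/plugins in the final image.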
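Review bot: The plugin binary copied into `/app/plugins/` keeps whatever mode and ownership it had after `make dev` in the builder stage, and nothing in this section sets the permissions of the new plugin directory explicitly. Vault validates plugin_directory permissions in newer releases (as far as I recall it rejects group- or world-writable plugin directories — worth confirming for 1.8.4), so an explicit mode is cheap insurance: `COPY --from=builder --chmod=0755 /vault/vault-plugin-auth-cf/bin/vault-plugin-auth-cf /app/plugins/`. No `USER` instruction is visible before `CMD` in this hunk, so Vault presumably runs as root; that is pre-existing, but the plugin directory is a new code-loading path and should at least not be writable by the runtime user.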
From: GuptaNavdeep1983
Date: Mon, 21 Feb 2022 16:58:26 -0500
Subject: [PATCH 2/5] Update run.sh
---
 run.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/run.sh b/run.sh
index 902f287..c5b07f0 100644
--- a/run.sh
+++ b/run.sh
@@ -12,6 +12,7 @@ listener "tcp" {
   address = "0.0.0.0:8080"
   tls_disable = 1
 }
+plugin_directory = "/app/plugins"
 
 EOF
 
@@ -79,7 +80,7 @@ echo "detected $SERVICE storage"
 
 if [ "x$VAULT_API_ADDR" == "x" ]; then
   echo "VAULT_API_ADDR is now required. Set it to the public route of your Vault deployment"
-  eixt 1
+  exit 1
 fi
 
 echo "#### Starting Vault..."
From b61f038ab47edf668c437cf40ab018402f3a28e6 Mon Sep 17 00:00:00 2001
From: GuptaNavdeep1983
Date: Mon, 21 Feb 2022 19:10:48 -0500
Subject: [PATCH 3/5] Update README.md
---
 README.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/README.md b/README.md
index ac63841..3483cbb 100644
--- a/README.md
+++ b/README.md
@@ -162,6 +162,25 @@ refresh_interval 768h0m0s
 value world
 ```
 
+## Enable CF Auth Method
+
+This vault instance allows to use CF as the auth provider which is completely token free authentication. For more information about CF as auth provider, please refer to the following plugin repository.
+https://github.com/hashicorp/vault-plugin-auth-cf
+
+
+
+Use the docker container to find the checksum of the plugin in file /app/checkum and use in the below command to register the plugin with vault
+```
+vault plugin register \
+    -sha256=plugin_checksum \
+    auth vault-plugin-auth-cf
+```
+Followed by this command to enable this auth method
+```
+vault auth enable vault-plugin-auth-cf
+```
+As mentioned under the readme of the plugin repo, https://github.com/hashicorp/vault-plugin-auth-cf#sample-usage, continue to configure the vault with the additional configuration for the plugin and setting up policies around it.
+
 ## Unseal when restarting
 
 Because Vault seals when it restarts, you need to unseal automatically in order to keep Vault available in CF environment.
From 79107faf3c88efe9a34bd6beffb0d0d5c807daeb Mon Sep 17 00:00:00 2001
From: GuptaNavdeep1983
Date: Tue, 22 Feb 2022 09:44:28 -0500
Subject: [PATCH 4/5] Update Dockerfile
---
 Dockerfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 1f854cd..10abbc1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,6 +11,8 @@ ENV PATH /go/bin:$PATH
 # Download Vault and verify checksums (https://www.hashicorp.com/security.html)
 COPY resources/hashicorp.asc /tmp/
 ADD run.sh /vault
+
+# Build vault-auth-cf-plugin
 RUN go install github.com/mitchellh/gox@latest && \
     git clone https://github.com/hashicorp/vault-plugin-auth-cf.git && \
     cd vault-plugin-auth-cf && \
@@ -18,6 +20,7 @@ RUN go install github.com/mitchellh/gox@latest && \
     make dev && \
     make tools
 
+# Keep the checksum in a file to be used for plugin registration
 RUN sha256sum /vault/vault-plugin-auth-cf/bin/vault-plugin-auth-cf > checksum
 
 # Fix exec permissions issue that come up due to the way source controls deal with executable files.
From e209c34eec8be871fa6ba1628a4444d1a2e0c383 Mon Sep 17 00:00:00 2001
From: GuptaNavdeep1983
Date: Tue, 22 Feb 2022 12:13:12 -0500
Subject: [PATCH 5/5] Update Dockerfile
---
 Dockerfile | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 10abbc1..0a3bb0b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,11 @@
-FROM alpine:latest AS builder
+FROM golang:1.17.7 AS builder
 ENV VAULT_VERSION 1.8.4
 
 WORKDIR /vault
 
-RUN apk add --no-cache git openssh gcc musl-dev curl gnupg unzip go make bash
-# Configure Go
-ENV GOROOT /usr/lib/go
-ENV GOPATH /go
-ENV PATH /go/bin:$PATH
+RUN apt update && \
+    apt install -y git openssh-server gcc musl-dev curl gnupg unzip
+
 # Download Vault and verify checksums (https://www.hashicorp.com/security.html)
 COPY resources/hashicorp.asc /tmp/
 ADD run.sh /vault
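Review bot: The new apt line in the builder stage installs `openssh-server` — a daemon, not needed for an https `git clone`; the alpine `openssh` package it replaces was presumably wanted for the client, if at all — plus `musl-dev`, which on a Debian-based golang image is not the libc the toolchain links against, and it leaves `/var/lib/apt/lists` in the layer. Prefer the non-interactive form with recommends suppressed and the lists removed in the same layer: `RUN apt-get update && \` / `    apt-get install -y --no-install-recommends git gcc curl gnupg unzip && \` / `    rm -rf /var/lib/apt/lists/*`. Separately, the builder moves from alpine to golang:1.17.7 (glibc) while the final stage appears to remain alpine-based (its `apk add` line is untouched), so the plugin produced by `make dev` must be statically linked to run there; confirm the plugin's Makefile sets `CGO_ENABLED=0`, or set it explicitly in the build RUN.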