opsforgeio/opsforge

View on GitHub
composer/vault.yaml

Summary

Maintainability
Test Coverage
  ## VAULT CONTAINER

  # SETUP AGENT
  vault_primer:
    restart: "no"
    image: opsforge/openssl
    volumes:
      - ./vault_certs:/certs
    entrypoint: /bin/bash
    command:
      - -c
      - |
        if [ ! -f /certs/vault.key ] ; then
          cat <<EOF> /certs/vault.req.conf
        [req]
        distinguished_name = req_distinguished_name
        x509_extensions = v3_req
        prompt = no
        [req_distinguished_name]
        C = GB
        ST = Scotland
        L = Edinburgh
        O = MyCompany
        OU = OPS
        CN = localhost
        [v3_req]
        keyUsage = keyEncipherment, dataEncipherment
        extendedKeyUsage = serverAuth
        subjectAltName = @alt_names
        [alt_names]
        DNS.1 = localhost
        EOF

          openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -keyout /certs/vault.key \
            -out /certs/vault.pem \
            -config /certs/vault.req.conf \
            -extensions 'v3_req'
        fi
  # SERVER
  vault:
    depends_on:
      - vault_primer
    cap_add:
      - IPC_LOCK
    image: vault
    ports:
      - 8443:8443
    command:
      - /bin/sh
      - -c
      - |
        while [ ! -f /certs/vault.key ] ; do
          echo "Waiting for sidecar to generate certs..."
          sleep 10
        done

        if [ ! -f /vault/file/unseal_key ] ; then
          until [ -f /vault/file/unseal_key ] ; do
            echo "unseal key not yet found..."
            docker-entrypoint.sh server -dev | grep -i 'unseal key:' > /vault/file/unseal_key &
            sleep 20
            sed -i 's/Unseal Key: //' /vault/file/unseal_key
          done
        else
          docker-entrypoint.sh server &
          pid=$$!
          sleep 10
          export VAULT_ADDR='https://localhost:8443'
          export VAULT_SKIP_VERIFY="true"
          vault operator unseal $$(cat /vault/file/unseal_key)

          trap "kill $$pid 2> /dev/null" EXIT
          while kill -0 $$pid 2> /dev/null; do
            sleep 5
          done
          trap - EXIT
        fi
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: 'ChangeThisVaultToken'
      VAULT_LOCAL_CONFIG: |
        listener "tcp" {
          address       = "0.0.0.0:8443"
          tls_cert_file = "/certs/vault.pem"
          tls_key_file  = "/certs/vault.key"
        }

        ui = true

        max_lease_ttl = "720h"
        default_lease_ttl = "168h"

        #storage "file" {
        #  path = "/vault/file"
        #}
        storage "consul" {
          address = "unix:///vault/file/consul.sock"
        }
    volumes:
      - ./vault_logs:/vault/logs
      - ./vault_data:/vault/file
      - ./vault_certs:/certs
    restart: unless-stopped
    networks:
      - consul
  ## CONSUL SIDEKICK
  consul_vault:
    restart: unless-stopped
    volumes:
      - ./vault_data:/socket_share
    command:
      - /bin/sh
      - -c
      - |
        cat <<EOF> /etc/consul.json
        {
          "addresses": {
             "http": "unix:///socket_share/consul.sock"
          },
          "unix_sockets": {
             "user": "1",
             "group": "1",
             "mode": "0777"
          },
          "services": [
            {
              "id": "vault_api_1",
              "name": "vault_ui_and_api",
              "tags": ["Secret Management"],
              "address": "https://localhost",
              "meta": {
                "meta": "Access the Vault UI and API"
              },
              "port": 8443,
              "checks": [
                {
                  "id": "vault_tcp_check_1",
                  "name": "vault tcp check",
                  "tcp": "vault:8443",
                  "interval": "10s",
                  "timeout": "3s"
                }
              ],
              "weights": {
                "passing": 1,
                "warning": 1
              }
            }
          ]
        }
        EOF
        consul_if=$$(getent hosts consul | cut -d ' ' -f 1 | cut -d '.' -f1-2 | cut -d ' ' -f3)
        consul_addr=$$(ip addr | grep $$consul_if | grep inet | sed 's/.*inet.//' | sed 's/\ brd.*//' | sed 's/\/.*//')
        consul agent -retry-join "consul" -bind=$$consul_addr -data-dir=/etc/consul/data -datacenter=opsforge -node=vault -config-file=/etc/consul.json
    image: consul
    networks:
      - consul