From b1b68876b26de304416cfdaa4168d2d526c8a4f3 Mon Sep 17 00:00:00 2001
From: Chris Blum
Date: Thu, 12 Aug 2021 14:09:43 +0200
Subject: [PATCH] Delete complicated docker-compose Vault setup
There is an easier way now
---
docker/docker-compose.yml | 20 ------
docker/down.sh | 4 --
docker/up.sh | 5 --
docker/vault/Dockerfile | 34 ----------
docker/vault/config.sh | 20 ------
docker/vault/config/vault-config.json | 14 -----
docker/vault/policies/admin.hcl | 87 --------------------------
docker/vault/unseal.sh | 31 ----------
docker/vault/vault.json | 17 ------
9 files changed, 232 deletions(-)
delete mode 100644 docker/docker-compose.yml
delete mode 100755 docker/down.sh
delete mode 100755 docker/up.sh
delete mode 100644 docker/vault/Dockerfile
delete mode 100755 docker/vault/config.sh
delete mode 100644 docker/vault/config/vault-config.json
delete mode 100644 docker/vault/policies/admin.hcl
delete mode 100755 docker/vault/unseal.sh
delete mode 100644 docker/vault/vault.json
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
deleted file mode 100644
index e2eb612..0000000
--- a/docker/docker-compose.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-version: '3.6'
-
-services:
-
- vault:
- build:
- context: ./vault
- dockerfile: Dockerfile
- ports:
- - 8200:8200
- volumes:
- - ./vault/config:/vault/config
- - ./vault/policies:/vault/policies
- - ./vault/data:/vault/data
- - ./vault/logs:/vault/logs
- environment:
- - VAULT_ADDR=http://127.0.0.1:8200
- command: server -config=/vault/config/vault-config.json
- cap_add:
- - IPC_LOCK
diff --git a/docker/down.sh b/docker/down.sh
deleted file mode 100755
index 8e535ba..0000000
--- a/docker/down.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-
-docker-compose down
-rm -fr ./vault/data ./vault/logs
diff --git a/docker/up.sh b/docker/up.sh
deleted file mode 100755
index b19e486..0000000
--- a/docker/up.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-docker-compose up -d --build
-docker-compose exec vault /vault/unseal.sh
-docker-compose exec vault /vault/config.sh
diff --git a/docker/vault/Dockerfile b/docker/vault/Dockerfile
deleted file mode 100644
index 3643bc9..0000000
--- a/docker/vault/Dockerfile
+++ /dev/null
@@ -1,34 +0,0 @@
-# base image
-FROM alpine:3.7
-
-# set vault version
-ENV VAULT_VERSION 1.4.2
-
-# create a new directory
-RUN mkdir /vault
-
-# download dependencies
-RUN apk --no-cache add \
- bash \
- ca-certificates \
- wget
-
-# download and set up vault
-RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
- unzip /tmp/vault.zip -d /vault && \
- rm -f /tmp/vault.zip && \
- chmod +x /vault
-
-# update PATH
-ENV PATH="PATH=$PATH:$PWD/vault"
-
-# add the config file
-COPY ./config/vault-config.json /vault/config/vault-config.json
-COPY ./unseal.sh /vault/unseal.sh
-COPY ./config.sh /vault/config.sh
-
-# expose port 8200
-EXPOSE 8200
-
-# run vault
-ENTRYPOINT ["vault"]
diff --git a/docker/vault/config.sh b/docker/vault/config.sh
deleted file mode 100755
index 842d622..0000000
--- a/docker/vault/config.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-USER='test'
-PASSWD='test'
-ORG='sa2rn'
-SITE='localhost'
-
-token=$(cat /vault/token)
-
-export $token
-
-echo "Creating policies"
-vault policy write admin /vault/policies/admin.hcl
-echo "Enable userpass"
-vault auth enable userpass
-echo "Creating username/pass"
-vault write auth/userpass/users/$USER password=$PASSWD policies=admin
-echo "Creating secrets"
-vault secrets enable -path=secret/ kv-v2
-echo "Put example values"
-vault kv put secret/vaultPass/$ORG/$SITE username=$USER password=$PASSWD
diff --git a/docker/vault/config/vault-config.json b/docker/vault/config/vault-config.json
deleted file mode 100644
index 069fa46..0000000
--- a/docker/vault/config/vault-config.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "backend": {
- "file": {
- "path": "vault/data"
- }
- },
- "listener": {
- "tcp":{
- "address": "0.0.0.0:8200",
- "tls_disable": 1
- }
- },
- "ui": true
-}
diff --git a/docker/vault/policies/admin.hcl b/docker/vault/policies/admin.hcl
deleted file mode 100644
index 79ab7cb..0000000
--- a/docker/vault/policies/admin.hcl
+++ /dev/null
@@ -1,87 +0,0 @@
-# Manage auth methods broadly across Vault
-path "secret/metadata/vaultPass" {
- capabilities = ["list", ]
-}
-
-path "secret/vaultPass/*" {
- capabilities = ["list", ]
-}
-
-
-path "auth/*"
-{
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "k*"
-{
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-path "Vault*"
-{
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-
-# Create, update, and delete auth methods
-path "sys/auth/*"
-{
- capabilities = ["create", "update", "delete", "sudo"]
-}
-
-# List auth methods
-path "sys/auth"
-{
- capabilities = ["read"]
-}
-
-# List existing policies
-path "sys/policies/acl"
-{
- capabilities = ["list"]
-}
-
-# Create and manage ACL policies
-path "sys/policies/acl/*"
-{
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# List, create, update, and delete key/value secrets
-path "secret/*"
-{
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-path "vaultPass/*"
-{
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-path "secret/vaultPass/*"
-{
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-path "secret/kv/*"
-{
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# Manage secrets engines
-path "sys/mounts/*"
-{
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-
-# List existing secrets engines.
-path "sys/mounts"
-{
- capabilities = ["read"]
-}
-
-# Read health checks
-path "sys/health"
-{
- capabilities = ["read", "sudo"]
-}
diff --git a/docker/vault/unseal.sh b/docker/vault/unseal.sh
deleted file mode 100755
index deffc58..0000000
--- a/docker/vault/unseal.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# init vault
-echo "INFO: init Vault"
-vault operator init | tee init.output >> /dev/null
-IFS=$'\r\n' GLOBIGNORE='*' command eval \
- "UNSEAL_KEYS=($(cat init.output | grep '^Unseal' | rev | cut -d ' ' -f 1 | rev))"
-
-# export root token
-export ROOT_TOKEN=$(cat init.output | grep '^Initial' | rev | cut -d ' ' -f 1 | rev)
-export VAULT_TOKEN=$ROOT_TOKEN
-
-# unseal vault
-# 0 - unsealed
-# 1 - error
-# 2 - sealed
-echo "INFO: unseal Vault"
-KEY_INDEX=0
-while [[ $(vault status > /dev/null)$? != 0 ]]; do
- sleep 1s
- vault operator unseal $(echo "${UNSEAL_KEYS[$KEY_INDEX]}") > /dev/null
- KEY_INDEX=$(( $KEY_INDEX + 1 ))
-done
-vault status
-
-echo "INFO: Vault has been unsealed"
-env | grep VAULT_TOKEN > /vault/token
-env | grep VAULT
-
-exit 0;
diff --git a/docker/vault/vault.json b/docker/vault/vault.json
deleted file mode 100644
index c265952..0000000
--- a/docker/vault/vault.json
+++ /dev/null
@@ -1,17 +0,0 @@
-
-{
- "listener": {
- "tcp": {
- "address": "0.0.0.0:8200",
- "tls_disable": "true"
- }
- },
- "backend": {
- "file": {
- "path": "/vault/file"
- }
- },
- "default_lease_ttl": "168h",
- "max_lease_ttl": "0h",
- "api_addr": "http://0.0.0.0:8200"
-}