vault-enterprise-fips 1.10.5 initial commit

Dockerfile

+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
+ARG BASE_TAG=8.6
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+COPY vault.zip /tmp
+COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+RUN dnf update -y && \
+  dnf install -y unzip && \
+  dnf clean all && \
+  unzip -d /bin /tmp/vault.zip && \
+  chmod +x /bin/vault && \
+  chmod 755 /usr/local/bin/docker-entrypoint.sh && \
+  rm /tmp/vault.zip && \
+  groupadd -g 1001 vault && \
+  useradd -r -u 1001 -m -s /sbin/nologin -g vault vault && \
+  mkdir -p /vault/logs && \
+  mkdir -p /vault/file && \
+  mkdir -p /vault/config && \
+  chown -R vault:vault /vault
+
+EXPOSE 8200
+USER vault
+
+HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 \
+  CMD curl -f http://localhost:8200/v1/sys/health?standbyok=true || exit 1
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["vault"]
+
+

LICENSE

+This HashiCorp enterprise software is for use only by customers who have a valid and active license agreement with HashiCorp or an authorized HashiCorp reseller. If you do not have a valid license to use this software, you may not download or otherwise use it. All use of this software is subject to the terms and conditions of your license agreement, and all other rights are expressly reserved.

README.md

-# <application name>
+# vault-enterprise FIPS
 
-Project template for all Iron Bank container repositories.
+Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
\ No newline at end of file
+
+https://www.hashicorp.com/blog/hashicorp-vault-1-10-achieves-fips-140-2-compliance
+
+### Vault Documentation
+
+- [Vault Official Site](https://www.vaultproject.io/)
+- [Hashicorp's Vault Courses](https://learn.hashicorp.com/vault)
+
+#### Installation
+
+- Installation - <https://www.vaultproject.io/docs/install/index.html>
+- Commands - <https://www.vaultproject.io/docs/commands/index.html>
+- Configuration - <https://www.vaultproject.io/docs/configuration/index.html>
\ No newline at end of file

hardening_manifest.yaml

+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "hashicorp/vault-enterprise-fips"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dso.mil
+tags:
+  - "1.10.5"
+  - "1.10"
+
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/ubi/ubi8"
+  BASE_TAG: "8.6"
+
+# Docker image labels
+labels:
+  # Name of the image
+  org.opencontainers.image.title: "vault-enterprise"
+  # Human-readable description of the software packaged in the image
+  org.opencontainers.image.description: "Vault Enterprise"
+  # License(s) under which contained software is distributed
+  org.opencontainers.image.licenses: "MPL-2.0"
+  # URL to find more information on the image
+  org.opencontainers.image.url: "https://www.vaultproject.io/"
+  # Name of the distributing entity, organization or individual
+  org.opencontainers.image.vendor: "HashiCorp"
+  # Authoritative version of the software
+  org.opencontainers.image.version: "1.10.5+ent.fips1402"
+  # Keywords to help with search (ex. "cicd,gitops,golang")
+  mil.dso.ironbank.image.keywords: "vault,secrets,golang,kubernetes"
+  # This value can be "opensource" or "commercial"
+  mil.dso.ironbank.image.type: "commercial"
+  # Product the image belongs to for grouping multiple images
+  mil.dso.ironbank.product.name: "vault"
+
+# List of resources to make available to the offline build context
+resources:
+  - url: "https://releases.hashicorp.com/vault/1.10.5+ent.fips1402/vault_1.10.5+ent.fip1402_linux_amd64.zip"
+    filename: "vault.zip" # [required field] desired staging name for the build context
+    validation:
+      type: "sha256" # supported: sha256, sha512
+      value: "b81532ee93c4d5818236052292965f4a06214e53e7a61b89380e03befb5d320b" # must be lowercase
+
+# List of project maintainers
+maintainers:
+  - email: "ironbank-notifications@hashicorp.com"
+    # The name of the current container owner
+    name: "Engineering Services"
+    # The gitlab username of the current container owner
+    username: "hc-engserv"

renovate.json

+{
+    "assignees": [
+      "@sean.melissari"
+    ],
+    "baseBranches": [
+      "development"
+    ],
+    "regexManagers": [
+      {
+        "fileMatch": [
+          "^Dockerfile$"
+        ],
+        "matchStrings": [
+          "version=\"(?<currentValue>.*?)\""
+        ],
+        "depNameTemplate": "vault-enterprise",
+        "datasourceTemplate": "docker"
+      },
+      {
+        "fileMatch": [
+          "^hardening_manifest.yaml$"
+        ],
+        "matchStrings": [
+          "org\\.opencontainers\\.image\\.version:\\s+(\\s|\"|')?(?<currentValue>.+?)(\\s|\"|'|$)"
+        ],
+        "depNameTemplate": "vault-enterprise",
+        "datasourceTemplate": "docker"
+      },
+      {
+        "fileMatch": [
+          "^hardening_manifest.yaml$"
+        ],
+        "matchStrings": [
+          "tags:\\s+-(\\s|\"|')+(?<currentValue>.+?)(\\s|\"|'|$)+"
+        ],
+        "depNameTemplate": "vault-enterprise",
+        "datasourceTemplate": "docker"
+      }
+    ]
+  }
+  
\ No newline at end of file

scripts/docker-entrypoint.sh

+#!/bin/bash
+set -e
+
+# Note above that we run dumb-init as PID 1 in order to reap zombie processes
+# as well as forward signals to all processes in its session. Normally, sh
+# wouldn't do either of these functions so we'd leak zombies as well as do
+# unclean termination of all our sub-processes.
+
+# Prevent core dumps
+ulimit -c 0
+
+# Allow setting VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR using an interface
+# name instead of an IP address. The interface name is specified using
+# VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If
+# VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port
+# number with the IP of the named interface.
+export VAULT_ADDR=http://127.0.0.1:8200
+
+get_addr () {
+    local if_name=$1
+    local uri_template=$2
+    ip addr show dev $if_name | awk -v uri=$uri_template '/\s*inet\s/ { \
+      ip=gensub(/(.+)\/.+/, "\\1", "g", $2); \
+      print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri); \
+      exit}'
+}
+
+if [ -n "$VAULT_REDIRECT_INTERFACE" ]; then
+    export VAULT_REDIRECT_ADDR=$(get_addr $VAULT_REDIRECT_INTERFACE ${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"})
+    echo "Using $VAULT_REDIRECT_INTERFACE for VAULT_REDIRECT_ADDR: $VAULT_REDIRECT_ADDR"
+fi
+if [ -n "$VAULT_CLUSTER_INTERFACE" ]; then
+    export VAULT_CLUSTER_ADDR=$(get_addr $VAULT_CLUSTER_INTERFACE ${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"})
+    echo "Using $VAULT_CLUSTER_INTERFACE for VAULT_CLUSTER_ADDR: $VAULT_CLUSTER_ADDR"
+fi
+
+# VAULT_CONFIG_DIR isn't exposed as a volume but you can compose additional
+# config files in there if you use this image as a base, or use
+# VAULT_LOCAL_CONFIG below.
+VAULT_CONFIG_DIR=/vault/config
+
+# You can also set the VAULT_LOCAL_CONFIG environment variable to pass some
+# Vault configuration JSON without having to bind any volumes.
+if [ -n "$VAULT_LOCAL_CONFIG" ]; then
+    echo "$VAULT_LOCAL_CONFIG" > "$VAULT_CONFIG_DIR/local.json"
+fi
+
+# If the user is trying to run Vault directly with some arguments, then
+# pass them to Vault.
+if [ "${1:0:1}" = '-' ]; then
+    set -- vault "$@"
+fi
+
+# Look for Vault subcommands.
+if [ "$1" = 'server' ]; then
+    shift
+    set -- vault server \
+        -config="$VAULT_CONFIG_DIR" \
+        -dev-root-token-id="$VAULT_DEV_ROOT_TOKEN_ID" \
+        -dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \
+        "$@"
+elif [ "$1" = 'version' ]; then
+    # This needs a special case because there's no help output.
+    set -- vault "$@"
+elif vault --help "$1" 2>&1 | grep -q "vault $1"; then
+    # We can't use the return code to check for the existence of a subcommand, so
+    # we have to use grep to look for a pattern in the help output.
+    set -- vault "$@"
+fi
+
+# If we are running Vault, make sure it executes as the proper user.
+if [ "$1" = 'vault' ]; then
+    if [ -z "$SKIP_CHOWN" ]; then
+        # If the config dir is bind mounted then chown it
+        if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then
+            chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)"
+        fi
+
+        # If the logs dir is bind mounted then chown it
+        if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then
+            chown -R vault:vault /vault/logs
+        fi
+
+        # If the file dir is bind mounted then chown it
+        if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
+            chown -R vault:vault /vault/file
+        fi
+    fi
+
+    # if [ -z "$SKIP_SETCAP" ]; then
+    #     # Allow mlock to avoid swapping Vault memory to disk
+    #     setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
+
+    #     # In the case vault has been started in a container without IPC_LOCK privileges
+    #     if ! vault -version 1>/dev/null 2>/dev/null; then
+    #         >&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK"
+    #         setcap cap_ipc_lock=-ep $(readlink -f $(which vault))
+    #     fi
+    # fi
+
+    # if [ "$(id -u)" = '0' ]; then
+    #   set -- su-exec vault "$@"
+    # fi
+fi
+
+exec "$@"
\ No newline at end of file