diff --git a/.gitlab/issue_templates/Access Request.md b/.gitlab/issue_templates/Access Request.md
index b9fd83b3b8ee6fd3a945970513d173b48bc3621b..d62d3fbb0f2714099be57f7db590619cef3bcb2c 100644
--- a/.gitlab/issue_templates/Access Request.md
+++ b/.gitlab/issue_templates/Access Request.md
@@ -2,18 +2,22 @@
The following individuals are requesting access to this project (one per line):
(Tag all individuals here)
+
- Tag here
The access level should be:
- [ ] Developer access
- [ ] Remove access
+Does the member need access to the VAT? (https://vat.dso.mil/vat)
+- [ ] Yes
+- [ ] No
-## Definition of Done
-- [ ] All accounts have been provided the necessary accesses
-
-
-
+## Iron Bank Tasks
+- [ ] All accounts have been provided the necessary accesses to the projects
+- [ ] All accounts have been provided the necessary accesses to the VAT (optional)
-/label ~"Access Request" ~"To Do" ~"Owner::Ironbank"
+/label ~"Access Request::Repo" ~"CSO::To Do" ~"Owner::Ironbank"
+/cc @ironbank-notifications/onboarding
+/assign @ironbank-notifications/onboarding
\ No newline at end of file
diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md
index 4a0aa7010f2881fdc4c87fae7f1f609d95abac75..0c90d41fdd197f6717dbb3a18f926c8e4f701345 100644
--- a/.gitlab/issue_templates/Application - Initial.md
+++ b/.gitlab/issue_templates/Application - Initial.md
@@ -9,7 +9,7 @@ Contributor:
- [ ] Ensure container builds successfully in the Iron Bank pipeline
- [ ] Provide justifications for findings in the [VAT](https://vat.dso.mil) ([docs](https://repo1.dso.mil/dsop/dccscr/-/blob/master/pre-approval/vat.md))
- [ ] Open a Merge Request from your branch to `development`
-- [ ] Apply the ~"Approval" label to this issue and wait for feedback
+- [ ] Apply the ~"Hardening::Review" label to this issue and wait for feedback
Iron Bank:
- [ ] Merge contributor branch to `development`
@@ -17,7 +17,7 @@ Iron Bank:
- [ ] Send approval request to Authorizing Official
- [ ] Merge `development` to `master` and close issue after approval from Authorizing Official
-> Note: If the above approval process is rejected for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you **must** re-add the `Approval` label.
+> Note: If the above approval process is rejected for any reason, the `Hardening::Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you **must** re-add the `Hardening::Approval` label.
## Questions?
@@ -26,9 +26,5 @@ Contact the Iron Bank team by commenting on this issue with your questions or co
Additionally, Iron Bank hosts an [AMA](https://www.zoomgov.com/meeting/register/vJIsf-ytpz8qHSN_JW8Hl9Qf0AZZXSCSmfo) working session every Wednesday from 1630-1730EST to answer questions.
-
-
-
-
-
/label ~"Container::Initial"
+
diff --git a/.gitlab/issue_templates/Application - Update.md b/.gitlab/issue_templates/Application - Update.md
index a411b821c00db1fae65eec86a9cea0a25846d5f0..69d6d95bcc3618de05a630c3e5154119d2cfbda9 100644
--- a/.gitlab/issue_templates/Application - Update.md
+++ b/.gitlab/issue_templates/Application - Update.md
@@ -11,7 +11,7 @@ Contributor:
- [ ] Ensure container builds successfully in the Iron Bank pipeline
- [ ] Provide justifications for findings in the [VAT](https://vat.dso.mil) ([docs](https://repo1.dso.mil/dsop/dccscr/-/blob/master/pre-approval/vat.md))
- [ ] Open a Merge Request from your branch to `development`
-- [ ] Apply the ~"Approval" label to this issue and wait for feedback
+- [ ] Apply the ~"Hardening::Review" label to this issue and wait for feedback
Iron Bank:
- [ ] Merge contributor branch to `development`
@@ -19,7 +19,7 @@ Iron Bank:
- [ ] Send approval request to Authorizing Official
- [ ] Merge `development` to `master` and close issue after approval from Authorizing Official
-> Note: If the above approval process is rejected for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you **must** re-add the `Approval` label.
+> Note: If the above approval process is rejected for any reason, the `Hardening::Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you **must** re-add the `Hardening::Approval` label.
## Questions?
@@ -28,9 +28,4 @@ Contact the Iron Bank team by commenting on this issue with your questions or co
Additionally, Iron Bank hosts an [AMA](https://www.zoomgov.com/meeting/register/vJIsf-ytpz8qHSN_JW8Hl9Qf0AZZXSCSmfo) working session every Wednesday from 1630-1730EST to answer questions.
-
-
-
-
-
/label ~"Container::Update"
diff --git a/.gitlab/issue_templates/Onboarding Question.md b/.gitlab/issue_templates/Onboarding Question.md
index ae8011ecfe1e0b95ed4c5658c122d47e21b89b1a..8dd13f15b51409d1dff2dff385a88e5e57d3031e 100644
--- a/.gitlab/issue_templates/Onboarding Question.md
+++ b/.gitlab/issue_templates/Onboarding Question.md
@@ -8,5 +8,6 @@
-/label ~"Question::Onboarding" ~"To Do"
-/cc @ironbank-notifications/onboarding
\ No newline at end of file
+/label ~"Question::Onboarding" ~"CSO::To Do"
+/cc @ironbank-notifications/onboarding
+/assign @ironbank-notifications/onboarding
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..360eb3c1b8bf73666326f5413444f8ad545ac15a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,33 @@
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
+ARG BASE_TAG=8.6
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+COPY vault.zip /tmp
+COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+RUN dnf update -y && \
+ dnf install -y unzip && \
+ dnf clean all && \
+ unzip -d /bin /tmp/vault.zip && \
+ chmod +x /bin/vault && \
+ chmod 755 /usr/local/bin/docker-entrypoint.sh && \
+ rm /tmp/vault.zip && \
+ groupadd -g 1001 vault && \
+ useradd -r -u 1001 -m -s /sbin/nologin -g vault vault && \
+ mkdir -p /vault/logs && \
+ mkdir -p /vault/file && \
+ mkdir -p /vault/config && \
+ chown -R vault:vault /vault
+
+EXPOSE 8200
+USER vault
+
+HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 \
+ CMD curl -f http://localhost:8200/v1/sys/health?standbyok=true || exit 1
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["vault"]
+
+
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..e3797c2df48397547ac059b948460716ec6f589a
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1 @@
+This HashiCorp enterprise software is for use only by customers who have a valid and active license agreement with HashiCorp or an authorized HashiCorp reseller. If you do not have a valid license to use this software, you may not download or otherwise use it. All use of this software is subject to the terms and conditions of your license agreement, and all other rights are expressly reserved.
diff --git a/README.md b/README.md
index 5dc6fa6db4361c22da2f35edf0544d83ba6001e2..81363f22c789c44a273caffcb51337ed8deaa2d3 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,16 @@
-# <application name>
+# vault-enterprise FIPS
-Project template for all Iron Bank container repositories.
\ No newline at end of file
+Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
+
+https://www.hashicorp.com/blog/hashicorp-vault-1-10-achieves-fips-140-2-compliance
+
+### Vault Documentation
+
+- [Vault Official Site](https://www.vaultproject.io/)
+- [Hashicorp's Vault Courses](https://learn.hashicorp.com/vault)
+
+#### Installation
+
+- Installation - <https://www.vaultproject.io/docs/install/index.html>
+- Commands - <https://www.vaultproject.io/docs/commands/index.html>
+- Configuration - <https://www.vaultproject.io/docs/configuration/index.html>
\ No newline at end of file
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4dc9f20f3fc81ba3fad7c20c7c67f601b85563a9
--- /dev/null
+++ b/hardening_manifest.yaml
@@ -0,0 +1,54 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "hashicorp/vault-enterprise-fips"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dso.mil
+tags:
+ - "1.10.5"
+ - "1.10"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: "redhat/ubi/ubi8"
+ BASE_TAG: "8.6"
+
+# Docker image labels
+labels:
+ # Name of the image
+ org.opencontainers.image.title: "vault-enterprise"
+ # Human-readable description of the software packaged in the image
+ org.opencontainers.image.description: "Vault Enterprise"
+ # License(s) under which contained software is distributed
+ org.opencontainers.image.licenses: "MPL-2.0"
+ # URL to find more information on the image
+ org.opencontainers.image.url: "https://www.vaultproject.io/"
+ # Name of the distributing entity, organization or individual
+ org.opencontainers.image.vendor: "HashiCorp"
+ # Authoritative version of the software
+ org.opencontainers.image.version: "1.10.5+ent.fips1402"
+ # Keywords to help with search (ex. "cicd,gitops,golang")
+ mil.dso.ironbank.image.keywords: "vault,secrets,golang,kubernetes"
+ # This value can be "opensource" or "commercial"
+ mil.dso.ironbank.image.type: "commercial"
+ # Product the image belongs to for grouping multiple images
+ mil.dso.ironbank.product.name: "vault"
+
+# List of resources to make available to the offline build context
+resources:
+ - url: "https://releases.hashicorp.com/vault/1.10.5+ent.fips1402/vault_1.10.5+ent.fips1402_linux_amd64.zip"
+ filename: "vault.zip" # [required field] desired staging name for the build context
+ validation:
+ type: "sha256" # supported: sha256, sha512
+ value: "b81532ee93c4d5818236052292965f4a06214e53e7a61b89380e03befb5d320b" # must be lowercase
+
+# List of project maintainers
+maintainers:
+ - email: "ironbank-notifications@hashicorp.com"
+ # The name of the current container owner
+ name: "Engineering Services"
+ # The gitlab username of the current container owner
+ username: "hc-engserv"
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000000000000000000000000000000000000..9ba62052bfccc5c10f09fa5f411fd558a6b148d3
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,41 @@
+{
+ "assignees": [
+ "@sean.melissari"
+ ],
+ "baseBranches": [
+ "development"
+ ],
+ "regexManagers": [
+ {
+ "fileMatch": [
+ "^Dockerfile$"
+ ],
+ "matchStrings": [
+ "version=\"(?<currentValue>.*?)\""
+ ],
+ "depNameTemplate": "vault-enterprise",
+ "datasourceTemplate": "docker"
+ },
+ {
+ "fileMatch": [
+ "^hardening_manifest.yaml$"
+ ],
+ "matchStrings": [
+ "org\\.opencontainers\\.image\\.version:\\s+(\\s|\"|')?(?<currentValue>.+?)(\\s|\"|'|$)"
+ ],
+ "depNameTemplate": "vault-enterprise",
+ "datasourceTemplate": "docker"
+ },
+ {
+ "fileMatch": [
+ "^hardening_manifest.yaml$"
+ ],
+ "matchStrings": [
+ "tags:\\s+-(\\s|\"|')+(?<currentValue>.+?)(\\s|\"|'|$)+"
+ ],
+ "depNameTemplate": "vault-enterprise",
+ "datasourceTemplate": "docker"
+ }
+ ]
+ }
+
\ No newline at end of file
diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..c3b8104ea87731fbc575a174884f7ce1fc2fde4a
--- /dev/null
+++ b/scripts/docker-entrypoint.sh
@@ -0,0 +1,106 @@
+#!/bin/bash
+set -e
+
+# Note above that we run dumb-init as PID 1 in order to reap zombie processes
+# as well as forward signals to all processes in its session. Normally, sh
+# wouldn't do either of these functions so we'd leak zombies as well as do
+# unclean termination of all our sub-processes.
+
+# Prevent core dumps
+ulimit -c 0
+
+# Allow setting VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR using an interface
+# name instead of an IP address. The interface name is specified using
+# VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If
+# VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port
+# number with the IP of the named interface.
+export VAULT_ADDR=http://127.0.0.1:8200
+
+get_addr () {
+ local if_name=$1
+ local uri_template=$2
+ ip addr show dev $if_name | awk -v uri=$uri_template '/\s*inet\s/ { \
+ ip=gensub(/(.+)\/.+/, "\\1", "g", $2); \
+ print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri); \
+ exit}'
+}
+
+if [ -n "$VAULT_REDIRECT_INTERFACE" ]; then
+ export VAULT_REDIRECT_ADDR=$(get_addr $VAULT_REDIRECT_INTERFACE ${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"})
+ echo "Using $VAULT_REDIRECT_INTERFACE for VAULT_REDIRECT_ADDR: $VAULT_REDIRECT_ADDR"
+fi
+if [ -n "$VAULT_CLUSTER_INTERFACE" ]; then
+ export VAULT_CLUSTER_ADDR=$(get_addr $VAULT_CLUSTER_INTERFACE ${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"})
+ echo "Using $VAULT_CLUSTER_INTERFACE for VAULT_CLUSTER_ADDR: $VAULT_CLUSTER_ADDR"
+fi
+
+# VAULT_CONFIG_DIR isn't exposed as a volume but you can compose additional
+# config files in there if you use this image as a base, or use
+# VAULT_LOCAL_CONFIG below.
+VAULT_CONFIG_DIR=/vault/config
+
+# You can also set the VAULT_LOCAL_CONFIG environment variable to pass some
+# Vault configuration JSON without having to bind any volumes.
+if [ -n "$VAULT_LOCAL_CONFIG" ]; then
+ echo "$VAULT_LOCAL_CONFIG" > "$VAULT_CONFIG_DIR/local.json"
+fi
+
+# If the user is trying to run Vault directly with some arguments, then
+# pass them to Vault.
+if [ "${1:0:1}" = '-' ]; then
+ set -- vault "$@"
+fi
+
+# Look for Vault subcommands.
+if [ "$1" = 'server' ]; then
+ shift
+ set -- vault server \
+ -config="$VAULT_CONFIG_DIR" \
+ -dev-root-token-id="$VAULT_DEV_ROOT_TOKEN_ID" \
+ -dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \
+ "$@"
+elif [ "$1" = 'version' ]; then
+ # This needs a special case because there's no help output.
+ set -- vault "$@"
+elif vault --help "$1" 2>&1 | grep -q "vault $1"; then
+ # We can't use the return code to check for the existence of a subcommand, so
+ # we have to use grep to look for a pattern in the help output.
+ set -- vault "$@"
+fi
+
+# If we are running Vault, make sure it executes as the proper user.
+if [ "$1" = 'vault' ]; then
+ if [ -z "$SKIP_CHOWN" ]; then
+ # If the config dir is bind mounted then chown it
+ if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then
+ chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)"
+ fi
+
+ # If the logs dir is bind mounted then chown it
+ if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then
+ chown -R vault:vault /vault/logs
+ fi
+
+ # If the file dir is bind mounted then chown it
+ if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
+ chown -R vault:vault /vault/file
+ fi
+ fi
+
+ # if [ -z "$SKIP_SETCAP" ]; then
+ # # Allow mlock to avoid swapping Vault memory to disk
+ # setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
+
+ # # In the case vault has been started in a container without IPC_LOCK privileges
+ # if ! vault -version 1>/dev/null 2>/dev/null; then
+ # >&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK"
+ # setcap cap_ipc_lock=-ep $(readlink -f $(which vault))
+ # fi
+ # fi
+
+ # if [ "$(id -u)" = '0' ]; then
+ # set -- su-exec vault "$@"
+ # fi
+fi
+
+exec "$@"
\ No newline at end of file