# Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 ## DOCKERHUB DOCKERFILE ## FROM alpine:3.18 as default ARG BIN_NAME # NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com # and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3. ARG NAME=vault ARG PRODUCT_VERSION ARG PRODUCT_REVISION # TARGETARCH and TARGETOS are set automatically when --platform is provided. ARG TARGETOS TARGETARCH # Additional metadata labels used by container registries, platforms # and certification scanners. LABEL name="Vault" \ maintainer="Vault Team " \ vendor="HashiCorp" \ version=${PRODUCT_VERSION} \ release=${PRODUCT_REVISION} \ revision=${PRODUCT_REVISION} \ summary="Vault is a tool for securely accessing secrets." \ description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log." COPY LICENSE /licenses/mozilla.txt # Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD ENV NAME=$NAME ENV VERSION=$VERSION # Create a non-root user to run the software. RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME} RUN apk add --no-cache libcap su-exec dumb-init tzdata COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/ # /vault/logs is made available to use as a location to store audit logs, if # desired; /vault/file is made available to use as a location with the file # storage backend, if desired; the server will be started with /vault/config as # the configuration directory so you can add additional config files in that # location. RUN mkdir -p /vault/logs && \ mkdir -p /vault/file && \ mkdir -p /vault/config && \ chown -R ${NAME}:${NAME} /vault # Expose the logs directory as a volume since there's potentially long-running # state in there VOLUME /vault/logs # Expose the file directory as a volume since there's potentially long-running # state in there VOLUME /vault/file # 8200/tcp is the primary interface that applications use to interact with # Vault. EXPOSE 8200 # The entry point script uses dumb-init as the top-level process to reap any # zombie processes created by Vault sub-processes. # # For production derivatives of this container, you shoud add the IPC_LOCK # capability so that Vault can mlock memory. COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh ENTRYPOINT ["docker-entrypoint.sh"] # # By default you'll get a single-node development server that stores everything # # in RAM and bootstraps itself. Don't use this configuration for production. CMD ["server", "-dev"] ## UBI DOCKERFILE ## FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as ubi ARG BIN_NAME # PRODUCT_VERSION is the version built dist/$TARGETOS/$TARGETARCH/$BIN_NAME, # which we COPY in later. Example: PRODUCT_VERSION=1.2.3. ARG PRODUCT_VERSION ARG PRODUCT_REVISION # TARGETARCH and TARGETOS are set automatically when --platform is provided. ARG TARGETOS TARGETARCH # Additional metadata labels used by container registries, platforms # and certification scanners. LABEL name="Vault" \ maintainer="Vault Team " \ vendor="HashiCorp" \ version=${PRODUCT_VERSION} \ release=${PRODUCT_REVISION} \ revision=${PRODUCT_REVISION} \ summary="Vault is a tool for securely accessing secrets." \ description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log." COPY LICENSE /licenses/mozilla.txt # Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD ENV NAME=$NAME ENV VERSION=$VERSION # Set up certificates, our base tools, and Vault. Unlike the other version of # this (https://github.com/hashicorp/docker-vault/blob/master/ubi/Dockerfile), # we copy in the Vault binary from CRT. RUN set -eux; \ microdnf install -y ca-certificates gnupg openssl libcap tzdata procps shadow-utils util-linux # Create a non-root user to run the software. RUN groupadd --gid 1000 vault && \ adduser --uid 100 --system -g vault vault && \ usermod -a -G root vault # Copy in the new Vault from CRT pipeline, rather than fetching it from our # public releases. COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/ # /vault/logs is made available to use as a location to store audit logs, if # desired; /vault/file is made available to use as a location with the file # storage backend, if desired; the server will be started with /vault/config as # the configuration directory so you can add additional config files in that # location. ENV HOME /home/vault RUN mkdir -p /vault/logs && \ mkdir -p /vault/file && \ mkdir -p /vault/config && \ mkdir -p $HOME && \ chown -R vault /vault && chown -R vault $HOME && \ chgrp -R 0 $HOME && chmod -R g+rwX $HOME && \ chgrp -R 0 /vault && chmod -R g+rwX /vault # Expose the logs directory as a volume since there's potentially long-running # state in there VOLUME /vault/logs # Expose the file directory as a volume since there's potentially long-running # state in there VOLUME /vault/file # 8200/tcp is the primary interface that applications use to interact with # Vault. EXPOSE 8200 # The entry point script uses dumb-init as the top-level process to reap any # zombie processes created by Vault sub-processes. # # For production derivatives of this container, you shoud add the IPC_LOCK # capability so that Vault can mlock memory. COPY .release/docker/ubi-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh ENTRYPOINT ["docker-entrypoint.sh"] # Use the Vault user as the default user for starting this container. USER vault # # By default you'll get a single-node development server that stores everything # # in RAM and bootstraps itself. Don't use this configuration for production. CMD ["server", "-dev"]