open-vault/Dockerfile

FROM alpine:3.15 as default

ARG BIN_NAME
# NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
# and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3.
ARG NAME=vault
ARG PRODUCT_VERSION
# TARGETARCH and TARGETOS are set automatically when --platform is provided.
ARG TARGETOS TARGETARCH

LABEL maintainer="Vault Team <vault@hashicorp.com>"
LABEL version=${PRODUCT_VERSION}

# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
ENV NAME=$NAME
ENV VERSION=$VERSION

# Create a non-root user to run the software.
RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME}

RUN apk add --no-cache libcap su-exec dumb-init tzdata

COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/

# /vault/logs is made available to use as a location to store audit logs, if
# desired; /vault/file is made available to use as a location with the file
# storage backend, if desired; the server will be started with /vault/config as
# the configuration directory so you can add additional config files in that
# location.
RUN mkdir -p /vault/logs && \
    mkdir -p /vault/file && \
    mkdir -p /vault/config && \
    chown -R ${NAME}:${NAME} /vault

# Expose the logs directory as a volume since there's potentially long-running
# state in there
VOLUME /vault/logs

# Expose the file directory as a volume since there's potentially long-running
# state in there
VOLUME /vault/file

# 8200/tcp is the primary interface that applications use to interact with
# Vault.
EXPOSE 8200

# The entry point script uses dumb-init as the top-level process to reap any
# zombie processes created by Vault sub-processes.
#
# For production derivatives of this container, you shoud add the IPC_LOCK
# capability so that Vault can mlock memory.
COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
ENTRYPOINT ["docker-entrypoint.sh"]


# # By default you'll get a single-node development server that stores everything
# # in RAM and bootstraps itself. Don't use this configuration for production.
CMD ["server", "-dev"]
add security-scan for CRT (#13627) * add security-scan * updating the alpine version * clean up * update the alpine version to be more prescriptive 2022-01-31 16:35:25 +00:00			`FROM alpine:3.15 as default`
adding CRT to main branch (#13088) * adding CRT to main branch * cleanup * um i dont know how that got removed but heres the fix * add vault.service Co-authored-by: Kyle Penfound <kpenfound11@gmail.com> 2021-12-06 16:06:22 +00:00
			`ARG BIN_NAME`
rename Dockerfile build-arg VERSION to PRODUCT_VERSION (#14369) 2022-03-10 12:59:30 +00:00			`# NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com`
			`# and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3.`
adding CRT to main branch (#13088) * adding CRT to main branch * cleanup * um i dont know how that got removed but heres the fix * add vault.service Co-authored-by: Kyle Penfound <kpenfound11@gmail.com> 2021-12-06 16:06:22 +00:00			`ARG NAME=vault`
rename Dockerfile build-arg VERSION to PRODUCT_VERSION (#14369) 2022-03-10 12:59:30 +00:00			`ARG PRODUCT_VERSION`
adding CRT to main branch (#13088) * adding CRT to main branch * cleanup * um i dont know how that got removed but heres the fix * add vault.service Co-authored-by: Kyle Penfound <kpenfound11@gmail.com> 2021-12-06 16:06:22 +00:00			`# TARGETARCH and TARGETOS are set automatically when --platform is provided.`
			`ARG TARGETOS TARGETARCH`

			`LABEL maintainer="Vault Team <vault@hashicorp.com>"`
rename Dockerfile build-arg VERSION to PRODUCT_VERSION (#14369) 2022-03-10 12:59:30 +00:00			`LABEL version=${PRODUCT_VERSION}`
adding CRT to main branch (#13088) * adding CRT to main branch * cleanup * um i dont know how that got removed but heres the fix * add vault.service Co-authored-by: Kyle Penfound <kpenfound11@gmail.com> 2021-12-06 16:06:22 +00:00
			`# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD`
			`ENV NAME=$NAME`
			`ENV VERSION=$VERSION`

			`# Create a non-root user to run the software.`
			`RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME}`

			`RUN apk add --no-cache libcap su-exec dumb-init tzdata`

			`COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/`

			`# /vault/logs is made available to use as a location to store audit logs, if`
			`# desired; /vault/file is made available to use as a location with the file`
			`# storage backend, if desired; the server will be started with /vault/config as`
			`# the configuration directory so you can add additional config files in that`
			`# location.`
			`RUN mkdir -p /vault/logs && \`
			`mkdir -p /vault/file && \`
			`mkdir -p /vault/config && \`
			`chown -R ${NAME}:${NAME} /vault`

			`# Expose the logs directory as a volume since there's potentially long-running`
			`# state in there`
			`VOLUME /vault/logs`

			`# Expose the file directory as a volume since there's potentially long-running`
			`# state in there`
			`VOLUME /vault/file`

			`# 8200/tcp is the primary interface that applications use to interact with`
			`# Vault.`
			`EXPOSE 8200`

			`# The entry point script uses dumb-init as the top-level process to reap any`
			`# zombie processes created by Vault sub-processes.`
			`#`
			`# For production derivatives of this container, you shoud add the IPC_LOCK`
			`# capability so that Vault can mlock memory.`
			`COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh`
			`ENTRYPOINT ["docker-entrypoint.sh"]`


			`# # By default you'll get a single-node development server that stores everything`
			`# # in RAM and bootstraps itself. Don't use this configuration for production.`
			`CMD ["server", "-dev"]`