Bertrand Demiddelaer 90de3a6c16 RELENG-3697 add an hashicorp vault/kmip worker 2020-04-09 14:57:21 +02:00
6 changed files with 164 additions and 0 deletions


@ -0,0 +1,27 @@
FROM ubuntu:bionic
RUN apt-get update
# install requirements
RUN apt-get install --no-install-recommends --assume-yes \
ca-certificates \
curl \
jq \
iproute2 \
net-tools \
nginx \
unzip
# install vault
RUN curl -s -o /tmp/vault.zip https://releases.hashicorp.com/vault/1.3.4+ent/vault_1.3.4+ent_linux_amd64.zip
RUN unzip -p /tmp/vault.zip > /usr/local/bin/vault && chmod u+x /usr/local/bin/vault
# use a volume for vault server data
VOLUME "/mnt/vault/data"
# run
COPY vault.cfg /etc/vault.cfg.template
COPY nginx.conf /etc/nginx/nginx.conf
COPY setup.sh /setup.sh
COPY start.sh /start.sh
CMD ["/start.sh"]
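Review bot: The vault binary fetched by `RUN curl -s -o /tmp/vault.zip ...` is installed with no integrity check, so a tampered or truncated download ends up as `/usr/local/bin/vault`; curl is also run without `--fail`, so an HTTP error body would be saved as the zip and only fail later at unzip. HashiCorp publishes a SHA256SUMS file alongside each release; pin the expected digest in the Dockerfile and verify it before extracting, then remove the archive so it does not stay in the image layer. Combining fetch, verify, extract and cleanup in one RUN keeps a failed verification from leaving a partial layer behind.
```dockerfile
# install vault (verify the pinned release digest before extracting)
RUN curl -sSf -o /tmp/vault.zip https://releases.hashicorp.com/vault/1.3.4+ent/vault_1.3.4+ent_linux_amd64.zip \
 && echo "<EXPECTED_SHA256_FROM_RELEASE_SHA256SUMS>  /tmp/vault.zip" | sha256sum -c - \
 && unzip -p /tmp/vault.zip > /usr/local/bin/vault \
 && chmod u+x /usr/local/bin/vault \
 && rm -f /tmp/vault.zip
```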


@ -0,0 +1,16 @@
This docker container spawns a hashicorp vault/kmip server for integration
test purpose.
Please note, the server does not setup TLS communication with the clients.
The kmip scope and role are defined at the beginning of the setup.sh script:
SCOPE="scality-s3c"
ROLE="admin"
When running this container, you have to set an environment variable called
"LICENSE" containing the hashicorp vault license. The license value is
available in the CI secrets with the key "hashicorp_vault_license".
The whole container is setup and ready when it is also listening on HTTP. This
should be used to coordinate test start. On this web server, the tester can get
the kmip ca.pem, cert.pem, and key.pem at /ca.pem /cert.pem and /key.pem URIs.


@ -0,0 +1,24 @@
worker_processes 1;
events {
worker_connections 256;
}
http {
access_log /dev/null;
error_log /dev/null;
server {
listen 80;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
}
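Review bot: `access_log /dev/null;` and `error_log /dev/null;` discard every record of requests to a document root that, per setup.sh in this same change, holds the generated KMIP client private key (`/var/www/html/key.pem`). For a fixture that publishes key material over plain HTTP on `listen 80;`, keeping at least the access log (`access_log /var/log/nginx/access.log;`) lets the CI output show which client fetched the credentials and when. A comment on `root /var/www/html;` such as `# serves the generated KMIP client cert/key to the tester; isolated CI network only` would also make the intent explicit to the next reader of this config.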


@ -0,0 +1,61 @@
#!/bin/bash
SCOPE="scality-s3c"
ROLE="admin"
# wait vault server to be up
while true
do
netstat -plnt | grep -q ':8200' && break
sleep 0.1
done
ipv4=$(ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
# find vault server address
export VAULT_ADDR="http://"${ipv4}":8200"
# init vault
vault operator init --format json > /root/operator_init
# unseal
for i in $(seq 0 2); do
key=$(jq -r ".unseal_keys_b64[$i]" /root/operator_init)
vault operator unseal "$key"
done
# set root token
export VAULT_TOKEN=$(jq -r ".root_token" /root/operator_init)
# set license
cat << EOF > /root/license.json
{
"text": "$LICENSE"
}
EOF
curl \
--silent \
--fail \
--show-error \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request PUT \
--data @/root/license.json \
${VAULT_ADDR}/v1/sys/license
# enable kmip
vault secrets enable kmip
# configure kmip
vault write kmip/config listen_addrs=0.0.0.0:5696
vault write -f kmip/scope/${SCOPE}
vault write kmip/scope/${SCOPE}/role/${ROLE} operation_all=true
# generate pem files for the client
vault write kmip/config server_ips=${ipv4}
vault read -format=json kmip/ca | jq -r .data.ca_pem > /var/www/html/ca.pem
vault write -format=json kmip/scope/${SCOPE}/role/${ROLE}/credential/generate cert_format=pem > /root/creds.json
jq -r .data.certificate /root/creds.json > /var/www/html/cert.pem
jq -r .data.private_key /root/creds.json > /var/www/html/key.pem
# make the pem files available for the tester
exec /usr/sbin/nginx
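Review bot: The script runs without `set -e`, yet `exec /usr/sbin/nginx` on the last line is the readiness signal the README describes, so any failed step before it (an unseal error, a rejected license PUT, a failed `vault secrets enable kmip`) still ends with nginx listening and missing or empty PEM files, and the tester sees "ready" instead of a failing container. Adding `set -eu` after the shebang makes the container exit on the first failing step and also rejects an unset `$LICENSE`; `-o pipefail` is best left out here because `grep -q` in the wait loop can make netstat exit on SIGPIPE and keep the loop from breaking. The license heredoc interpolates `$LICENSE` into JSON without escaping, so a value containing a quote or backslash produces an invalid document; `jq -n --arg text "$LICENSE" '{text: $text}' > /root/license.json` is correct for any value. The root token is also visible in the process list while curl runs, since it is passed on argv via `--header "X-Vault-Token: ${VAULT_TOKEN}"`; curl's `--header @file` form reads the header from a file instead.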


@ -0,0 +1,9 @@
#!/bin/bash
ipv4=$(ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
sed -e "s/__IP_ADDRESS__/${ipv4}/g" /etc/vault.cfg.template > /etc/vault.cfg
/setup.sh &
exec /usr/local/bin/vault server -config /etc/vault.cfg
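Review bot: `ipv4=$(...)` on the second line is used unchecked in the `sed` substitution, so when eth0 is absent or has no IPv4 address yet the template is rendered with an empty host (`address = ":8200"`, `api_addr = "http://:8200/"`) and the problem only surfaces later, when setup.sh computes the same empty value and its curl and vault calls fail. A guard such as `: "${ipv4:?no IPv4 address found on eth0}"` before the `sed` line fails fast with a readable message. Since setup.sh runs the identical pipeline to derive the address, exporting the value here and reading it there would keep the two scripts from diverging.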


@ -0,0 +1,27 @@
# set it to true, otherwise vault server complains when running inside a docker container
disable_mlock = true
# fix warning
api_addr = "http://__IP_ADDRESS__:8200/"
ui = true
listener "tcp" {
address = "__IP_ADDRESS__:8200"
#tls_disable = false
#log = debug
tls_disable = 1
tls_skip_verify = 1
tls_cert_file = "/root/hashicorp/server/ca.crt"
tls_key_file = "/root/hashicorp/server/ca.key"
tls_client_ca_file = "/root/hashicorp/server/cacert.pem"
}
storage "file" {
path = "/mnt/vault/data"
}
telemetry {
prometheus_retention_time = "30s"
disable_hostname = true
}
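Review bot: The listener block sets `tls_disable = 1` and then also sets `tls_skip_verify`, `tls_cert_file`, `tls_key_file` and `tls_client_ca_file` pointing at `/root/hashicorp/server/...`, files nothing in this change creates; with TLS disabled those lines are inert, and `tls_skip_verify` does not appear to be a tcp listener option at all (it is a client-side setting), so a reader may wrongly conclude the listener is TLS-capable. Dropping the four tls_* lines, or replacing them with a comment such as `# plaintext HTTP listener on purpose: integration-test fixture, no TLS (see README)`, leaves the configuration saying what it actually does. The commented-out `#tls_disable = false` next to the active `tls_disable = 1` should go for the same reason.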