upgrade vault to 0.9.0

vault/Dockerfile

@@ -5,25 +5,26 @@
 FROM alpine
 MAINTAINER kev <noreply@easypi.pro>
 
-ENV VAULT_VER 0.5.2
+ENV VAULT_VER=0.9.0
-ENV VAULT_URL https://releases.hashicorp.com/vault/${VAULT_VER}/vault_${VAULT_VER}_linux_amd64.zip
+ENV VAULT_URL=https://releases.hashicorp.com/vault/${VAULT_VER}/vault_${VAULT_VER}_linux_amd64.zip
-ENV VAULT_MD5 7d0f546d19c8e7e1eb5f8856bfa4cc29
+ENV VAULT_MD5=6db0a01b144c73b0633bbcd69175cd2c
-ENV VAULT_FILE vault.zip
-ENV VAULT_ADDR https://127.0.0.1:8200
 
 RUN set -xe \
     && apk add -U ca-certificates \
-    && wget -O $VAULT_FILE $VAULT_URL \
+    && wget -O vault.zip $VAULT_URL \
-    && echo "$VAULT_MD5  $VAULT_FILE" | md5sum -c \
+    && echo "$VAULT_MD5  vault.zip" | md5sum -c \
-    && unzip $VAULT_FILE -d /usr/bin/ \
+    && unzip vault.zip -d /usr/bin/ \
     && chmod +x /usr/bin/vault \
     && apk del ca-certificates \
-    && rm $VAULT_FILE /var/cache/apk/*
+    && rm vault.zip /var/cache/apk/*
 
-COPY vault /etc/vault
+COPY ./data/etc /etc/vault
-
+VOLUME /etc/vault /var/lib/vault /var/log/vault
-VOLUME /etc/vault /var/lib/vault
 
 EXPOSE 8200
 
-CMD ["vault", "server", "-config=/etc/vault/vault.hcl"]
+ENV VAULT_ADDR=https://127.0.0.1:8200
+ENV VAULT_SKIP_VERIFY=1
+
+ENTRYPOINT ["vault"]
+CMD ["server", "-config=/etc/vault/vault.hcl"]

vault/README.md

@@ -10,14 +10,15 @@ providing tight access control and recording a detailed audit log.
 
 ## docker-compose.yml
 
-```
+```yaml
 vault:
   image: vimagick/vault
   ports:
     - "8200:8200"
   volumes:
-    - vault/vault.crt:/etc/vault/vault.crt
+    - ./data/etc:/etc/vault
-    - vault/vault.key:/etc/vault/vault.key
+    - ./data/var:/var/lib/vault
+    - ./data/log:/var/log/vault
   cap_add:
     - IPC_LOCK
   restart: always
@@ -27,30 +28,32 @@ vault:
 
 ## server
 
-```
+```bash
 $ cd ~/fig/vault
-$ mkdir vault
+$ mkdir data
-$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vault/vault.key -out vault/vault.crt
+$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout data/etc/vault.key -out data/etc/vault.crt
 $ docker-compose up -d
 $ docker cp vault_vault_1:/usr/bin/vault /usr/local/bin/
 $ docker exec -it vault_vault_1 sh
 >>> cd /etc/vault
->>> vault init -tls-skip-verify -key-shares=5 -key-threshold=3 | tee vault.secret
+>>> vault init -key-shares=5 -key-threshold=3 | tee vault.secret
 >>> exit
-$ docker run --rm --volumes-from vault_vault_1 -v `pwd`:/backup alpine tar cvzf /backup/vault.tgz /etc/vault /var/lib/vault
+$ docker run --rm --volumes-from vault_vault_1 -v `pwd`:/backup alpine tar cvzf /backup/vault.tgz /etc/vault /var/lib/vault /var/log/vault
 ```
 
 > Split `vault.secret`, keep them a secret.
 
 ## client
 
-```
+```bash
 $ export VAULT_ADDR='https://server:8200'
-$ cp ~/fig/vault/vault/vault.crt /etc/ssl/certs/vault.pem
+$ export VAULT_SKIP_VERIFY=0
+$ cp ~/fig/vault/data/etc/vault.crt /etc/ssl/certs/vault.pem
 $ update-ca-certificates
 $ vault status
 $ vault unseal && vault unseal && vault unseal
 $ vault auth
+$ vault audit-enable file file_path=/var/log/vault/audit.log
 $ vault write secret/name key=value
 $ vault read secret/name
 $ vault seal

vault/docker-compose.yml

@@ -3,8 +3,9 @@ vault:
   ports:
     - "8200:8200"
   volumes:
-    - ./vault/vault.crt:/etc/vault/vault.crt
+    - ./data/etc:/etc/vault
-    - ./vault/vault.key:/etc/vault/vault.key
+    - ./data/var:/var/lib/vault
+    - ./data/log:/var/log/vault
   cap_add:
     - IPC_LOCK
   restart: always