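# Build stage: compiles the vault-plugin-auth-cf plugin from source and fetches
# a signature-verified Vault release. Only the artifacts named in the runtime
# stage's COPY --from=builder lines leave this stage.
FROM golang:1.22.5 AS builder
ENV VAULT_VERSION=1.14.10
WORKDIR /vault

# Fail a RUN when any command in a pipeline fails, not only the last one
# (the checksum step below pipes grep into sha256sum).
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# apt-get rather than apt: apt's command-line interface is not meant for scripts.
# NOTE(review): openssh-server is not used by any step visible in this file;
# confirm it is needed before keeping it.
RUN apt-get update && \
    apt-get install -y git openssh-server gcc musl-dev curl gnupg unzip

# Public key used to verify the Vault release (https://www.hashicorp.com/security.html).
# The signature check below is only as trustworthy as this file: confirm the
# fingerprint of resources/hashicorp.asc against the one HashiCorp publishes.
COPY resources/hashicorp.asc /tmp/
# COPY instead of ADD: run.sh is a plain local file, no extraction or fetch is wanted.
COPY run.sh /vault/

# Build vault-auth-cf-plugin.
# NOTE(review): gox@latest and the unpinned clone of the default branch mean
# the plugin source can change between builds without any change to this file.
# Pin both to a reviewed tag or commit so builds are reproducible and auditable.
RUN go install github.com/mitchellh/gox@latest && \
    git clone https://github.com/hashicorp/vault-plugin-auth-cf.git && \
    cd vault-plugin-auth-cf && \
    make test && \
    make dev && \
    make tools

# Keep the checksum in a file to be used for plugin registration.
# This hash is taken over the binary built just above, so it ties the
# registered plugin to this build; it says nothing about where the source came from.
RUN sha256sum /vault/vault-plugin-auth-cf/bin/vault-plugin-auth-cf > checksum

# Fix exec permission issues that come up due to the way source control deals
# with executable files.
RUN chmod a+x /vault/run.sh

# Download Vault plus its checksum list and detached signature.
# -f makes curl fail on an HTTP error instead of saving the error page;
# -S still prints the error while -s keeps the progress meter off.
RUN gpg --import /tmp/hashicorp.asc
RUN curl -fsSO "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && \
    curl -fsSO "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS" && \
    curl -fsSO "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig"

# Verify the checksum list against its signature before trusting any hash in it.
RUN gpg --verify "vault_${VAULT_VERSION}_SHA256SUMS.sig" "vault_${VAULT_VERSION}_SHA256SUMS"

# The checksum file lists all platforms; only the linux amd64 archive was
# downloaded, so check exactly that entry. sha256sum -c fails the build on a
# mismatch or when no entry is selected.
RUN grep -F "vault_${VAULT_VERSION}_linux_amd64.zip" "vault_${VAULT_VERSION}_SHA256SUMS" | sha256sum -c -

# Unpack only after both the signature and the checksum have passed.
RUN unzip "vault_${VAULT_VERSION}_linux_amd64.zip"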
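# Runtime stage: a small Alpine image holding the verified Vault binary, the
# locally built CF auth plugin with its checksum, and the start script.
# The base is pinned instead of :latest so a rebuild cannot silently pick up a
# different release; bump the tag deliberately and consider pinning by digest.
FROM alpine:3.20
LABEL maintainer="Andy Lo-A-Foe <[email protected]>"
RUN apk add --no-cache ca-certificates curl jq postgresql-client
WORKDIR /app

# Artifacts produced by the builder stage. Trailing slashes make it explicit
# that the destination is a directory.
COPY --from=builder /vault/vault /app/
COPY --from=builder /vault/vault-plugin-auth-cf/bin/vault-plugin-auth-cf /app/plugins/
COPY --from=builder /vault/run.sh /app/
# sha256 of the plugin binary, written by the builder stage for plugin registration.
COPY --from=builder /vault/checksum /app/checksum
COPY resources/vault-schema.sql /app/

# NOTE(review): no USER is set, so run.sh and everything it starts run as root.
# run.sh is not visible here; if it does not need root (8080 is an
# unprivileged port), create a dedicated user and switch to it before CMD.
EXPOSE 8080
CMD ["/app/run.sh"]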