Merge branch '2-vault-dev-server' into 'main'

Make Hashicorp Vault work in dev server mode Closes #2 See merge request gaia-x/data-infrastructure-federation-services/tsa/workspace!1

Merge branch '2-vault-dev-server' into 'main'
47729a11 · Lyuben Penkovski · d6eece1e · c6386221 · 47729a11 · 47729a11
Commit 47729a11 authored 2 years ago by Lyuben Penkovski
--- a/README.md
+++ b/README.md
@@ -115,24 +115,16 @@ The services access Redis from their containers as `redis:6397`
 ### Hashicorp Vault
-When the vault is first started with docker-compose on your local machine,
+The vault in the local docker-compose environment is started in 
-it's not yet initialized. To initialize it and get a vault token which can be used
+[dev](https://developer.hashicorp.com/vault/docs/concepts/dev-server) server mode.
-by the [signer](../signer) service, you should open the Vault UI and follow the
+It starts with a predefined root token with value `root` which should be given to the
-initial steps to generate a token. The token then must be set as a value for the
+services which want to interact with the vault. The vault is automatically
-ENV variable VAULT_TOKEN in [signer.env](./env/signer.env)
+unsealed, so once running it should be ready for use. 
-Vault UI is exposed at http://0.0.0.0:8200/ui/vault
+Vault UI is exposed at http://localhost:8200/ui/vault, and you can sign-in there with
+the `root` token.
-Setting Vault __(only for local env)__:
-1. On the first screen of the Vault Web UI enter "Key shares" = 1 and "Key threshold" = 1
+> Warning: Never use Vault DEV mode in production!
-1. Click Initialize
-1. Save key/token
-1. Unseal Vault by using the key
-1. Sign in by using the token (the same one you need for VAULT_TOKEN env variable)
-1. On the "Secrets" tab click "Enable new engine" => "transit" => "next" => "Enable engine"
-1. Click "Create encryption key" enter name "key1"
-1. For "Type" use one of the options in [signer.env](./env/signer.env) for VAULT_SUPPORTED_KEYS
-1. Click "Create encryption key"
 ### License

--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -93,6 +93,7 @@ services:
      - "2112:2112"
    depends_on:
      - vault
+      - vault-init
  didresolver:
    container_name: didresolver
@@ -151,9 +152,8 @@ services:
    container_name: vault
    image: vault:1.10.3
    environment:
-      VAULT_ADDR: ":8200"
+      VAULT_ADDR: "http://0.0.0.0:8200"
      VAULT_API_ADDR: "http://0.0.0.0:8200"
-      VAULT_DEV_ROOT_TOKEN_ID: root
    ports:
      - "8200:8200"
    volumes:
@@ -161,7 +161,17 @@ services:
      - ./vault:/vault/config:rw
    cap_add:
      - IPC_LOCK
-    entrypoint: vault server -config=/vault/config/config.json
+    entrypoint: vault server -dev -dev-listen-address="0.0.0.0:8200" -dev-root-token-id="root"
+  vault-init:
+    container_name: vault-init
+    image: vault:1.10.3
+    volumes:
+      - ./vault/vault-init.sh:/vault-init.sh
+    depends_on:
+      - vault
+    restart: "no"
+    entrypoint: sh -c "/vault-init.sh"
  nats:
    hostname: nats

--- a/env/signer.env
+++ b/env/signer.env
@@ -5,7 +5,7 @@ HTTP_IDLE_TIMEOUT="120s"
 HTTP_READ_TIMEOUT="10s"
 HTTP_WRITE_TIMEOUT="10s"
 VAULT_ADDR="http://vault:8200"
-VAULT_TOKEN=
+VAULT_TOKEN=root
 VAULT_SIGNING_KEY="key1"
 VAULT_SUPPORTED_KEYS="ed25519,ecdsa-p256,ecdsa-p384,ecdsa-p521"
 CREDENTIAL_ISSUER="did:web:17a1-2a00-4802-2c0-9295-59ff-6a60-b735-32ea.eu.ngrok.io:policy:policy:example:returnDID:1.0:evaluation"
--- a/vault/vault-init.sh
+++ b/vault/vault-init.sh
+#! /bin/sh
+set -e
+export VAULT_ADDR=http://vault:8200
+# give some time for Vault to start and be ready
+sleep 3
+vault login root
+# enable vault transit engine
+vault secrets enable transit
+# create key1 with type ed25519
+vault write -f transit/keys/key1 type=ed25519
+# create key2 with type ecdsa-p256
+vault write -f transit/keys/key2 type=ecdsa-p256