Make Hashicorp Vault work in dev server mode

README.md

@@ -115,24 +115,16 @@ The services access Redis from their containers as `redis:6397`
 
 ### Hashicorp Vault
 
-When the vault is first started with docker-compose on your local machine,
-it's not yet initialized. To initialize it and get a vault token which can be used
-by the [signer](../signer) service, you should open the Vault UI and follow the
-initial steps to generate a token. The token then must be set as a value for the
-ENV variable VAULT_TOKEN in [signer.env](./env/signer.env)
-
-Vault UI is exposed at http://0.0.0.0:8200/ui/vault
-
-Setting Vault __(only for local env)__:
-1. On the first screen of the Vault Web UI enter "Key shares" = 1 and "Key threshold" = 1
-1. Click Initialize
-1. Save key/token
-1. Unseal Vault by using the key
-1. Sign in by using the token (the same one you need for VAULT_TOKEN env variable)
-1. On the "Secrets" tab click "Enable new engine" => "transit" => "next" => "Enable engine"
-1. Click "Create encryption key" enter name "key1"
-1. For "Type" use one of the options in [signer.env](./env/signer.env) for VAULT_SUPPORTED_KEYS
-1. Click "Create encryption key"
+The vault in the local docker-compose environment is started in 
+[dev](https://developer.hashicorp.com/vault/docs/concepts/dev-server) server mode.
+It starts with a predefined root token with value `root` which should be given to the
+services which want to interact with the vault. The vault is automatically
+unsealed, so once running it should be ready for use. 
+
+Vault UI is exposed at http://localhost:8200/ui/vault, and you can sign-in there with
+the `root` token.
+
+> Warning: Never use Vault DEV mode in production!
 
 ### License
 

docker-compose.yml

@@ -93,6 +93,7 @@ services:
       - "2112:2112"
     depends_on:
       - vault
+      - vault-init
 
   didresolver:
     container_name: didresolver
@@ -151,9 +152,8 @@ services:
     container_name: vault
     image: vault:1.10.3
     environment:
-      VAULT_ADDR: ":8200"
+      VAULT_ADDR: "http://0.0.0.0:8200"
       VAULT_API_ADDR: "http://0.0.0.0:8200"
-      VAULT_DEV_ROOT_TOKEN_ID: root
     ports:
       - "8200:8200"
     volumes:
@@ -161,7 +161,17 @@ services:
       - ./vault:/vault/config:rw
     cap_add:
       - IPC_LOCK
-    entrypoint: vault server -config=/vault/config/config.json
+    entrypoint: vault server -dev -dev-listen-address="0.0.0.0:8200" -dev-root-token-id="root"
+
+  vault-init:
+    container_name: vault-init
+    image: vault:1.10.3
+    volumes:
+      - ./vault/vault-init.sh:/vault-init.sh
+    depends_on:
+      - vault
+    restart: "no"
+    entrypoint: sh -c "/vault-init.sh"
 
   nats:
     hostname: nats

env/signer.env

@@ -5,7 +5,7 @@ HTTP_IDLE_TIMEOUT="120s"
 HTTP_READ_TIMEOUT="10s"
 HTTP_WRITE_TIMEOUT="10s"
 VAULT_ADDR="http://vault:8200"
-VAULT_TOKEN=
+VAULT_TOKEN=root
 VAULT_SIGNING_KEY="key1"
 VAULT_SUPPORTED_KEYS="ed25519,ecdsa-p256,ecdsa-p384,ecdsa-p521"
 CREDENTIAL_ISSUER="did:web:17a1-2a00-4802-2c0-9295-59ff-6a60-b735-32ea.eu.ngrok.io:policy:policy:example:returnDID:1.0:evaluation"

vault/vault-init.sh

+#! /bin/sh
+
+set -e
+
+export VAULT_ADDR=http://vault:8200
+
+# give some time for Vault to start and be ready
+sleep 3
+
+vault login root
+
+# enable vault transit engine
+vault secrets enable transit
+
+# create key1 with type ed25519
+vault write -f transit/keys/key1 type=ed25519
+
+# create key2 with type ecdsa-p256
+vault write -f transit/keys/key2 type=ecdsa-p256