feat: use quorum hashicorp plugin image (#451)

deps/hashicorp/docker-compose.yml

@@ -8,112 +8,106 @@ x-container-common: &container-common
 services:
   hashicorp:
     <<: *container-common
-    image: library/vault:1.8.2
+    image: consensys/quorum-hashicorp-vault-plugin:v1.1.3
     tty: true
     cap_add:
       - IPC_LOCK
     volumes:
       - hashicorp-plugin:/vault/plugins
       - ./config/config.hcl:/vault/config.hcl:ro
-    entrypoint: vault server -config=/vault/config.hcl
+      - ./scripts/agent-init.sh:/usr/local/bin/kvv2-init.sh
+    environment:
+      VAULT_ADDR: http://hashicorp:8200
+      VAULT_IS_READY: /vault/token/.ready
+      ROOT_TOKEN_PATH: /vault/token/.root
+    entrypoint:
+      - sh
+      - -c
+      - |
+        ( sleep 2 && vault-init.sh && kvv2-init.sh && cat > $${VAULT_IS_READY} ) &
+         vault server -config=/vault/config.hcl
     ports:
       - 8200:8200
 
-  hashicorp-tls:
+  hashicorp-agent:
     <<: *container-common
-    image: library/vault:1.8.2
-    container_name: hashicorp
+    image: consensys/quorum-hashicorp-vault-plugin:v1.1.3
     tty: true
+    depends_on:
+      - hashicorp
     cap_add:
       - IPC_LOCK
+    environment:
+      ROOT_TOKEN_PATH: /vault/token/.root
+      VAULT_ADDR: http://vault:8200
+      SECRET_FILE_PATH: /vault/token/secret
+      ROLE_FILE_PATH: /vault/token/role
+      VAULT_IS_READY: /vault/token/.ready
     volumes:
-      - hashicorp-plugin:/vault/plugins
-      - ./tls:/vault/tls:ro
-      - ./config/config-tls.hcl:/vault/config.hcl:ro
-      - ./tls/ca.crt:/etc/ssl/certs/vault.crt
-    entrypoint: vault server -config=/vault/config.hcl
-    ports:
-      - 8200:8200
+      - hashicorp-token:/vault/token
+      - ./config/agent-config.hcl:/vault/config.hcl:ro
+      - ./scripts/agent-init.sh:/usr/local/bin/agent-init.sh
+    entrypoint:
+      - sh
+      - -c
+      - |
 
-  hashicorp-init-tls:
+        until [ -f ${VAULT_IS_READY} ]; do
+          echo "[AGENT] waiting for vault to be ready..."
+          sleep 1
+        done
+
+        agent-init.sh
+        vault agent -config=/vault/config.hcl
+
+  hashicorp-tls:
     <<: *container-common
-    build: .
-    container_name: hashicorp-init
+    image: consensys/quorum-hashicorp-vault-plugin:v1.1.3
+    container_name: hashicorp
+    tty: true
+    cap_add:
+      - IPC_LOCK
     environment:
-      VAULT_ADDR: ${VAULT_ADDR-https://hashicorp:8200}
+      VAULT_ADDR: https://hashicorp:8200
+      VAULT_IS_READY: /vault/token/.ready
+      ROOT_TOKEN_PATH: /vault/token/.root
       VAULT_CACERT: ${VAULT_CACERT-/vault/tls/ca.crt}
       VAULT_CLIENT_CERT: ${VAULT_CLIENT_CERT-/vault/tls/client.crt}
       VAULT_CLIENT_KEY: ${VAULT_CLIENT_KEY-/vault/tls/client.key}
-      PLUGIN_PATH: ${PLUGIN_PATH-/vault/plugins}
-      TOKEN_PATH: ${TOKEN_PATH-/vault/token}
-      PLUGIN_VERSION: ${PLUGIN_VERSION-v1.0.0}
-    restart: "no"
-    depends_on:
-      - hashicorp-tls
-    volumes:
-      - hashicorp-token:/vault/token
-      - hashicorp-plugin:/vault/plugins
-      - ./scripts/init-tls.sh:/init.sh
-      - ./scripts/plugin.sh:/plugin.sh
-      - ./tls/ca.crt:/vault/tls/ca.crt:ro
-      - ./tls/client.crt:/vault/tls/client.crt:ro
-      - ./tls/client.key:/vault/tls/client.key:ro
-    command: >
-      sh -c "./plugin.sh && ./init.sh"
-
-  hashicorp-init:
-    <<: *container-common
-    build: .
-    environment:
-      VAULT_ADDR: ${VAULT_ADDR-http://hashicorp:8200}
-      PLUGIN_PATH: ${PLUGIN_PATH-/vault/plugins}
-      TOKEN_PATH: ${TOKEN_PATH-/vault/token}
-      PLUGIN_VERSION: ${PLUGIN_VERSION-v1.0.0}
-    restart: "no"
-    depends_on:
-      - hashicorp
     volumes:
-      - hashicorp-token:/vault/token
       - hashicorp-plugin:/vault/plugins
-      - ./scripts/init.sh:/init.sh
-      - ./scripts/plugin.sh:/plugin.sh
-    command: >
-      sh -c "./plugin.sh && ./init.sh"
+      - ./tls:/vault/tls:ro
+      - ./config/config-tls.hcl:/vault/config.hcl:ro
+      - ./tls/ca.crt:/etc/ssl/certs/vault.crt
+    entrypoint:
+      - sh
+      - -c
+      - |
+        ( sleep 2 && vault-init.sh && kvv2-init.sh && cat > $${VAULT_IS_READY} ) &
+         vault server -config=/vault/config.hcl
+    ports:
+      - 8200:8200
 
   hashicorp-agent-tls:
     <<: *container-common
-    container_name: hashicorp-agent
-    environment:
-      VAULT_ADDR: ${VAULT_ADDR-https://hashicorp:8202}
-      VAULT_CACERT: ${VAULT_CACERT-/vault/tls/ca.crt}
-    image: library/vault:1.8.2
+    image: consensys/quorum-hashicorp-vault-plugin:v1.1.3
     tty: true
+    container_name: hashicorp-agent
     depends_on:
       - hashicorp-tls
-      - hashicorp-init-tls
     cap_add:
       - IPC_LOCK
+    environment:
+      VAULT_ADDR: ${VAULT_ADDR-https://hashicorp:8202}
+      VAULT_CACERT: ${VAULT_CACERT-/vault/tls/ca.crt}
+      VAULT_CLIENT_CERT: ${VAULT_CLIENT_CERT-/vault/tls/client.crt}
+      VAULT_CLIENT_KEY: ${VAULT_CLIENT_KEY-/vault/tls/client.key}
     volumes:
       - hashicorp-token:/vault/token
       - ./config/agent-config-tls.hcl:/vault/config.hcl:ro
       - ./tls:/vault/tls:ro
     entrypoint: vault agent -config=/vault/config.hcl
 
-  hashicorp-agent:
-    <<: *container-common
-    environment:
-      VAULT_ADDR: ${VAULT_ADDR-http://hashicorp:8200}
-    image: library/vault:1.8.2
-    tty: true
-    depends_on:
-      - hashicorp
-      - hashicorp-init
-    cap_add:
-      - IPC_LOCK
-    volumes:
-      - hashicorp-token:/vault/token
-      - ./config/agent-config.hcl:/vault/config.hcl:ro
-    entrypoint: vault agent -config=/vault/config.hcl
 
 volumes:
   hashicorp-token:

deps/hashicorp/scripts/agent-init.sh

@@ -0,0 +1,38 @@
+VAULT_TOKEN=$(cat "${ROOT_TOKEN_PATH}")
+
+VAULT_SSL_PARAMS=""
+if [ -n "$VAULT_CACERT" ]; then
+ VAULT_SSL_PARAMS="$VAULT_SSL_PARAMS --cacert $VAULT_CACERT"
+fi  
+
+if [ -n "$VAULT_CLIENT_CERT" ]; then
+ VAULT_SSL_PARAMS="$VAULT_SSL_PARAMS --cert $VAULT_CLIENT_CERT"
+fi     
+
+if [ -n "$VAULT_CLIENT_KEY" ]; then
+ VAULT_SSL_PARAMS="$VAULT_SSL_PARAMS --key $VAULT_CLIENT_KEY"
+fi   
+
+curl -s --header "X-Vault-Token: ${VAULT_TOKEN}" --request POST ${VAULT_SSL_PARAMS} \
+  --data '{"type": "approle"}' \
+  ${VAULT_ADDR}/v1/sys/auth/approle
+
+curl -s --header "X-Vault-Token: $VAULT_TOKEN" --request PUT ${VAULT_SSL_PARAMS} \
+  --data '{ "policy":"path \"'"${PLUGIN_MOUNT_PATH}/*"'\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"] }" }' \
+  ${VAULT_ADDR}/v1/sys/policies/acl/allow_secrets
+
+curl -s --header "X-Vault-Token: $VAULT_TOKEN" --request POST ${VAULT_SSL_PARAMS} \
+  --data '{"policies": ["allow_secrets"]}' \
+  ${VAULT_ADDR}/v1/auth/approle/role/key-manager
+
+curl -s --header "X-Vault-Token: $VAULT_TOKEN" ${VAULT_SSL_PARAMS} \
+  ${VAULT_ADDR}/v1/auth/approle/role/key-manager/role-id > role.json
+ROLE_ID=$(cat role.json | jq .data.role_id | tr -d '"')
+echo $ROLE_ID > ${ROLE_FILE_PATH}
+rm role.json
+
+curl -s --header "X-Vault-Token: $VAULT_TOKEN" --request POST ${VAULT_SSL_PARAMS} \
+  ${VAULT_ADDR}/v1/auth/approle/role/key-manager/secret-id > secret.json
+SECRET_ID=$(cat secret.json | jq .data.secret_id | tr -d '"')
+echo $SECRET_ID > ${SECRET_FILE_PATH}
+rm secret.json

deps/hashicorp/scripts/kvv2-init.sh

@@ -0,0 +1,18 @@
+VAULT_SSL_PARAMS=""
+if [ -n "$VAULT_CACERT" ]; then
+ VAULT_SSL_PARAMS="$VAULT_SSL_PARAMS --cacert $VAULT_CACERT"
+fi  
+
+if [ -n "$VAULT_CLIENT_CERT" ]; then
+ VAULT_SSL_PARAMS="$VAULT_SSL_PARAMS --cert $VAULT_CLIENT_CERT"
+fi     
+
+if [ -n "$VAULT_CLIENT_KEY" ]; then
+ VAULT_SSL_PARAMS="$VAULT_SSL_PARAMS --key $VAULT_CLIENT_KEY"
+fi  
+
+# Enable kv-v2 secret engine
+curl --header "X-Vault-Token: ${VAULT_TOKEN}" --request POST ${VAULT_SSL_PARAMS}\
+     --data '{"type": "kv-v2", "config": {"force_no_cache": true} }' \
+     ${VAULT_ADDR}/v1/sys/mounts/secret
+