diff --git a/Makefile b/Makefile index 8ffed80..aa1f1d7 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ arch ?= $(arch_tag) BAO_VERSION ?= 2.0.0-alpha20240329 BAO_GPGKEY ?= "" #C874011F0AB405110D02105534365D9472D7468F -BAO_PLUGIN_HASH := "" +VAULT_PLUGIN_HASH := "" EXECUTABLE := hznbaoauth DOCKER_INAME ?= openhorizon/$(arch)_bao @@ -42,10 +42,10 @@ $(EXECUTABLE): $(shell find . -name '*.go') @echo "Producing $(EXECUTABLE) for arch: amd64" $(COMPILE_ARGS) go build -o ./docker/bin/$(EXECUTABLE) -bao-image: OPENBAO_PLUGIN_HASH=$(shell shasum -a 256 ./docker/bin/$(EXECUTABLE) | awk '{ print $$1 }') +bao-image: VAULT_PLUGIN_HASH=$(shell shasum -a 256 ./docker/bin/$(EXECUTABLE) | awk '{ print $$1 }') bao-image: - @echo "Handling $(DOCKER_INAME):$(VERSION) with hash $(OPENBAO_PLUGIN_HASH)" + @echo "Handling $(DOCKER_INAME):$(VERSION) with hash $(VAULT_PLUGIN_HASH)" if [ -n "$(shell docker images | grep '$(DOCKER_INAME):$(VERSION)')" ]; then \ echo "Skipping since $(DOCKER_INAME):$(VERSION) image exists, run 'make clean && make' if a rebuild is desired"; \ elif [[ $(arch) == "amd64" ]]; then \ diff --git a/docker/Dockerfile.ubi.amd64 b/docker/Dockerfile.ubi.amd64 index db4b9a1..a46f500 100644 --- a/docker/Dockerfile.ubi.amd64 +++ b/docker/Dockerfile.ubi.amd64 @@ -12,7 +12,7 @@ COPY LICENSE.txt /licenses ARG BAO_VERSION ARG BAO_GPGKEY ARG ARCH -ARG BAO_PLUGIN_HASH +ARG VAULT_PLUGIN_HASH # Create a bao user and group first so the IDs get set the same way. 
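Review bot: In the Makefile hunk at `@@ -42,10 +42,10 @@`, `VAULT_PLUGIN_HASH` is taken from `shasum` of `./docker/bin/$(EXECUTABLE)` with nothing checking that the file exists or that the result is non-empty, and the `bao-image:` rule line shown lists no prerequisites. If the binary is missing, `shasum` fails, `awk` prints nothing and the recipe carries on with an empty plugin checksum, which defeats the integrity pin the hash is presumably there to provide. I would add a guard as the first recipe line, `@test -n "$(VAULT_PLUGIN_HASH)" || { echo "plugin hash is empty" >&2; exit 1; }`, and make the binary a prerequisite of `bao-image` unless that is already declared outside the hunk. The recipe continues past the end of the hunk, so how the hash reaches `docker build` is not visible here.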
@@ -48,22 +48,22 @@ RUN set -eux; \ # rm -rf /root/.gnupg && \ microdnf clean all -# /bao/logs is made available to use as a location to store audit logs -# /bao/file is made available to use as a location with the file storage backend -# the server will be started with /bao/config as the configuration directory so you can add additional config files in that location. +# /vault/logs is made available to use as a location to store audit logs +# /vault/file is made available to use as a location with the file storage backend +# the server will be started with /vault/config as the configuration directory so you can add additional config files in that location. RUN useradd -r -u 1000 -g root bao \ && mkdir /home/bao \ && chown -R bao:root /home/bao -ENV BAO_PLUGIN_HASH ${BAO_PLUGIN_HASH} +ENV VAULT_PLUGIN_HASH ${VAULT_PLUGIN_HASH} ENV HOME /home/bao -ENV BAO_PLUGIN_AUTOMTLS_ENABLED false -RUN mkdir -p /bao/logs && \ - mkdir -p /bao/file && \ - mkdir -p /bao/config && \ - mkdir -p /bao/plugins && \ +ENV VAULT_PLUGIN_AUTOMTLS_ENABLED false +RUN mkdir -p /vault/logs && \ + mkdir -p /vault/file && \ + mkdir -p /vault/config && \ + mkdir -p /vault/plugins && \ mkdir -p /openhorizon/policy && \ - chown -R bao:root /bao && chown -R bao:root $HOME && chown -R bao:root /openhorizon && \ + chown -R bao:root /vault && chown -R bao:root $HOME && chown -R bao:root /openhorizon && \ chgrp -R 0 $HOME && chmod -R g+rwX $HOME && \ chgrp -R 0 /bao && chmod -R g+rwX /bao && \ chgrp -R 0 /openhorizon && chmod -R g+rwX /openhorizon @@ -71,11 +71,11 @@ RUN mkdir -p /bao/logs && \ # Expose the logs directory as a volume since there's potentially long-running # state in there -VOLUME /bao/logs +VOLUME /vault/logs # Expose the file directory as a volume since there's potentially long-running # state in there -VOLUME /bao/file +VOLUME /vault/file # 8200/tcp is the primary interface that applications use to interact with # Bao. 
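Review bot: In docker/Dockerfile.ubi.amd64 at `@@ -48,22 +48,22 @@`, the `chgrp -R 0 /bao && chmod -R g+rwX /bao` line was left unchanged while every `mkdir` and the `chown` moved to `/vault`. Unless `/bao` is still created earlier in the file, outside the hunk, `chgrp` fails on the missing path and the `&&` chain aborts the build; if it does exist, `/vault` never receives the group-0 permissions the other directories get. The line should follow the rename: `chgrp -R 0 /vault && chmod -R g+rwX /vault && \`. Since that makes `/vault/plugins` group-writable along with the rest, it is worth confirming that this is intended for the directory the plugin binary is loaded from.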
@@ -100,11 +100,11 @@ RUN chmod +x /usr/local/bin/entrypoint.sh && \ # ENTRYPOINT ["entrypoint.sh"] -COPY bin/hznbaoauth /bao/plugins/hznbaoauth -COPY config/config.hcl /bao/config/config.hcl +COPY bin/hznbaoauth /vault/plugins/hznbaoauth +COPY config/config.hcl /vault/config/config.hcl COPY policy/agbot.acl.policy.hcl /openhorizon/policy/agbot.acl.policy.hcl -RUN chmod +x /bao/plugins/hznbaoauth +RUN chmod +x /vault/plugins/hznbaoauth USER bao diff --git a/docker/scripts/entrypoint.sh b/docker/scripts/entrypoint.sh index bc35aaf..eb507c0 100755 --- a/docker/scripts/entrypoint.sh +++ b/docker/scripts/entrypoint.sh @@ -23,7 +23,7 @@ get_addr () { exit}' } -if [ -z "$BAO_DEV_LISTEN_ADDRESS" ]; then +if [ -z "$VAULT_DEV_LISTEN_ADDRESS" ]; then auto-unseal.sh & fi @@ -38,13 +38,13 @@ fi # BAO_CONFIG_DIR isn't exposed as a volume but you can compose additional # config files in there if you use this image as a base, or use -# BAO_LOCAL_CONFIG below. -BAO_CONFIG_DIR=/bao/config +# VAULT_LOCAL_CONFIG below. +VAULT_CONFIG_DIR=/vault/config -# You can also set the BAO_LOCAL_CONFIG environment variable to pass some +# You can also set the VAULT_LOCAL_CONFIG environment variable to pass some # Bao configuration JSON without having to bind any volumes. -if [ -n "$BAO_LOCAL_CONFIG" ]; then - echo "$BAO_LOCAL_CONFIG" > "$BAO_CONFIG_DIR/local.json" +if [ -n "$VAULT_CONFIG_DIR" ]; then + echo "$VAULT_CONFIG_DIR" > "$VAULT_CONFIG_DIR/local.json" fi # If the user is trying to run Bao directly with some arguments, then @@ -57,9 +57,9 @@ fi if [ "$1" = 'server' ]; then shift set -- bao server \ - -config="$BAO_CONFIG_DIR" \ + -config="$VAULT_CONFIG_DIR" \ -dev-root-token-id="$BAO_DEV_ROOT_TOKEN_ID" \ - -dev-listen-address="${BAO_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \ + -dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \ "$@" elif [ "$1" = 'version' ]; then # This needs a special case because there's no help output.
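Review bot: In docker/scripts/entrypoint.sh at `@@ -38,13 +38,13 @@`, the rename replaced `BAO_LOCAL_CONFIG` with `VAULT_CONFIG_DIR` instead of `VAULT_LOCAL_CONFIG`, in both the test and the `echo`. `VAULT_CONFIG_DIR` is assigned a few lines above in the same hunk, so the branch now always runs and writes the literal path `/vault/config` into `local.json`, while any JSON passed in `VAULT_LOCAL_CONFIG` is silently ignored. A non-JSON file in the config directory is also likely to stop the server from loading its configuration. The lines should read `if [ -n "$VAULT_LOCAL_CONFIG" ]; then` and `echo "$VAULT_LOCAL_CONFIG" > "$VAULT_CONFIG_DIR/local.json"`. The comment above still says `BAO_CONFIG_DIR` and should become `VAULT_CONFIG_DIR` in the same pass.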
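Review bot: In docker/scripts/entrypoint.sh at `@@ -57,9 +57,9 @@`, `-dev-root-token-id` still reads `$BAO_DEV_ROOT_TOKEN_ID` while the two flags around it now read `VAULT_`-prefixed variables, so the script ends up with a mixed naming scheme. The same rename at `@@ -23,7 +23,7 @@` means a deployment that still exports `BAO_DEV_LISTEN_ADDRESS` will now start `auto-unseal.sh` and fall back to the `0.0.0.0:8200` default without any warning. Either rename the token variable too (`-dev-root-token-id="$VAULT_DEV_ROOT_TOKEN_ID" \`) or add a comment near the top of the script listing which variables the entrypoint honours, for example `# Reads VAULT_DEV_LISTEN_ADDRESS, VAULT_LOCAL_CONFIG and BAO_DEV_ROOT_TOKEN_ID`. The `if`/`elif` chain continues outside the hunk.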