init

TelkomIndonesia · Feb 28, 2024 · a642656 · a642656
commit a642656
Show file tree

Hide file tree

Showing 8 changed files with 128 additions and 0 deletions.
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -0,0 +1,57 @@
+name: docker
+
+on:
+  push:
+    tags:
+      - "v*"
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - id: docker_meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - id: docker_build
+        name: Build and push Docker image
+        uses: docker/build-push-action@v3
+        with:
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+
+      - name: Sign image with a key
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAME,,}@${IMAGE_DIGEST} --yes
+        env:
+          IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          IMAGE_DIGEST: ${{ steps.docker_build.outputs.digest }}
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,7 @@
+FROM timberio/vector:0.36.0-debian
+
+ENV VAULT_ADDR= 
+ENV VAULT_UNSEAL_KEY= 
+ENV VAULT_SEAL_STATUS_CHECK_INTERVAL=
+
+COPY ./vector.yaml /etc/vector/vector.yaml
diff --git a/README.md b/README.md
@@ -0,0 +1,12 @@
+# Vector Vault Unseal
+
+A simple service to regularly check vault seal status and unseal using supplied key.
+
+## Run
+
+```bash
+docker run \
+    -e VAULT_ADDR=https://vault.example.com \
+    -e VAULT_UNSEAL_KEY=one-of-the-shamir-key \
+    ghcr.io/telkomindonesia/vector-vault-unseal
+```
diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7Q2d/GwkTU2+FnsyxzhqNL+YYxyf
+BwIYL8/chvVsgJFnd32TNrw0hlG5LYLgBLfA/3YBTAJJK2JZubu+YlBy7Q==
+-----END PUBLIC KEY-----
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
@@ -0,0 +1,4 @@
+services:
+  vector: 
+    volumes:
+      - ./vector.yaml:/etc/vector/vector.yaml:ro
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,8 @@
+services:
+  vector: 
+    build: .
+    restart: unless-stopped
+    environment:
+      VAULT_ADDR:
+      VAULT_UNSEAL_KEY:
+      VAULT_SEAL_STATUS_CHECK_INTERVAL:
diff --git a/vector.yaml b/vector.yaml
@@ -0,0 +1,35 @@
+sources:
+  vault_seal_status:
+    type: http_client
+    endpoint: ${VAULT_ADDR}/v1/sys/seal-status
+    scrape_interval_secs: ${VAULT_SEAL_STATUS_CHECK_INTERVAL:-5}
+    decoding:
+      codec: json
+
+transforms:
+  vault_seal_status_route:
+    type: route
+    inputs:
+      - vault_seal_status
+    route:
+      sealed: ".sealed == true"
+
+  vault_unseal_payload:
+    type: remap
+    inputs:
+      - vault_seal_status_route.sealed
+    source: |
+      . = { "key" : "${VAULT_UNSEAL_KEY}" }
+
+sinks:
+  vault_unseal:
+    type: http
+    inputs:
+      - vault_unseal_payload
+    uri: ${VAULT_ADDR}/v1/sys/unseal
+    batch:
+      max_events: 1
+    encoding:
+      codec: json
+    framing:
+      method: bytes