v1.14.6/Dockerfile - hashicorp/vault - Git at Google

 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0

 ## DOCKERHUB DOCKERFILE ##
 FROM alpine:3.18 as default

 ARG BIN_NAME
 # NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
 # and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3.
 ARG NAME=vault
 ARG PRODUCT_VERSION
 ARG PRODUCT_REVISION
 # TARGETARCH and TARGETOS are set automatically when --platform is provided.
 ARG TARGETOS TARGETARCH

 # Additional metadata labels used by container registries, platforms
 # and certification scanners.
 LABEL name="Vault" \
       maintainer="Vault Team <vault@hashicorp.com>" \
       vendor="HashiCorp" \
       version=${PRODUCT_VERSION} \
       release=${PRODUCT_REVISION} \
       revision=${PRODUCT_REVISION} \
       summary="Vault is a tool for securely accessing secrets." \
       description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."

 COPY LICENSE /licenses/mozilla.txt

 # Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
 ENV NAME=$NAME
 ENV VERSION=$VERSION

 # Create a non-root user to run the software.
 RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME}

 RUN apk add --no-cache libcap su-exec dumb-init tzdata

 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/

 # /vault/logs is made available to use as a location to store audit logs, if
 # desired; /vault/file is made available to use as a location with the file
 # storage backend, if desired; the server will be started with /vault/config as
 # the configuration directory so you can add additional config files in that
 # location.
 RUN mkdir -p /vault/logs && \
     mkdir -p /vault/file && \
     mkdir -p /vault/config && \
     chown -R ${NAME}:${NAME} /vault

 # Expose the logs directory as a volume since there's potentially long-running
 # state in there
 VOLUME /vault/logs

 # Expose the file directory as a volume since there's potentially long-running
 # state in there
 VOLUME /vault/file

 # 8200/tcp is the primary interface that applications use to interact with
 # Vault.
 EXPOSE 8200

 # The entry point script uses dumb-init as the top-level process to reap any
 # zombie processes created by Vault sub-processes.
 #
 # For production derivatives of this container, you shoud add the IPC_LOCK
 # capability so that Vault can mlock memory.
 COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 ENTRYPOINT ["docker-entrypoint.sh"]


 # # By default you'll get a single-node development server that stores everything
 # # in RAM and bootstraps itself. Don't use this configuration for production.
 CMD ["server", "-dev"]


 ## UBI DOCKERFILE ##
 FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as ubi

 ARG BIN_NAME
 # PRODUCT_VERSION is the version built dist/$TARGETOS/$TARGETARCH/$BIN_NAME,
 # which we COPY in later. Example: PRODUCT_VERSION=1.2.3.
 ARG PRODUCT_VERSION
 ARG PRODUCT_REVISION
 # TARGETARCH and TARGETOS are set automatically when --platform is provided.
 ARG TARGETOS TARGETARCH

 # Additional metadata labels used by container registries, platforms
 # and certification scanners.
 LABEL name="Vault" \
       maintainer="Vault Team <vault@hashicorp.com>" \
       vendor="HashiCorp" \
       version=${PRODUCT_VERSION} \
       release=${PRODUCT_REVISION} \
       revision=${PRODUCT_REVISION} \
       summary="Vault is a tool for securely accessing secrets." \
       description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."

 COPY LICENSE /licenses/mozilla.txt

 # Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
 ENV NAME=$NAME
 ENV VERSION=$VERSION

 # Set up certificates, our base tools, and Vault. Unlike the other version of
 # this (https://github.com/hashicorp/docker-vault/blob/master/ubi/Dockerfile),
 # we copy in the Vault binary from CRT.
 RUN set -eux; \
     microdnf install -y ca-certificates gnupg openssl libcap tzdata procps shadow-utils util-linux

 # Create a non-root user to run the software.
 RUN groupadd --gid 1000 vault && \
     adduser --uid 100 --system -g vault vault && \
     usermod -a -G root vault

 # Copy in the new Vault from CRT pipeline, rather than fetching it from our
 # public releases.
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/

 # /vault/logs is made available to use as a location to store audit logs, if
 # desired; /vault/file is made available to use as a location with the file
 # storage backend, if desired; the server will be started with /vault/config as
 # the configuration directory so you can add additional config files in that
 # location.
 ENV HOME /home/vault
 RUN mkdir -p /vault/logs && \
     mkdir -p /vault/file && \
     mkdir -p /vault/config && \
     mkdir -p $HOME && \
     chown -R vault /vault && chown -R vault $HOME && \
     chgrp -R 0 $HOME && chmod -R g+rwX $HOME && \
     chgrp -R 0 /vault && chmod -R g+rwX /vault

 # Expose the logs directory as a volume since there's potentially long-running
 # state in there
 VOLUME /vault/logs

 # Expose the file directory as a volume since there's potentially long-running
 # state in there
 VOLUME /vault/file

 # 8200/tcp is the primary interface that applications use to interact with
 # Vault.
 EXPOSE 8200

 # The entry point script uses dumb-init as the top-level process to reap any
 # zombie processes created by Vault sub-processes.
 #
 # For production derivatives of this container, you shoud add the IPC_LOCK
 # capability so that Vault can mlock memory.
 COPY .release/docker/ubi-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 ENTRYPOINT ["docker-entrypoint.sh"]

 # Use the Vault user as the default user for starting this container.
 USER vault

 # # By default you'll get a single-node development server that stores everything
 # # in RAM and bootstraps itself. Don't use this configuration for production.
 CMD ["server", "-dev"]
	# Copyright (c) HashiCorp, Inc.
	# SPDX-License-Identifier: MPL-2.0

	## DOCKERHUB DOCKERFILE ##
	FROM alpine:3.18 as default

	ARG BIN_NAME
	# NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
	# and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3.
	ARG NAME=vault
	ARG PRODUCT_VERSION
	ARG PRODUCT_REVISION
	# TARGETARCH and TARGETOS are set automatically when --platform is provided.
	ARG TARGETOS TARGETARCH

	# Additional metadata labels used by container registries, platforms
	# and certification scanners.
	LABEL name="Vault" \
	maintainer="Vault Team <vault@hashicorp.com>" \
	vendor="HashiCorp" \
	version=${PRODUCT_VERSION} \
	release=${PRODUCT_REVISION} \
	revision=${PRODUCT_REVISION} \
	summary="Vault is a tool for securely accessing secrets." \
	description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."

	COPY LICENSE /licenses/mozilla.txt

	# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
	ENV NAME=$NAME
	ENV VERSION=$VERSION

	# Create a non-root user to run the software.
	RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME}

	RUN apk add --no-cache libcap su-exec dumb-init tzdata

	COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/

	# /vault/logs is made available to use as a location to store audit logs, if
	# desired; /vault/file is made available to use as a location with the file
	# storage backend, if desired; the server will be started with /vault/config as
	# the configuration directory so you can add additional config files in that
	# location.
	RUN mkdir -p /vault/logs && \
	mkdir -p /vault/file && \
	mkdir -p /vault/config && \
	chown -R ${NAME}:${NAME} /vault

	# Expose the logs directory as a volume since there's potentially long-running
	# state in there
	VOLUME /vault/logs

	# Expose the file directory as a volume since there's potentially long-running
	# state in there
	VOLUME /vault/file

	# 8200/tcp is the primary interface that applications use to interact with
	# Vault.
	EXPOSE 8200

	# The entry point script uses dumb-init as the top-level process to reap any
	# zombie processes created by Vault sub-processes.
	#
	# For production derivatives of this container, you shoud add the IPC_LOCK
	# capability so that Vault can mlock memory.
	COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
	ENTRYPOINT ["docker-entrypoint.sh"]


	# # By default you'll get a single-node development server that stores everything
	# # in RAM and bootstraps itself. Don't use this configuration for production.
	CMD ["server", "-dev"]


	## UBI DOCKERFILE ##
	FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as ubi

	ARG BIN_NAME
	# PRODUCT_VERSION is the version built dist/$TARGETOS/$TARGETARCH/$BIN_NAME,
	# which we COPY in later. Example: PRODUCT_VERSION=1.2.3.
	ARG PRODUCT_VERSION
	ARG PRODUCT_REVISION
	# TARGETARCH and TARGETOS are set automatically when --platform is provided.
	ARG TARGETOS TARGETARCH

	# Additional metadata labels used by container registries, platforms
	# and certification scanners.
	LABEL name="Vault" \
	maintainer="Vault Team <vault@hashicorp.com>" \
	vendor="HashiCorp" \
	version=${PRODUCT_VERSION} \
	release=${PRODUCT_REVISION} \
	revision=${PRODUCT_REVISION} \
	summary="Vault is a tool for securely accessing secrets." \
	description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."

	COPY LICENSE /licenses/mozilla.txt

	# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
	ENV NAME=$NAME
	ENV VERSION=$VERSION

	# Set up certificates, our base tools, and Vault. Unlike the other version of
	# this (https://github.com/hashicorp/docker-vault/blob/master/ubi/Dockerfile),
	# we copy in the Vault binary from CRT.
	RUN set -eux; \
	microdnf install -y ca-certificates gnupg openssl libcap tzdata procps shadow-utils util-linux

	# Create a non-root user to run the software.
	RUN groupadd --gid 1000 vault && \
	adduser --uid 100 --system -g vault vault && \
	usermod -a -G root vault

	# Copy in the new Vault from CRT pipeline, rather than fetching it from our
	# public releases.
	COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/

	# /vault/logs is made available to use as a location to store audit logs, if
	# desired; /vault/file is made available to use as a location with the file
	# storage backend, if desired; the server will be started with /vault/config as
	# the configuration directory so you can add additional config files in that
	# location.
	ENV HOME /home/vault
	RUN mkdir -p /vault/logs && \
	mkdir -p /vault/file && \
	mkdir -p /vault/config && \
	mkdir -p $HOME && \
	chown -R vault /vault && chown -R vault $HOME && \
	chgrp -R 0 $HOME && chmod -R g+rwX $HOME && \
	chgrp -R 0 /vault && chmod -R g+rwX /vault

	# Expose the logs directory as a volume since there's potentially long-running
	# state in there
	VOLUME /vault/logs

	# Expose the file directory as a volume since there's potentially long-running
	# state in there
	VOLUME /vault/file

	# 8200/tcp is the primary interface that applications use to interact with
	# Vault.
	EXPOSE 8200

	# The entry point script uses dumb-init as the top-level process to reap any
	# zombie processes created by Vault sub-processes.
	#
	# For production derivatives of this container, you shoud add the IPC_LOCK
	# capability so that Vault can mlock memory.
	COPY .release/docker/ubi-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
	ENTRYPOINT ["docker-entrypoint.sh"]

	# Use the Vault user as the default user for starting this container.
	USER vault

	# # By default you'll get a single-node development server that stores everything
	# # in RAM and bootstraps itself. Don't use this configuration for production.
	CMD ["server", "-dev"]