Docker images (#6)

* improve dockerc-compose and init scripts

* build docker image

* include dev init script

* fix copy plugin

* moved publishing image to main

* applying review comments

.circleci/config.yml

@@ -31,6 +31,34 @@ commands:
           key: go-mod-v4-{{ checksum "go.sum" }}
           paths:
             - "/go/pkg/mod"
+  prepare_docker:
+    description: "Docker login"
+    steps:
+      - run:
+          name: Docker login
+          command: |
+            echo $DOCKER_PASS | docker login -u $DOCKER_USER --password-stdin $DOCKER_REGISTRY
+            echo $DOCKER_PASS_2 | docker login -u $DOCKER_USER_2 --password-stdin $DOCKER_REGISTRY_2
+
+  docker_build_image:
+    description: "Build Quorum Hashicorp Vault Plugin docker image"
+    steps:
+      - run:
+          name: Build Quorum Hashicorp Vault Plugin
+          command: >-
+            DOCKER_BUILDKIT=1 docker build
+            --label org.opencontainers.image.created=`date -u +"%Y-%m-%dT%H:%M:%SZ"`
+            --label org.opencontainers.image.url="https://consensys.net"
+            --label org.opencontainers.image.documentation="https://docs.quorum-key-manager.consensys.net/"
+            --label org.opencontainers.image.source="${CIRCLE_REPOSITORY_URL}"
+            --label org.opencontainers.image.version="${CIRCLE_TAG}"
+            --label org.opencontainers.image.revision="${CIRCLE_SHA1:0:7}"
+            --label org.opencontainers.image.vendor="ConsenSys Software Inc."
+            --label org.opencontainers.image.licenses="BUSL-1.1"
+            --label org.opencontainers.image.title="${CIRCLE_PROJECT_REPONAME}"
+            --label org.opencontainers.image.description="This Quorum plugin enhances Hashicorp Vault Service with cryptographic operations under Vault engine."
+            -q
+            -t quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} .
 
 jobs:
   styleCheck:
@@ -78,6 +106,46 @@ jobs:
             VERSION="${CIRCLE_TAG}"
             ghr -t ${GITHUB_TOKEN} -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -c ${CIRCLE_SHA1} -delete ${VERSION} ./artifacts/
 
+  push-dev-image:
+    docker:
+      - image: cimg/base:2020.01
+    resource_class: large
+    steps:
+      - checkout
+      - setup_remote_docker:
+          version: 19.03.13
+          docker_layer_caching: true
+      - prepare_docker
+      - docker_build_image
+      - run:
+          name: Deploy image in repository
+          command: |
+            docker tag quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} ${DOCKER_REGISTRY_DEV_REPO}/quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7}
+            docker push ${DOCKER_REGISTRY_DEV_REPO}/quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7}
+            
+            docker tag quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} ${DOCKER_REGISTRY_DEV_REPO}/quorum-hashicorp-vault-plugin:develop
+            docker push ${DOCKER_REGISTRY_DEV_REPO}/quorum-hashicorp-vault-plugin:develop
+
+  push-prod-image:
+    docker:
+      - image: cimg/base:2020.01
+    resource_class: large
+    steps:
+      - checkout
+      - setup_remote_docker:
+          version: 19.03.13
+          docker_layer_caching: true
+      - prepare_docker
+      - docker_build_image
+      - run:
+          name: Deploy image in repository
+          command: |
+            docker tag quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} ${DOCKER_REGISTRY_REPO_2}/quorum-hashicorp-vault-plugin:${CIRCLE_TAG}
+            docker push ${DOCKER_REGISTRY_REPO_2}/quorum-hashicorp-vault-plugin:${CIRCLE_TAG}
+
+            docker tag quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} ${DOCKER_REGISTRY_REPO_2}/quorum-hashicorp-vault-plugin:latest
+            docker push ${DOCKER_REGISTRY_REPO_2}/quorum-hashicorp-vault-plugin:latest
+            
 workflows:
   version: 2
   default:
@@ -100,6 +168,14 @@ workflows:
               only: /^v.*/
             branches:
               only: /.*/
+      - push-dev-image:
+          filters:
+            branches:
+              only: main
+          requires:
+            - styleCheck
+            - test
+            - build
       - publish-github-release:
           requires:
             - build
@@ -108,4 +184,11 @@ workflows:
               only: /^v.*/
             branches:
               ignore: /.*/
-
+      - push-prod-image:
+          filters:
+            tags:
+              only: /^v.*/
+            branches:
+              ignore: /.*/
+          requires:
+            - publish-github-release

.dockerignore

@@ -0,0 +1,16 @@
+# Source code
+.git
+.gitignore
+.dockerignore
+Dockerfile*
+docker-compose*
+.gitlab-ci.yml
+
+build/
+vendor/
+
+AUTHORS
+CONTRIBUTING.md
+Makefile
+README.md
+

Dockerfile

@@ -0,0 +1,40 @@
+############################
+# STEP 1 build executable plugin binary
+############################
+FROM golang:1.16-buster AS builder
+
+RUN apt-get update && \
+	apt-get install --no-install-recommends -y \
+	ca-certificates upx-ucl
+
+WORKDIR /plugin
+
+ENV GO111MODULE=on
+COPY go.mod go.sum ./
+COPY LICENSE ./
+RUN go mod download
+
+COPY . .
+
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -a -v -o quorum-hashicorp-vault-plugin
+RUN upx quorum-hashicorp-vault-plugin
+RUN sha256sum -b quorum-hashicorp-vault-plugin | cut -d' ' -f1 > SHA256SUM
+
+############################
+# STEP 2 build new vault image
+############################
+FROM library/vault:1.8.4
+
+RUN apk add --no-cache \
+    jq \
+    curl
+
+# Expose the plugin directory as a volume
+VOLUME /vault/plugins
+
+COPY --from=builder /plugin/LICENSE /
+COPY --from=builder /plugin/quorum-hashicorp-vault-plugin /vault/plugins/quorum-hashicorp-vault-plugin
+COPY --from=builder /plugin/scripts/vault-init.sh /usr/local/bin/vault-init.sh
+COPY --from=builder /plugin/scripts/vault-init-dev.sh /usr/local/bin/vault-init-dev.sh
+
+EXPOSE 8200

LICENSE

@@ -0,0 +1,95 @@
+Business Source License 1.1
+
+Parameters
+
+Licensor:             ConsenSys Software Inc.
+Licensed Work:        ConsenSys Codefi Orchestrate v21.7
+                      The Licensed Work is (c) 2021 ConsenSys Software Inc.
+Additional Use Grant: You may use the Licensed Work for production use without further license solely if you are any charitable organization, educational institution, public research organization, public safety or health organization, or an environmental protection organization.
+
+Change Date:          2024-07-01
+
+Change License:       Apache License, Version 2.0
+
+For information about alternative licensing arrangements for the Software,
+please visit: https://consensys.net/
+
+Notice
+
+The Business Source License (this document, or the “License”) is not an Open
+Source license. However, the Licensed Work will eventually be made available
+under an Open Source License, as stated in this License.
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+“Business Source License” is a trademark of MariaDB Corporation Ab.
+
+-----------------------------------------------------------------------------
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License’s text to license
+your works, and to refer to it using the trademark “Business Source License”,
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License’s text and the “Business
+Source License” name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+   or a license that is compatible with GPL Version 2.0 or a later version,
+   where “compatible” means that software provided under the Change License can
+   be included in a program with software provided under GPL Version 2.0 or a
+   later version. Licensor may specify additional Change Licenses without
+   limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+   impose any additional restriction on the right granted in this License, as
+   the Additional Use Grant; or (b) insert the text “None”.
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.

Makefile

@@ -23,11 +23,13 @@ lint-ci: ## Check linting
 	@golangci-lint run
 
 prod: gobuild
-	@docker-compose -f docker-compose.yml up --build vault-init vault
+	@docker-compose -f docker-compose.yml up --build vault
 
 dev: gobuild
-	@docker-compose -f docker-compose.yml up --build vault-dev-init vault-dev
+	@docker-compose -f docker-compose.dev.yml up --build vault
 
 down:
-	@docker-compose -f docker-compose.yml down --volumes --timeout 0
+	@docker-compose -f docker-compose.dev.yml down --volumes --timeout 0
 
+docker-build:
+	@DOCKER_BUILDKIT=1 docker build -t quorum-hashicorp-vault-plugin .

README.md

@@ -23,39 +23,54 @@ The Quorum plugin enhances Hashicorp Vault Service with cryptographic operations
 - Makefile
 - docker-compose
 
-### Development mode
+### Running local version
 
-To run our plugin in development mode you have to first build the plugin using:
+Build plugin binary
+```bash
+$> make gobuild
 ```
+
+To run our plugin in development mode you have to first build the plugin using:
+```bash
 $> make dev
 ```
 
-### Test using Curl
+### Testing
+
 Now you have your Vault running on port `:8200`. Open  a new terminal to run the following command to
 enable Orchestrate plugin:
-```
+```bash
 $> curl --header "X-Vault-Token: DevVaultToken" --request POST \
   --data '{"type": "plugin", "plugin_name": "quorum-hashicorp-vault-plugin", "config": {"force_no_cache": true, "passthrough_request_headers": ["X-Vault-Namespace"]} }' \
   ${VAULT_ADDR}/v1/sys/mounts/quorum
 ```
 
 Now you already have your Vault running with Orchestrate plugin enable. The best way to understand the new
  integrate APIs is to use the `help` feature. To list a description of all the available endpoints you can run:
-```
+```bash
 $> curl -H "X-Vault-Token: DevVaultToken" http://127.0.0.1:8200/v1/quorum?help=1
 ```
 
 alternatively you can list only `ethereum` endpoints by using:
-```
+```bash
 $> curl -H "X-Vault-Token: DevVaultToken" http://127.0.0.1:8200/v1/quorum/ethereum/accounts?help=1
 ```
 
-## Production mode
+## Running using latest version
 
-Running Quorum Hashicorp Vault Plugin plugin in production:
-```
-$> make prod
+Running Quorum Hashicorp Vault Plugin plugin:
+```bash
+$> docker-compose -f docker-compose.yml up --build vault
 ```
 
 ## Contributing
 [How to Contribute](CONTRIBUTING.md)
+
+## License
+
+Quorum Hashicorp Vault plugin is licensed under the BSL 1.1.
+
+Please refer to the [LICENSE file](LICENSE) for a detailed description of the license.
+
+Please contact [orchestrate@consensys.net](mailto:orchestrate@consensys.net) if you need to purchase a license for a production use-case.  
+

docker-compose.dev.yml

@@ -0,0 +1,39 @@
+version: "3.7"
+
+x-container-common: &container-common
+  networks:
+    - vault
+
+services:
+  vault:
+    <<: *container-common
+    image: library/vault:1.8.4
+    restart: ${CONTAINER_RESTART-on-failure}
+    tty: true
+    cap_add:
+      - IPC_LOCK
+    volumes:
+      - ./build/bin/quorum-hashicorp-vault-plugin:/vault/plugins/quorum-hashicorp-vault-plugin
+      - ./scripts/vault-init-dev.sh:/usr/local/bin/vault-init.sh
+    environment:
+      VAULT_ADDR: http://vault:8200
+      VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN-DevVaultToken}
+    entrypoint:
+      - sh
+      - -c
+      - |
+        apk add --no-cache curl
+        ( sleep 2 ; vault-init.sh ) &
+        vault server -dev -dev-plugin-dir=/vault/plugins/ -dev-listen-address="0.0.0.0:8200" -log-level=trace
+    ports:
+      - 8200:8200
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "--proxy", "off", "http://localhost:8200/v1/sys/health?standbyok=true" ]
+      interval: 10s
+      timeout: 3s
+      retries: 10
+      start_period: 5s
+
+networks:
+  vault:
+    driver: bridge