Vault Server Image

The image is available on cgr.dev:

docker pull cgr.dev/chainguard/vault:latest
The Chainguard Vault image contains the Vault server binary and supporting config. The image is intended to be a drop-in replacement for the upstream hashicorp/vault or vault images and compatible with the Hashicorp Helm chart.
The default entrypoint starts a single-node instance of the server in development mode, for testing and development only. Note that the container should be given the IPC_LOCK capability.
You can start the container with:
$ docker run --cap-add IPC_LOCK cgr.dev/chainguard/vault
==> Vault server configuration:

             Api Address: http://0.0.0.0:8200
                     Cgo: disabled
         Cluster Address: https://0.0.0.0:8201
   Environment Variables: GODEBUG, HOME, HOSTNAME, PATH, PWD, SHLVL, SSL_CERT_FILE
              Go Version: go1.20.4
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level:
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.13.2

==> Vault server started! Log data will stream in below:
...
To configure Vault for production or other environments, supply a configuration file in the /etc/vault directory, e.g.:

$ docker run -v $PWD/vault.hcl:/etc/vault/vault.hcl cgr.dev/chainguard/vault server
You can also supply config via the VAULT_LOCAL_CONFIG environment variable, e.g.:

$ docker run --cap-add=IPC_LOCK \
    -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/var/lib/vault"}}, "listener": [{"tcp": {"address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' \
    -p 8200:8200 cgr.dev/chainguard/vault server
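The VAULT_LOCAL_CONFIG example above disables TLS on the listener, which is fine for a local test but not for a production deployment. The following added example (written for this page, not Chainguard's or HashiCorp's own code) renders a vault.hcl that keeps the file backend on /var/lib/vault, the path this image expects, and leaves TLS enabled, then shows how it would be mounted into /etc/vault. The certificate and key locations under /etc/vault/tls/, the vault-data volume name and the host tls directory are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example, not part of the Chainguard docs or the Vault project.
# Renders a production-style vault.hcl and shows how to mount it into
# /etc/vault with the IPC_LOCK capability granted so mlock can work.
# Assumptions: TLS material is mounted at /etc/vault/tls/ inside the
# container; the host "tls" directory and "vault-data" volume are placeholders.
set -eu

# Write the config file to the path given as $1.
write_vault_config() {
  cat > "$1" <<'EOF'
ui = true

# File storage must point at /var/lib/vault in this image.
storage "file" {
  path = "/var/lib/vault"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  # Keep TLS on; the dev-mode banner on this page shows tls: "disabled".
  tls_disable   = false
  tls_cert_file = "/etc/vault/tls/vault.crt"   # assumed mount path
  tls_key_file  = "/etc/vault/tls/vault.key"   # assumed mount path
}

api_addr          = "https://127.0.0.1:8200"
default_lease_ttl = "168h"
max_lease_ttl     = "720h"
EOF
}

# Return 0 only if the rendered config still has TLS enabled and stores
# data under the path this image expects; use it as a pre-deploy gate.
config_is_hardened() {
  grep -q 'tls_disable *= *false' "$1" &&
  grep -q 'path *= *"/var/lib/vault"' "$1"
}

# Start the server with the config mounted read-only. Only runs when the
# script is invoked as "./run-vault.sh run", so sourcing it has no side effects.
run_vault() {
  docker run --cap-add IPC_LOCK \
    -v "$1:/etc/vault/vault.hcl:ro" \
    -v "$PWD/tls:/etc/vault/tls:ro" \
    -v vault-data:/var/lib/vault \
    -p 8200:8200 \
    cgr.dev/chainguard/vault server
}

if [ "${1:-}" = "run" ]; then
  write_vault_config "$PWD/vault.hcl"
  config_is_hardened "$PWD/vault.hcl"
  run_vault "$PWD/vault.hcl"
fi
```

The config_is_hardened gate is deliberately simple: it checks the two settings that the page's own examples get wrong for production (plaintext listener, data path) before the container is ever started.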
This image and the vault-k8s image can be used with the Hashicorp Helm chart. To replace the official images with the Chainguard images, provide the chart with the following values:

injector:
  image:
    repository: "cgr.dev/chainguard/vault-k8s"
    tag: "latest"
  agentImage:
    repository: "cgr.dev/chainguard/vault"
    tag: "latest"
server:
  image:
    repository: "cgr.dev/chainguard/vault"
    tag: "latest"
Assuming these values are saved in cgr_values.yaml, you should be able to run:

$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm install vault hashicorp/vault --values cgr_values.yaml
If you run the container without the IPC_LOCK capability, you will get the following warning:

Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK
==> Vault server configuration:
...
IPC_LOCK is required for the memory lock (mlock) feature, which prevents memory – possibly containing sensitive information – from being swapped to disk. For a full explanation of how it works, refer to the Vault documentation.

The warning can be easily fixed by running:
$ docker run --cap-add IPC_LOCK cgr.dev/chainguard/vault
Or by using the following securityContext in Kubernetes:

securityContext:
  runAsNonRoot: true
  runAsUser: 65532
  capabilities:
    add: ["IPC_LOCK"]
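Because a missing IPC_LOCK only produces a warning and the server still starts, it is easy to run in a degraded state without noticing. The added example below (not from the Chainguard docs or the Vault project) reads the startup banner Vault prints and counts the weak states a practitioner would want to catch: the IPC_LOCK warning, mlock reported as disabled, and a listener with TLS disabled. The two banners are constructed from the output format shown on this page; note that the dev-mode banner on this page also legitimately reports "enabled: false" for mlock, so this is a check for production-style runs, e.g. piped from docker logs or kubectl logs.

```shell
#!/bin/sh
# Added example, not part of the Chainguard docs or the Vault project.
# Scans a Vault startup banner (stdin) for states that weaken the deployment.
# The sample banners are constructed from the format shown on this page.
set -eu

# Banner from a run that lacked IPC_LOCK and used a plaintext listener.
sample_no_ipc_lock() {
  cat <<'EOF'
Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK
==> Vault server configuration:
             Api Address: http://0.0.0.0:8200
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
                   Mlock: supported: true, enabled: false
                 Storage: inmem
EOF
}

# Banner from a run that had IPC_LOCK and a TLS listener (constructed).
sample_hardened() {
  cat <<'EOF'
==> Vault server configuration:
             Api Address: https://0.0.0.0:8200
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
                   Mlock: supported: true, enabled: true
                 Storage: file
EOF
}

# Read a banner on stdin, write one FINDING line per problem to stderr and
# print the number of findings on stdout (0 means all checks passed).
count_banner_findings() {
  banner=$(cat)
  findings=0
  if printf '%s\n' "$banner" | grep -q 'Disabling IPC_LOCK'; then
    echo "FINDING: container started without IPC_LOCK; mlock cannot protect memory" >&2
    findings=$((findings + 1))
  fi
  if printf '%s\n' "$banner" | grep -q 'Mlock: supported: true, enabled: false'; then
    echo "FINDING: mlock is supported but disabled; secrets may be swapped to disk" >&2
    findings=$((findings + 1))
  fi
  if printf '%s\n' "$banner" | grep -q 'tls: "disabled"'; then
    echo "FINDING: listener has TLS disabled; tokens travel in clear text" >&2
    findings=$((findings + 1))
  fi
  printf '%s\n' "$findings"
}

# Demonstration on the constructed banners; in practice pipe real output, e.g.
#   docker logs <container> 2>&1 | count_banner_findings
echo "findings without IPC_LOCK: $(sample_no_ipc_lock | count_banner_findings)"
echo "findings for hardened run: $(sample_hardened | count_banner_findings)"
```

The three patterns are taken verbatim from the banner lines this page shows, so the check stays valid as long as Vault keeps that banner format; treat any non-zero count from a production container as a deployment bug rather than a cosmetic warning.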
The image starts as root and switches to the lower-privileged vault user in the entrypoint script.
This image is not identical to the hashicorp/vault image. In particular, it differs in the following paths:

- /var/lib/vault
- /var/log/vault
- /usr/bin
This image supports the same environment variables as the hashicorp/vault image.
If using the file data storage plugin, configure it to write to /var/lib/vault.

By default, logs are streamed to stdout and stderr, but Vault can be configured to write them to /var/log/vault.