Showing
33 changed files
with
2,406 additions
and
1,561 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
PORT=3001 | ||
DATABASE_HOST=localhost | ||
DATABASE_PORT=3306 | ||
DATABASE_USER=mcm | ||
DATABASE_PASSWORD=mcm | ||
DATABASE_SCHEMA=mcm | ||
VAULT_ENDPOINT=http://localhost:8233 | ||
VAULT_AUTH_METHOD=APP_ROLE | ||
VAULT_ROLE_ID_FILE=./docker/vault/tmp/role-id | ||
VAULT_ROLE_SECRET_ID_FILE=./docker/vault/tmp/secret-id | ||
VAULT_PKI_CLIENT_ROLE=example.com | ||
VAULT_PKI_SERVER_ROLE=example.com |
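Review bot: DATABASE_PASSWORD=mcm and the Vault AppRole file paths are committed in a live `.env` rather than a template, so anyone who later edits these values locally risks committing real credentials. Nothing in the file says the values are local-only; suggest committing it as `.env.example` with a header such as `# local docker-compose defaults only; copy to .env and never commit real credentials` and adding `.env` to `.gitignore`. VAULT_ROLE_ID_FILE and VAULT_ROLE_SECRET_ID_FILE point at ./docker/vault/tmp, which the compose file in this commit bind-mounts and the Vault entrypoint rewrites on every start, so those files are regenerated rather than stable and should not be checked in.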
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,5 @@ | ||
## Add a comment indicating the reason for each rejected dependency upgrade added to this list, and what should be done to resolve it (i.e. handle it through a story, etc). | ||
reject: [ | ||
"chai", # Chai v.5 now only supports EcmaScript Modules (ESM) - no require('chi') | ||
"eslint", # Upgrade is breaking due to peer dependencies | ||
] |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
lts/* | ||
20.15.1 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
FROM node:16-buster | ||
FROM node:20-buster | ||
|
||
# APP | ||
WORKDIR /usr/src/app | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
version: '3' | ||
services: | ||
|
||
connection-manager-db: | ||
image: mysql/mysql-server | ||
ports: | ||
- "3306:3306" | ||
volumes: | ||
- ./docker/sql-init/:/docker-entrypoint-initdb.d/ | ||
environment: | ||
- MYSQL_USER=${DBUSER:-mcm} | ||
- MYSQL_PASSWORD=${DBPASS:-mcm} | ||
- MYSQL_DATABASE=${DBUSER:-mcm} | ||
- MYSQL_ALLOW_EMPTY_PASSWORD=true | ||
healthcheck: | ||
test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"] | ||
timeout: 20s | ||
retries: 10 | ||
start_period: 40s | ||
interval: 30s | ||
|
||
vault-dev: | ||
image: vault:1.2.1 | ||
restart: always | ||
environment: | ||
VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8233 | ||
VAULT_ADDR: http://127.0.0.1:8233 | ||
VAULT_DEV_ROOT_TOKEN_ID: "myroot" | ||
VAULT_LOCAL_CONFIG: '{"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' | ||
ports: | ||
- "8233:8233" | ||
volumes: | ||
- ./docker/vault/tmp:/vault/tmp | ||
- ./docker/vault/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh | ||
cap_add: | ||
- IPC_LOCK | ||
healthcheck: | ||
test: ["CMD-SHELL", "test -f /tmp/service_started"] | ||
timeout: 1s | ||
retries: 20 | ||
|
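Review bot: MYSQL_ALLOW_EMPTY_PASSWORD=true under connection-manager-db lets the MySQL root account be reached with no password, and the `ports` entry publishes 3306 on every host interface, as the vault-dev entry does for 8233 with a fixed root token `myroot`. For a local fixture the exposure can be narrowed without changing the developer workflow: `- "127.0.0.1:3306:3306"` and `- "127.0.0.1:8233:8233"`, and either set MYSQL_ROOT_PASSWORD or drop the empty-password flag. MYSQL_DATABASE=${DBUSER:-mcm} reuses the user variable for the database name; that may be intended since both default to mcm, but a separate variable would make the intent clear. The vault image is pinned to 1.2.1, which is several years old; acceptable for a dev dependency, but a comment stating why that version is needed would save the next reader from bumping it blindly.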
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
ALTER USER 'central_ledger'@'%' identified WITH mysql_native_password by 'password'; | ||
FLUSH PRIVILEGES; |
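Review bot: The ALTER USER targets 'central_ledger'@'%', but the compose file in this commit creates MYSQL_USER=mcm, so unless another init script not shown here creates central_ledger first, MySQL's init run will fail on this statement and the container will not finish initialising. If the intent is to force the native-password plugin for the application user, the statement should name that user with a password kept in sync with MYSQL_PASSWORD from the compose file, e.g. `ALTER USER 'mcm'@'%' IDENTIFIED WITH mysql_native_password BY 'mcm';` for the shipped defaults. A one-line comment at the top stating which client needs mysql_native_password would also help the next reader.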
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,164 @@ | ||
#!/usr/bin/dumb-init /bin/sh | ||
set -e | ||
|
||
# Note above that we run dumb-init as PID 1 in order to reap zombie processes | ||
# as well as forward signals to all processes in its session. Normally, sh | ||
# wouldn't do either of these functions so we'd leak zombies as well as do | ||
# unclean termination of all our sub-processes. | ||
|
||
# Prevent core dumps | ||
ulimit -c 0 | ||
|
||
# Allow setting VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR using an interface | ||
# name instead of an IP address. The interface name is specified using | ||
# VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If | ||
# VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port | ||
# number with the IP of the named interface. | ||
get_addr () { | ||
local if_name=$1 | ||
local uri_template=$2 | ||
ip addr show dev $if_name | awk -v uri=$uri_template '/\s*inet\s/ { \ | ||
ip=gensub(/(.+)\/.+/, "\\1", "g", $2); \ | ||
print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri); \ | ||
exit}' | ||
} | ||
|
||
if [ -n "$VAULT_REDIRECT_INTERFACE" ]; then | ||
export VAULT_REDIRECT_ADDR=$(get_addr $VAULT_REDIRECT_INTERFACE ${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"}) | ||
echo "Using $VAULT_REDIRECT_INTERFACE for VAULT_REDIRECT_ADDR: $VAULT_REDIRECT_ADDR" | ||
fi | ||
if [ -n "$VAULT_CLUSTER_INTERFACE" ]; then | ||
export VAULT_CLUSTER_ADDR=$(get_addr $VAULT_CLUSTER_INTERFACE ${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"}) | ||
echo "Using $VAULT_CLUSTER_INTERFACE for VAULT_CLUSTER_ADDR: $VAULT_CLUSTER_ADDR" | ||
fi | ||
|
||
rm -f /tmp/service_started | ||
|
||
# VAULT_CONFIG_DIR isn't exposed as a volume but you can compose additional | ||
# config files in there if you use this image as a base, or use | ||
# VAULT_LOCAL_CONFIG below. | ||
VAULT_CONFIG_DIR=/vault/config | ||
|
||
# You can also set the VAULT_LOCAL_CONFIG environment variable to pass some | ||
# Vault configuration JSON without having to bind any volumes. | ||
if [ -n "$VAULT_LOCAL_CONFIG" ]; then | ||
echo "$VAULT_LOCAL_CONFIG" > "$VAULT_CONFIG_DIR/local.json" | ||
fi | ||
|
||
# If the user is trying to run Vault directly with some arguments, then | ||
# pass them to Vault. | ||
if [ "${1:0:1}" = '-' ]; then | ||
set -- vault "$@" | ||
fi | ||
|
||
# Look for Vault subcommands. | ||
if [ "$1" = 'server' ]; then | ||
shift | ||
set -- vault server \ | ||
-config="$VAULT_CONFIG_DIR" \ | ||
-dev-root-token-id="$VAULT_DEV_ROOT_TOKEN_ID" \ | ||
-dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \ | ||
"$@" | ||
elif [ "$1" = 'version' ]; then | ||
# This needs a special case because there's no help output. | ||
set -- vault "$@" | ||
elif vault --help "$1" 2>&1 | grep -q "vault $1"; then | ||
# We can't use the return code to check for the existence of a subcommand, so | ||
# we have to use grep to look for a pattern in the help output. | ||
set -- vault "$@" | ||
fi | ||
|
||
# If we are running Vault, make sure it executes as the proper user. | ||
if [ "$1" = 'vault' ]; then | ||
if [ -z "$SKIP_CHOWN" ]; then | ||
# If the config dir is bind mounted then chown it | ||
if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then | ||
chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)" | ||
fi | ||
|
||
# If the logs dir is bind mounted then chown it | ||
if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then | ||
chown -R vault:vault /vault/logs | ||
fi | ||
|
||
# If the file dir is bind mounted then chown it | ||
if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then | ||
chown -R vault:vault /vault/file | ||
fi | ||
fi | ||
|
||
if [ -z "$SKIP_SETCAP" ]; then | ||
# Allow mlock to avoid swapping Vault memory to disk | ||
setcap cap_ipc_lock=+ep $(readlink -f $(which vault)) | ||
|
||
# In the case vault has been started in a container without IPC_LOCK privileges | ||
if ! vault -version 1>/dev/null 2>/dev/null; then | ||
>&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK" | ||
setcap cap_ipc_lock=-ep $(readlink -f $(which vault)) | ||
fi | ||
fi | ||
|
||
if [ "$(id -u)" = '0' ]; then | ||
set -- su-exec vault "$@" | ||
fi | ||
fi | ||
|
||
"$@" & | ||
|
||
|
||
sleep 3 | ||
|
||
export VAULT_TOKEN=$VAULT_DEV_ROOT_TOKEN_ID | ||
|
||
vault auth enable approle | ||
vault write auth/approle/role/my-role secret_id_ttl=1000m token_ttl=1000m token_max_ttl=1000m | ||
vault read -field role_id auth/approle/role/my-role/role-id > /vault/tmp/role-id | ||
vault write -field secret_id -f auth/approle/role/my-role/secret-id > /vault/tmp/secret-id | ||
# ROLE_ID=$(vault read -field role_id auth/approle/role/my-role/role-id) | ||
# SECRET_ID=$(vault write -field secret_id -f auth/approle/role/my-role/secret-id) | ||
vault secrets enable -path=pki pki | ||
vault secrets enable -path=secrets kv | ||
vault secrets tune -max-lease-ttl=97600h pki | ||
# vault write -field=certificate pki/root/generate/internal \ | ||
# common_name="example.com" \ | ||
# ttl=97600h | ||
vault write pki/config/urls \ | ||
issuing_certificates="http://127.0.0.1:8233/v1/pki/ca" \ | ||
crl_distribution_points="http://127.0.0.1:8233/v1/pki/crl" | ||
vault write pki/roles/example.com allowed_domains=example.com allow_subdomains=true allow_any_name=true allow_localhost=true enforce_hostnames=false max_ttl=720h | ||
|
||
tee policy.hcl <<EOF | ||
# List, create, update, and delete key/value secrets | ||
path "secrets/*" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list", "sudo"] | ||
} | ||
path "kv/*" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list", "sudo"] | ||
} | ||
path "pki/*" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list", "sudo"] | ||
} | ||
path "pki_int/*" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list", "sudo"] | ||
} | ||
EOF | ||
|
||
vault policy write test-policy policy.hcl | ||
|
||
vault write auth/approle/role/my-role policies=test-policy ttl=1h | ||
|
||
vault secrets enable -path=pki_int pki | ||
vault secrets tune -max-lease-ttl=43800h pki_int | ||
vault write pki_int/roles/example.com allowed_domains=example.com allow_subdomains=true allow_any_name=true allow_localhost=true enforce_hostnames=false max_ttl=600h | ||
|
||
touch /tmp/service_started | ||
|
||
tail -f /dev/null |
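Review bot: The provisioning block after `"$@" &` relies on a fixed `sleep 3` before the first `vault auth enable`; if the dev server takes longer to listen, that command fails, `set -e` terminates the script before `touch /tmp/service_started`, and the container stops with only the CLI's connection error to explain why. A bounded readiness poll on `vault status` (which needs no token and works against the VAULT_ADDR the compose file sets) replaces the guess, and finishing with `wait` instead of `tail -f /dev/null` makes the container exit when Vault itself exits rather than staying up empty. The AppRole secret-id is written to /vault/tmp, which the compose file bind-mounts from the repository checkout; a comment above that line noting that the files are regenerated on each start and must stay out of version control would help. Note also that the root-CA generation at pki/root/generate/internal is commented out, so the pki mount has no issuer unless one is created elsewhere — worth a comment if that is intentional.
```shell
"$@" &

# Wait for the dev server to answer instead of guessing with a fixed sleep;
# give up after a bounded number of attempts so a failed start is visible.
attempts=0
until vault status >/dev/null 2>&1; do
  attempts=$((attempts + 1))
  if [ "$attempts" -ge 30 ]; then
    >&2 echo "Vault did not become ready; aborting provisioning"
    exit 1
  fi
  sleep 1
done

# … unchanged: AppRole, PKI and policy provisioning …

touch /tmp/service_started

# Exit together with Vault rather than keeping an empty container alive.
wait
```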
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
aeb6cc95-b245-894d-6158-7e113e1a8fa6 |
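Review bot: This file holds an AppRole role-id, presumably the docker/vault/tmp/role-id that the .env in this commit references, and the Vault entrypoint added here rewrites /vault/tmp/role-id on every start; the same applies to the secret-id file in the next section. The secret-id in particular is a credential, and committing it sets a precedent for checking in regenerated secrets even though the dev server that issued them is gone. Suggest dropping both files from the commit and adding `docker/vault/tmp/` to `.gitignore`, keeping the directory via a `.gitkeep` if the bind mount needs it to exist.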
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
07c70477-700f-cc29-c426-af17f0aa4c24 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
module.exports = [ | ||
{ | ||
rules: { | ||
"comma-dangle": [ | ||
"error", | ||
{ | ||
arrays: "never", | ||
objects: "ignore", | ||
imports: "never", | ||
exports: "never", | ||
functions: "never" | ||
} | ||
], | ||
"no-extra-semi": "off", | ||
semi: ["error", "always"] | ||
} | ||
} | ||
]; |