diff --git a/.circleci/config.yml b/.circleci/config.yml index c35ef3b..df4a966 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -31,6 +31,34 @@ commands: key: go-mod-v4-{{ checksum "go.sum" }} paths: - "/go/pkg/mod" + prepare_docker: + description: "Docker login" + steps: + - run: + name: Docker login + command: | + echo $DOCKER_PASS | docker login -u $DOCKER_USER --password-stdin $DOCKER_REGISTRY + echo $DOCKER_PASS_2 | docker login -u $DOCKER_USER_2 --password-stdin $DOCKER_REGISTRY_2 + + docker_build_image: + description: "Build Quorum Hashicorp Vault Plugin docker image" + steps: + - run: + name: Build Quorum Hashicorp Vault Plugin + command: >- + DOCKER_BUILDKIT=1 docker build + --label org.opencontainers.image.created=`date -u +"%Y-%m-%dT%H:%M:%SZ"` + --label org.opencontainers.image.url="https://consensys.net" + --label org.opencontainers.image.documentation="https://docs.quorum-key-manager.consensys.net/" + --label org.opencontainers.image.source="${CIRCLE_REPOSITORY_URL}" + --label org.opencontainers.image.version="${CIRCLE_TAG}" + --label org.opencontainers.image.revision="${CIRCLE_SHA1:0:7}" + --label org.opencontainers.image.vendor="ConsenSys Software Inc." + --label org.opencontainers.image.licenses="BUSL-1.1" + --label org.opencontainers.image.title="${CIRCLE_PROJECT_REPONAME}" + --label org.opencontainers.image.description="This Quorum plugin enhances Hashicorp Vault Service with cryptographic operations under Vault engine." + -q + -t quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} . jobs: styleCheck: 
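Review bot: In the `Docker login` step both secrets are expanded unquoted (`echo $DOCKER_PASS | docker login ...`), so a password containing whitespace or glob characters is word-split or expanded by the shell before it reaches stdin, and `echo` can treat a leading `-n` or `-e` as an option. `printf '%s' "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin "$DOCKER_REGISTRY"` passes the value through unchanged, and the `_2` line needs the same treatment. Keeping `--password-stdin` is right, since it keeps the password off the process argument list. A short comment on `prepare_docker` naming which registry each login is for would help the next reader.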
@@ -78,6 +106,46 @@ jobs: VERSION="${CIRCLE_TAG}" ghr -t ${GITHUB_TOKEN} -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -c ${CIRCLE_SHA1} -delete ${VERSION} ./artifacts/ + push-dev-image: + docker: + - image: cimg/base:2020.01 + resource_class: large + steps: + - checkout + - setup_remote_docker: + version: 19.03.13 + docker_layer_caching: true + - prepare_docker + - docker_build_image + - run: + name: Deploy image in repository + command: | + docker tag quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} ${DOCKER_REGISTRY_DEV_REPO}/quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} + docker push ${DOCKER_REGISTRY_DEV_REPO}/quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} + + docker tag quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} ${DOCKER_REGISTRY_DEV_REPO}/quorum-hashicorp-vault-plugin:develop + docker push ${DOCKER_REGISTRY_DEV_REPO}/quorum-hashicorp-vault-plugin:develop + + push-prod-image: + docker: + - image: cimg/base:2020.01 + resource_class: large + steps: + - checkout + - setup_remote_docker: + version: 19.03.13 + docker_layer_caching: true + - prepare_docker + - docker_build_image + - run: + name: Deploy image in repository + command: | + docker tag quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} ${DOCKER_REGISTRY_REPO_2}/quorum-hashicorp-vault-plugin:${CIRCLE_TAG} + docker push ${DOCKER_REGISTRY_REPO_2}/quorum-hashicorp-vault-plugin:${CIRCLE_TAG} + + docker tag quorum-hashicorp-vault-plugin:${CIRCLE_SHA1:0:7} ${DOCKER_REGISTRY_REPO_2}/quorum-hashicorp-vault-plugin:latest + docker push ${DOCKER_REGISTRY_REPO_2}/quorum-hashicorp-vault-plugin:latest + workflows: version: 2 default: @@ -100,6 +168,14 @@ workflows: only: /^v.*/ branches: only: /.*/ + - push-dev-image: + filters: + branches: + only: main + requires: + - styleCheck + - test + - build - publish-github-release: requires: - build 
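Review bot: `push-dev-image` runs `prepare_docker`, which logs in to both `$DOCKER_REGISTRY` and `$DOCKER_REGISTRY_2`, so every build on `main` holds a session for the registry that `push-prod-image` appears to publish to (`${DOCKER_REGISTRY_REPO_2}`). Splitting the login into one command per registry, or parameterising `prepare_docker`, would keep the release credentials inside the tag-only job. Separately, `push-prod-image` rebuilds the image with `docker_layer_caching: true` rather than promoting the image already pushed from `main`, so the released `:latest` is not necessarily the image that was exercised. Retagging the dev image by digest would close that gap. `cimg/base:2020.01` and remote Docker `19.03.13` are old pins and worth refreshing.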
@@ -108,4 +184,11 @@ workflows: only: /^v.*/ branches: ignore: /.*/ - + - push-prod-image: + filters: + tags: + only: /^v.*/ + branches: + ignore: /.*/ + requires: + - publish-github-release diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..fab59f3 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,16 @@ +# Source code +.git +.gitignore +.dockerignore +Dockerfile* +docker-compose* +.gitlab-ci.yml + +build/ +vendor/ + +AUTHORS +CONTRIBUTING.md +Makefile +README.md + diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..d3eccef --- /dev/null +++ b/Dockerfile @@ -0,0 +1,40 @@ +############################ +# STEP 1 build executable plugin binary +############################ +FROM golang:1.16-buster AS builder + +RUN apt-get update && \ + apt-get install --no-install-recommends -y \ + ca-certificates upx-ucl + +WORKDIR /plugin + +ENV GO111MODULE=on +COPY go.mod go.sum ./ +COPY LICENSE ./ +RUN go mod download + +COPY . . + +RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -a -v -o quorum-hashicorp-vault-plugin +RUN upx quorum-hashicorp-vault-plugin +RUN sha256sum -b quorum-hashicorp-vault-plugin | cut -d' ' -f1 > SHA256SUM + +############################ +# STEP 2 build new vault image +############################ +FROM library/vault:1.8.4 + +RUN apk add --no-cache \ + jq \ + curl + +# Expose the plugin directory as a volume +VOLUME /vault/plugins + +COPY --from=builder /plugin/LICENSE / +COPY --from=builder /plugin/quorum-hashicorp-vault-plugin /vault/plugins/quorum-hashicorp-vault-plugin +COPY --from=builder /plugin/scripts/vault-init.sh /usr/local/bin/vault-init.sh +COPY --from=builder /plugin/scripts/vault-init-dev.sh /usr/local/bin/vault-init-dev.sh + +EXPOSE 8200 diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..689405f --- /dev/null +++ b/LICENSE 
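Review bot: The builder stage writes `SHA256SUM` next to the binary, but the final stage never copies it, so the checksum computed at build time is not in the shipped image. Anything that registers the plugin can therefore only re-hash whatever file is present at runtime. A line such as `COPY --from=builder /plugin/SHA256SUM /SHA256SUM` (destination is a suggestion) would let the init script or an operator compare against the build-time value. If the file is not wanted, drop the `RUN sha256sum` step. Both `FROM golang:1.16-buster` and `FROM library/vault:1.8.4` are referenced by tag only; pinning them by digest would protect the build against a re-pushed tag.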
@@ -0,0 +1,95 @@ +Business Source License 1.1 + +Parameters + +Licensor: ConsenSys Software Inc. +Licensed Work: ConsenSys Codefi Orchestrate v21.7 + The Licensed Work is (c) 2021 ConsenSys Software Inc. +Additional Use Grant: You may use the Licensed Work for production use without further license solely if you are any charitable organization, educational institution, public research organization, public safety or health organization, or an environmental protection organization. + +Change Date: 2024-07-01 + +Change License: Apache License, Version 2.0 + +For information about alternative licensing arrangements for the Software, +please visit: https://consensys.net/ + +Notice + +The Business Source License (this document, or the “License”) is not an Open +Source license. However, the Licensed Work will eventually be made available +under an Open Source License, as stated in this License. + +License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved. +“Business Source License” is a trademark of MariaDB Corporation Ab. + +----------------------------------------------------------------------------- + +Business Source License 1.1 + +Terms + +The Licensor hereby grants you the right to copy, modify, create derivative +works, redistribute, and make non-production use of the Licensed Work. The +Licensor may make an Additional Use Grant, above, permitting limited +production use. + +Effective on the Change Date, or the fourth anniversary of the first publicly +available distribution of a specific version of the Licensed Work under this +License, whichever comes first, the Licensor hereby grants you rights under +the terms of the Change License, and the rights granted in the paragraph +above terminate. 
+ +If your use of the Licensed Work does not comply with the requirements +currently in effect as described in this License, you must purchase a +commercial license from the Licensor, its affiliated entities, or authorized +resellers, or you must refrain from using the Licensed Work. + +All copies of the original and modified Licensed Work, and derivative works +of the Licensed Work, are subject to this License. This License applies +separately for each version of the Licensed Work and the Change Date may vary +for each version of the Licensed Work released by Licensor. + +You must conspicuously display this License on each original or modified copy +of the Licensed Work. If you receive the Licensed Work in original or +modified form from a third party, the terms and conditions set forth in this +License apply to your use of that work. + +Any use of the Licensed Work in violation of this License will automatically +terminate your rights under this License for the current and all other +versions of the Licensed Work. + +This License does not grant you any right in any trademark or logo of +Licensor or its affiliates (provided that you may use a trademark or logo of +Licensor as expressly required by this License). + +TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON +AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, +EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND +TITLE. + +MariaDB hereby grants you permission to use this License’s text to license +your works, and to refer to it using the trademark “Business Source License”, +as long as you comply with the Covenants of Licensor below. 
+ +Covenants of Licensor + +In consideration of the right to use this License’s text and the “Business +Source License” name and trademark, Licensor covenants to MariaDB, and to all +other recipients of the licensed work to be provided by Licensor: + +1. To specify as the Change License the GPL Version 2.0 or any later version, + or a license that is compatible with GPL Version 2.0 or a later version, + where “compatible” means that software provided under the Change License can + be included in a program with software provided under GPL Version 2.0 or a + later version. Licensor may specify additional Change Licenses without + limitation. + +2. To either: (a) specify an additional grant of rights to use that does not + impose any additional restriction on the right granted in this License, as + the Additional Use Grant; or (b) insert the text “None”. + +3. To specify a Change Date. + +4. Not to modify this License in any other way. diff --git a/Makefile b/Makefile index 0a0374f..cee1fb7 100644 --- a/Makefile +++ b/Makefile @@ -23,11 +23,13 @@ lint-ci: ## Check linting @golangci-lint run prod: gobuild - @docker-compose -f docker-compose.yml up --build vault-init vault + @docker-compose -f docker-compose.yml up --build vault dev: gobuild - @docker-compose -f docker-compose.yml up --build vault-dev-init vault-dev + @docker-compose -f docker-compose.dev.yml up --build vault down: - @docker-compose -f docker-compose.yml down --volumes --timeout 0 + @docker-compose -f docker-compose.dev.yml down --volumes --timeout 0 +docker-build: + @DOCKER_BUILDKIT=1 docker build -t quorum-hashicorp-vault-plugin . diff --git a/README.md b/README.md index e684033..ddeeb73 100644 --- a/README.md +++ b/README.md 
@@ -23,17 +23,23 @@ The Quorum plugin enhances Hashicorp Vault Service with cryptographic operations - Makefile - docker-compose -### Development mode +### Running local version -To run our plugin in development mode you have to first build the plugin using: +Build plugin binary +```bash +$> make gobuild ``` + +To run our plugin in development mode you have to first build the plugin using: +```bash $> make dev ``` -### Test using Curl +### Testing + Now you have your Vault running on port `:8200`. Open a new terminal to run the following command to enable Orchestrate plugin: -``` +```bash $> curl --header "X-Vault-Token: DevVaultToken" --request POST \ --data '{"type": "plugin", "plugin_name": "quorum-hashicorp-vault-plugin", "config": {"force_no_cache": true, "passthrough_request_headers": ["X-Vault-Namespace"]} }' \ ${VAULT_ADDR}/v1/sys/mounts/quorum 
@@ -41,21 +47,30 @@ $> curl --header "X-Vault-Token: DevVaultToken" --request POST \ Now you already have your Vault running with Orchestrate plugin enable. The best way to understand the new integrate APIs is to use the `help` feature. To list a description of all the available endpoints you can run: -``` +```bash $> curl -H "X-Vault-Token: DevVaultToken" http://127.0.0.1:8200/v1/quorum?help=1 ``` alternatively you can list only `ethereum` endpoints by using: -``` +```bash $> curl -H "X-Vault-Token: DevVaultToken" http://127.0.0.1:8200/v1/quorum/ethereum/accounts?help=1 ``` -## Production mode +## Running using latest version -Running Quorum Hashicorp Vault Plugin plugin in production: -``` -$> make prod +Running Quorum Hashicorp Vault Plugin plugin: +```bash +$> docker-compose -f docker-compose.yml up --build vault ``` ## Contributing [How to Contribute](CONTRIBUTING.md) + +## License + +Quorum Hashicorp Vault plugin is licensed under the BSL 1.1. + +Please refer to the [LICENSE file](LICENSE) for a detailed description of the license. + +Please contact [orchestrate@consensys.net](mailto:orchestrate@consensys.net) if you need to purchase a license for a production use-case. + diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml new file mode 100644 index 0000000..424bc2c --- /dev/null +++ b/docker-compose.dev.yml 
@@ -0,0 +1,39 @@
+version: "3.7"
+
+x-container-common: &container-common
+ networks:
+ - vault
+
+services:
+ vault:
+ <<: *container-common
+ image: library/vault:1.8.4
+ restart: ${CONTAINER_RESTART-on-failure}
+ tty: true
+ cap_add:
+ - IPC_LOCK
+ volumes:
+ - ./build/bin/quorum-hashicorp-vault-plugin:/vault/plugins/quorum-hashicorp-vault-plugin
+ - ./scripts/vault-init-dev.sh:/usr/local/bin/vault-init.sh
+ environment:
+ VAULT_ADDR: http://vault:8200
+ VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN-DevVaultToken}
+ entrypoint:
+ - sh
+ - -c
+ - |
+ apk add --no-cache curl
+ ( sleep 2 ; vault-init.sh ) &
+ vault server -dev -dev-plugin-dir=/vault/plugins/ -dev-listen-address="0.0.0.0:8200" -log-level=trace
+ ports:
+ - 8200:8200
+ healthcheck:
+ test: [ "CMD", "wget", "--spider", "--proxy", "off", "http://localhost:8200/v1/sys/health?standbyok=true" ]
+ interval: 10s
+ timeout: 3s
+ retries: 10
+ start_period: 5s
+
+networks:
+ vault:
+ driver: bridge
diff --git a/docker-compose.yml b/docker-compose.yml
index 833707e..312cbaa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
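Review bot: `ports: - 8200:8200` publishes the dev server on every host interface while the root token defaults to the well-known `DevVaultToken` and the server listens on `0.0.0.0:8200`, so anything that can reach the host can act as root on this Vault. Binding the mapping to loopback, `- "127.0.0.1:8200:8200"`, keeps the dev instance local, and quoting it also avoids YAML 1.1 number parsing of port pairs. The same unquoted, all-interface mapping is in the `docker-compose.yml` hunk, where the listener additionally sets `tls_disable = true`. `apk add --no-cache curl` at container start pulls an unpinned package on every run; baking it into an image would be steadier.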
@@ -5,60 +5,50 @@ x-container-common: &container-common - vault services: - vault-dev: + vault: <<: *container-common - image: library/vault:1.8.2 - restart: ${CONTAINER_RESTART-on-failure} + image: consensys/quorum-hashicorp-vault-plugin:latest tty: true + restart: "no" cap_add: - IPC_LOCK - volumes: - - ./build/bin/quorum-hashicorp-vault-plugin:/vault/plugins/quorum-hashicorp-vault-plugin environment: - VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN-DevVaultToken} - entrypoint: vault server -dev -dev-plugin-dir=/vault/plugins/ -dev-listen-address="0.0.0.0:8200" -log-level=trace - ports: - - 8200:8200 + ROOT_TOKEN_PATH: /vault/.root + VAULT_ADDR: http://vault:8200 + PLUGIN_MOUNT_PATH: quorum + entrypoint: + - sh + - -c + - | + cat < /vault/config.hcl + backend "file" { + path = "/vault/file" + } - vault-dev-init: - <<: *container-common - build: ./docker - environment: - VAULT_ADDR: http://vault-dev:8200 - VAULT_TOKEN: ${VAULT_TOKEN-DevVaultToken} - restart: "no" - volumes: - - ./docker/init-dev.sh:/init.sh - depends_on: - - vault-dev - command: sh /init.sh + listener "tcp" { + address = "vault:8200" + tls_disable = true + } - vault: - <<: *container-common - image: library/vault:1.8.2 - tty: true - cap_add: - - IPC_LOCK - volumes: - - ./docker/config.hcl:/vault/config.hcl:ro - - ./build/bin/quorum-hashicorp-vault-plugin:/vault/plugins/quorum-hashicorp-vault-plugin - entrypoint: vault server -config=/vault/config.hcl + default_lease_ttl = "15m" + max_lease_ttl = "30m" + api_addr = "http://vault:8200" + plugin_directory = "/vault/plugins" + log_level = "Debug" + + ui = false + EOF + + ( sleep 2 ; vault-init.sh ) & + vault server -config=/vault/config.hcl ports: - 8200:8200 - - vault-init: - <<: *container-common - build: ./docker - environment: - VAULT_ADDR: http://vault:8200 - PLUGIN_FILE: /vault/plugins/quorum-hashicorp-vault-plugin - restart: "no" - volumes: - - ./build/bin/quorum-hashicorp-vault-plugin:/vault/plugins/quorum-hashicorp-vault-plugin - - 
./docker/init-prod.sh:/init.sh - depends_on: - - vault - command: sh /init.sh + healthcheck: + test: [ "CMD", "wget", "--spider", "--proxy", "off", "http://localhost:8200/v1/sys/health?standbyok=true" ] + interval: 10s + timeout: 3s + retries: 10 + start_period: 5s networks: vault: diff --git a/docker/Dockerfile b/docker/Dockerfile deleted file mode 100644 index fe28b8d..0000000 --- a/docker/Dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -FROM alpine:3.14 - -RUN apk add --no-cache \ - jq \ - curl \ - bash - -WORKDIR /vault diff --git a/docker/config.hcl b/docker/config.hcl deleted file mode 100644 index c8e4821..0000000 --- a/docker/config.hcl +++ /dev/null @@ -1,15 +0,0 @@ -backend "file" { - path = "/vault/file" -} - -listener "tcp" { - address = "vault:8200" - tls_disable = true -} - -default_lease_ttl = "12h" -max_lease_ttl = "24h" -api_addr = "http://vault:8200" -plugin_directory = "/vault/plugins" -log_level = "Debug" -ui = true diff --git a/docker/init-dev.sh b/docker/init-dev.sh deleted file mode 100644 index cac3e83..0000000 --- a/docker/init-dev.sh +++ /dev/null @@ -1,4 +0,0 @@ -echo "enabling Quorum Hashicorp Plugin engine..." -curl --header "X-Vault-Token: ${VAULT_TOKEN}" --request POST \ - --data '{"type": "plugin", "plugin_name": "quorum-hashicorp-vault-plugin", "config": {"force_no_cache": true, "passthrough_request_headers": ["X-Vault-Namespace"]} }' \ - ${VAULT_ADDR}/v1/sys/mounts/quorum diff --git a/docker/init-prod.sh b/docker/init-prod.sh deleted file mode 100755 index ed810b4..0000000 --- a/docker/init-prod.sh +++ /dev/null 
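Review bot: `image: consensys/quorum-hashicorp-vault-plugin:latest` is a mutable tag, so the Vault build and plugin that end up holding keys are whatever was pushed last; pinning a release tag or, better, an `@sha256:` digest makes the deployment reproducible and reviewable. As shown, the entrypoint line `cat < /vault/config.hcl` reads the file instead of writing it. If that is not an artefact of how this page was rendered, the heredoc form `cat <<EOF > /vault/config.hcl` is presumably what was meant; otherwise the HCL lines run as shell commands and `vault server -config=` finds no file. The generated config keeps `log_level = "Debug"`, which is worth lowering for anything beyond local use.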
@@ -1,34 +0,0 @@ -# Store root token in a file so it can be shared with other services through volume -# Init Vault - -echo "Initializing Vault: ${VAULT_ADDR}" - -curl --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' ${VAULT_ADDR}/v1/sys/init > init.json - -if [ "$UNSEAL_KEY" = "null" ]; then - echo "cannot retrieve unseal token" - exit 1 -fi - -# Retrieve root token and unseal key -VAULT_TOKEN=$(cat init.json | jq .root_token | tr -d '"') -UNSEAL_KEY=$(cat init.json | jq .keys | jq .[0]) -SHA256SUM=$(sha256sum -b ${PLUGIN_FILE} | cut -d' ' -f1) -rm init.json - - -# Unseal Vault -echo "unsealing vault..." -curl --request POST --data '{"key": '${UNSEAL_KEY}'}' ${VAULT_ADDR}/v1/sys/unseal - -echo "registering Quorum Hashicorp Vault plugin..." -curl --header "X-Vault-Token: ${VAULT_TOKEN}" --request POST \ - --data "{\"sha256\": \"${SHA256SUM}\", \"command\": \"quorum-hashicorp-vault-plugin\" }" \ - ${VAULT_ADDR}/v1/sys/plugins/catalog/secret/quorum-hashicorp-vault-plugin - -echo "enabling Quorum Hashicorp Vault engine..." -curl --header "X-Vault-Token: ${VAULT_TOKEN}" --request POST \ - --data '{"type": "plugin", "plugin_name": "quorum-hashicorp-vault-plugin", "config": {"force_no_cache": true, "passthrough_request_headers": ["X-Vault-Namespace"]} }' \ - ${VAULT_ADDR}/v1/sys/mounts/quorum - -echo "ROOT_TOKEN: $VAULT_TOKEN" diff --git a/scripts/vault-init-dev.sh b/scripts/vault-init-dev.sh new file mode 100755 index 0000000..e8d68e0 --- /dev/null +++ b/scripts/vault-init-dev.sh 
@@ -0,0 +1,16 @@
+VAULT_ADDR=${VAULT_ADDR-localhost:8200}
+PLUGIN_MOUNT_PATH=${PLUGIN_MOUNT_PATH-quorum}
+PLUGIN_PATH=${PLUGIN_PATH-/vault/plugins}
+VAULT_DEV_ROOT_TOKEN_ID=${VAULT_DEV_ROOT_TOKEN_ID-DevVaultToken}
+
+if [ "${PLUGIN_PATH}" != "/vault/plugins" ]; then
+ mkdir -p ${PLUGIN_PATH}
+ echo "[PLUGIN] Copying plugin to expected folder"
+ cp $PLUGIN_FILE "${PLUGIN_PATH}/quorum-hashicorp-vault-plugin"
+fi
+
+echo "[PLUGIN] Enabling Quorum Hashicorp Plugin engine..."
+curl --header "X-Vault-Token: ${VAULT_DEV_ROOT_TOKEN_ID}" --request POST \
+ --data '{"type": "plugin", "plugin_name": "quorum-hashicorp-vault-plugin", "config": {"force_no_cache": true, "passthrough_request_headers": ["X-Vault-Namespace"]} }' \
+ ${VAULT_ADDR}/v1/sys/mounts/${PLUGIN_MOUNT_PATH}
+
diff --git a/scripts/vault-init.sh b/scripts/vault-init.sh
new file mode 100755
index 0000000..beb1f31
--- /dev/null
+++ b/scripts/vault-init.sh
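Review bot: `cp $PLUGIN_FILE "${PLUGIN_PATH}/quorum-hashicorp-vault-plugin"` relies on `PLUGIN_FILE`, which this script never assigns (the sibling `scripts/vault-init.sh` does). Unless the environment supplies it, an overridden `PLUGIN_PATH` makes the unquoted expansion vanish and `cp` runs with a single operand. Give it a default next to the others, `PLUGIN_FILE=${PLUGIN_FILE-/vault/plugins/quorum-hashicorp-vault-plugin}`, and quote the expansions: `cp "$PLUGIN_FILE" ...` and `mkdir -p "${PLUGIN_PATH}"`. The script also has no shebang or `set -e`, so a failed `cp` or `curl` goes unnoticed. A header comment stating that it is for `-dev` servers only would help keep it out of other setups.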
@@ -0,0 +1,50 @@
+# Store root token in a file so it can be shared with other services through volume
+# Init Vault
+
+VAULT_ADDR=${VAULT_ADDR-localhost:8200}
+PLUGIN_PATH=${PLUGIN_PATH-/vault/plugins}
+PLUGIN_MOUNT_PATH=${PLUGIN_MOUNT_PATH-quorum}
+ROOT_TOKEN_PATH=${ROOT_TOKEN_PATH-/vault/.root}
+PLUGIN_FILE=/vault/plugins/quorum-hashicorp-vault-plugin
+
+echo "[PLUGIN] Initializing Vault: ${VAULT_ADDR}"
+
+curl -s --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' ${VAULT_ADDR}/v1/sys/init > response.json
+
+ROOT_TOKEN=$(cat response.json | jq .root_token | tr -d '"')
+UNSEAL_KEY=$(cat response.json | jq .keys | jq .[0])
+ERRORS=$(cat response.json | jq .errors | jq .[0])
+rm response.json
+
+if [ "$UNSEAL_KEY" = "null" ]; then
+ echo "[PLUGIN] cannot retrieve unseal key: $ERRORS"
+ exit 1
+fi
+
+# Unseal Vault
+echo "[PLUGIN] Unsealing vault..."
+curl -s --request POST --data '{"key": '${UNSEAL_KEY}'}' ${VAULT_ADDR}/v1/sys/unseal
+
+if [ "${PLUGIN_PATH}" != "/vault/plugins" ]; then
+ mkdir -p ${PLUGIN_PATH}
+ echo "[PLUGIN] Copying plugin to expected folder"
+ cp $PLUGIN_FILE "${PLUGIN_PATH}/quorum-hashicorp-vault-plugin"
+fi
+
+echo "[PLUGIN] Registering Quorum Hashicorp Vault plugin..."
+SHA256SUM=$(sha256sum -b ${PLUGIN_FILE} | cut -d' ' -f1)
+curl -s --header "X-Vault-Token: ${ROOT_TOKEN}" --request POST \
+ --data "{\"sha256\": \"${SHA256SUM}\", \"command\": \"quorum-hashicorp-vault-plugin\" }" \
+ ${VAULT_ADDR}/v1/sys/plugins/catalog/secret/quorum-hashicorp-vault-plugin
+
+echo "[PLUGIN] Enabling Quorum Hashicorp Vault engine..."
+curl -s --header "X-Vault-Token: ${ROOT_TOKEN}" --request POST \
+ --data '{"type": "plugin", "plugin_name": "quorum-hashicorp-vault-plugin", "config": {"force_no_cache": true, "passthrough_request_headers": ["X-Vault-Namespace"]} }' \
+ ${VAULT_ADDR}/v1/sys/mounts/${PLUGIN_MOUNT_PATH}
+
+if [ -n "$ROOT_TOKEN" ]; then
+ echo "[PLUGIN] Root token saved in ${ROOT_TOKEN_PATH}"
+ echo "$ROOT_TOKEN" > ${ROOT_TOKEN_PATH}
+fi
+
+exit 0
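Review bot: The root token is written with `echo "$ROOT_TOKEN" > ${ROOT_TOKEN_PATH}` under the default umask, and the full `/v1/sys/init` response (root token and unseal key) is first written to `response.json` in the working directory, so both files are likely readable by other users in the container while they exist. Setting `umask 077` at the top of the script, or holding the response in a variable (`RESPONSE=$(curl -s ...)`) and piping it to `jq -r`, keeps the secrets owner-only or off disk. The unseal key is used once and never stored, so as far as this hunk shows a restarted container cannot be unsealed. `curl -s` without `--fail` plus the unconditional `exit 0` also means a rejected plugin registration or mount is reported as success.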