new package openbao: provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys (open source fork of Hashicorp Vault)

OBS-URL: https://build.opensuse.org/package/show/security/openbao?expand=0&rev=1

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

_service

@@ -0,0 +1,21 @@
+<services>
+  <service name="obs_scm" mode="manual">
+    <param name="url">https://github.com/openbao/openbao</param>
+    <param name="scm">git</param>
+    <param name="exclude">.git</param>
+    <param name="revision">v2.0.0</param>
+    <param name="versionformat">@PARENT_TAG@</param>
+    <param name="changesgenerate">enable</param>
+    <param name="versionrewrite-pattern">v(.*)</param>
+  </service>
+  <service name="set_version" mode="manual">
+  </service>
+  <service name="tar" mode="buildtime"/>
+  <service name="recompress" mode="buildtime">
+    <param name="file">*.tar</param>
+    <param name="compression">gz</param>
+  </service>
+  <service name="go_modules" mode="manual">
+    <param name="archive">openbao-2.0.0.obscpio</param>
+  </service>
+</services>

_servicedata

@@ -0,0 +1,4 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">https://github.com/openbao/openbao</param>
+              <param name="changesrevision">700fe3f27ab1f0ec39ce20c36f6d9d97c9fe6ac3</param></service></servicedata>

openbao-2.0.0.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:05f676f3bee35a4aa2bc3f7f4f9fe0d95056157c6e0de1fd1adf1080a4bcb3de
+size 41563661

openbao-agent.hcl.sample

@@ -0,0 +1,18 @@
+vault {
+   address = "https://openbao.example.org:8200"
+   tls_skip_verify = false
+}
+
+auto_auth {
+   method {
+      type = "token_file"
+      config = {
+         token_file_path = "/var/lib/openbao/.vault-token"
+      }
+   }
+   sink "file" {
+      config = {
+            path = "/var/lib/openbao/vault-token-via-agent"
+      }
+   }
+}

openbao-agent.service

@@ -0,0 +1,34 @@
+[Unit]
+Description="HashiCorp Vault Agent"
+Documentation=https://github.com/openbao/openbao
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/openbao/openbao-agent.hcl
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/openbao/openbao-agent.env
+User=openbao
+Group=openbao
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/bin/openbao agent -config=/etc/openbao/openbao-agent.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target

openbao.changes

@@ -0,0 +1,42 @@
+-------------------------------------------------------------------
+Thu Jul 18 12:47:17 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 2.0.0:
+  * This release does not ship with the UI enabled. The UI will be
+    available in the future. #129
+  * This release provides initial support for artifact signing.
+  * OpenBao does not provide support for Vault Enterprise features.
+    If there is an enterprise feature you would like to see added
+    to the project, please open a feature request.
+  * OpenBao is fully API compatible with Vault 1.14.9, and seal
+    compatible with the plugins the project supports. Plugin
+    support for OpenBao can be found here.
+  * Changelog
+    - Gate Docker steps behind GOOS (#412)
+    - Add GOOS matrix to release workflow (#411)
+    - Update Go version, changelog, modules for GA (#410)
+    - set bao binary version info with Goreleaser (#401)
+    - Remove cross-cluster revocation from PKI (#365)
+    - Update docs to include mlock removal RFC (#391)
+    - Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#395)
+    - Clarify fork point in FAQ (#392)
+    - docs: recreate images and diagrams (#397)
+    - Bump test-summary/action from 2.2 to 2.4 (#387)
+    - Remove mlock and replace with cgroups (#363)
+    - Downgrade test-summary/action from 2.3 to 2.2 (#381)
+    - Bump test-summary/action from 2.1 to 2.3 (#199)
+    - Bump browser-actions/setup-chrome from 1.5.0 to 1.7.1 (#377)
+    - Bump actions/github-script from 6.4.1 to 7.0.1 (#198)
+    - Bump actions/upload-artifact from 3.1.2 to 4.3.3 (#376)
+    - fix release asset parsing for download page (#378)
+    - update website dependencies (#368)
+    - docs(token): document the token format (#372)
+    - Fix artifact signing, use default runner
+    - Bump actions/configure-pages from 4 to 5 (#370)
+
+-------------------------------------------------------------------
+Sun Feb  4 08:43:31 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- new package openbao: provide a software solution to manage,
+  store, and distribute sensitive data including secrets,
+  certificates, and keys (open source fork of Hashicorp Vault)

openbao.obsinfo

@@ -0,0 +1,4 @@
+name: openbao
+version: 2.0.0
+mtime: 1721253450
+commit: 700fe3f27ab1f0ec39ce20c36f6d9d97c9fe6ac3

openbao.spec

@@ -0,0 +1,283 @@
+#
+# spec file for package openbao
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
+
+%define server_service_name openbao.service
+%define agent_service_name openbao-agent.service
+%define configdir_name openbao
+%define statedir_name openbao
+
+Name:           openbao
+Version:        2.0.0
+Release:        0
+Summary:        Manage, store, and distribute sensitive data
+License:        MPL-2.0
+URL:            https://github.com/openbao/openbao
+Group:          Productivity/Security
+Source:         %{name}-%{version}.tar.gz
+Source1:        vendor.tar.gz
+Source3:        %{name}-agent.service
+Source4:        %{name}-agent.hcl.sample
+BuildRequires:  go >= 1.22
+BuildRequires:  user(openbao)
+
+%description
+OpenBao exists to provide a software solution to manage, store, and distribute
+sensitive data including secrets, certificates, and keys. The OpenBao community
+intends to provide this software under an OSI-approved open-source license, led
+by a community run under open governance principles.
+
+A modern system requires access to a multitude of secrets: database
+credentials, API keys for external services, credentials for service-oriented
+architecture communication, etc. Understanding who is accessing what secrets is
+already very difficult and platform-specific. Adding on key rolling, secure
+storage, and detailed audit logs is almost impossible without a custom
+solution. This is where OpenBao steps in.
+
+The key features of OpenBao are:
+
+* Secure Secret Storage: Arbitrary key/value secrets can be stored in OpenBao.
+  OpenBao encrypts these secrets prior to writing them to persistent storage,
+  so gaining access to the raw storage isn't enough to access your secrets.
+  OpenBao can write to disk, Consul, and more.
+* Dynamic Secrets: OpenBao can generate secrets on-demand for some systems,
+  such as AWS or SQL databases. For example, when an application needs to
+  access an S3 bucket, it asks OpenBao for credentials, and OpenBao will
+  generate an AWS keypair with valid permissions on demand. After creating
+  these dynamic secrets, OpenBao will also automatically revoke them after the
+  lease is up.
+* Data Encryption: OpenBao can encrypt and decrypt data without storing it.
+  This allows security teams to define encryption parameters and developers to
+  store encrypted data in a location such as a SQL database without having to
+  design their own encryption methods.
+* Leasing and Renewal: All secrets in OpenBao have a lease associated with
+  them. At the end of the lease, OpenBao will automatically revoke that secret.
+  Clients are able to renew leases via built-in renew APIs.
+* Revocation: OpenBao has built-in support for secret revocation. OpenBao can
+  revoke not only single secrets, but a tree of secrets, for example, all
+  secrets read by a specific user, or all secrets of a particular type.
+  Revocation assists in key rolling as well as locking down systems in the case
+  of an intrusion.
+
+%package -n %{name}-server
+Summary:        OpenBao server
+BuildArch:      noarch
+Requires:       %{name} = %{version}
+# Require the system user and group
+Requires(pre):  user(openbao)
+Requires(pre):  group(openbao)
+# agent and server conflict
+Conflicts:      %{name}-agent
+
+%description -n %{name}-server
+Files required to run a OpenBao server
+
+%package -n %{name}-agent
+Summary:        OpenBao agent
+BuildArch:      noarch
+Requires:       %{name} = %{version}
+# Require the system user and group
+Requires(pre):  user(openbao)
+Requires(pre):  group(openbao)
+# agent and server conflict
+Conflicts:      %{name}-server
+
+%description -n %{name}-agent
+Files required to run a OpenBao agent
+
+%package -n %{name}-mysql-database-plugin
+Summary:        OpenBao database plugin for MySQL
+
+%description -n %{name}-mysql-database-plugin
+OpenBao database plugin for MySQL
+
+%package -n %{name}-mysql-legacy-database-plugin
+Summary:        OpenBao database plugin for MySQL Legacy
+
+%description -n %{name}-mysql-legacy-database-plugin
+OpenBao database plugin for MySQL Legacy
+
+%package -n %{name}-cassandra-database-plugin
+Summary:        OpenBao database plugin for Cassandra
+
+%description -n %{name}-cassandra-database-plugin
+OpenBao database plugin for Cassandra
+
+%package -n %{name}-influxdb-database-plugin
+Summary:        OpenBao database plugin for InfluxDB
+
+%description -n %{name}-influxdb-database-plugin
+OpenBao database plugin for InfluxDB
+
+%package -n %{name}-postgresql-database-plugin
+Summary:        OpenBao database plugin for PostgreSQL
+
+%description -n %{name}-postgresql-database-plugin
+OpenBao database plugin for PostgreSQL
+
+%prep
+%autosetup -p 1 -a 1
+
+%build
+DATE_FMT="+%%Y-%%m-%%dT%%H:%%M:%%SZ"
+BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u "${DATE_FMT}")
+go build \
+   -mod=vendor \
+   -buildmode=pie \
+   -ldflags=" \
+    -X github.com/openbao/openbao/version.GitCommit=v%{version} \
+    -X github.com/openbao/openbao/version.BuildDate=${BUILD_DATE}" \
+   -o bin/openbao .
+
+#
+# database plugins
+#
+
+CGO_ENABLED=0 go build \
+   -mod=vendor \
+   -buildmode=pie \
+   -o bin/mysql-database-plugin ./plugins/database/mysql/mysql-database-plugin
+
+CGO_ENABLED=0 go build \
+   -mod=vendor \
+   -buildmode=pie \
+   -o bin/mysql-legacy-database-plugin ./plugins/database/mysql/mysql-legacy-database-plugin
+
+CGO_ENABLED=0 go build \
+   -mod=vendor \
+   -buildmode=pie \
+   -o bin/cassandra-database-plugin ./plugins/database/cassandra/cassandra-database-plugin
+
+CGO_ENABLED=0 go build \
+   -mod=vendor \
+   -buildmode=pie \
+   -o bin/influxdb-database-plugin ./plugins/database/influxdb/influxdb-database-plugin
+
+CGO_ENABLED=0 go build \
+   -mod=vendor \
+   -buildmode=pie \
+   -o bin/postgresql-database-plugin ./plugins/database/postgresql/postgresql-database-plugin
+
+%install
+# Install the binary.
+install -D -m 0755 bin/%{name} %{buildroot}/%{_bindir}/%{name}
+
+# server systemd unit file
+install -D -m 0644 .release/linux/package/usr/lib/systemd/system/%{server_service_name} %{buildroot}%{_unitdir}/%{server_service_name}
+
+# fix for https://github.com/openbao/openbao/issues/274
+sed -i '/EnvironmentFile/ s/openbao\.d/openbao/' %{buildroot}%{_unitdir}/%{server_service_name}
+
+# agent systemd unit file
+install -D -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/%{agent_service_name}
+
+# configuration in /etc/openbao/
+install -d -m 0750 %{buildroot}%{_sysconfdir}/%{configdir_name}/
+install -D -m 0640 .release/linux/package/etc/%{configdir_name}/%{name}.env %{buildroot}%{_sysconfdir}/%{configdir_name}/%{name}.env
+install -D -m 0640 .release/linux/package/etc/%{configdir_name}/%{name}.env %{buildroot}%{_sysconfdir}/%{configdir_name}/%{name}-agent.env
+
+# touch configuration files
+touch %{buildroot}%{_sysconfdir}/%{configdir_name}/%{name}.hcl
+touch %{buildroot}%{_sysconfdir}/%{configdir_name}/%{name}-agent.hcl
+
+# agent configuration example
+cp %{SOURCE4} .
+
+# fix path in sample configuration
+cp .release/linux/package/etc/%{configdir_name}/%{name}.hcl %{name}.hcl.sample
+sed -i 's|/opt/%{name}|/var/lib/%{name}|g' %{name}.hcl.sample
+
+# directory in /var/lib/
+install -d -m 0755 %{buildroot}%{_sharedstatedir}/%{statedir_name}
+
+# database plugins
+for plugin in \
+        mysql-database-plugin \
+        mysql-legacy-database-plugin \
+        cassandra-database-plugin \
+        influxdb-database-plugin \
+        postgresql-database-plugin
+do
+        install -D -m 0755 bin/${plugin} %{buildroot}/%{_bindir}/%{name}-${plugin}
+done
+
+%pre -n %{name}-server
+%service_add_pre %{server_service_name}
+
+%pre -n %{name}-agent
+%service_add_pre %{agent_service_name}
+
+%post -n %{name}-server
+%service_add_post %{server_service_name}
+
+%post -n %{name}-agent
+%service_add_post %{agent_service_name}
+
+%preun -n %{name}-server
+%service_del_preun %{server_service_name}
+
+%preun -n %{name}-agent
+%service_del_preun %{agent_service_name}
+
+%postun -n %{name}-server
+%service_del_postun %{server_service_name}
+
+%postun -n %{name}-agent
+%service_del_postun %{agent_service_name}
+
+%check
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/%{name}
+
+%files -n %{name}-server
+%{_unitdir}/%{server_service_name}
+%dir %attr(750,%{name}, %{name}) %{_sysconfdir}/%{configdir_name}/
+%defattr(0640, root, %{name})
+%config(noreplace) %ghost %{_sysconfdir}/%{configdir_name}/%{name}.hcl
+%config(noreplace) %{_sysconfdir}/%{configdir_name}/%{name}.env
+%doc %{name}.hcl.sample
+%dir %attr(750,%{name}, %{name}) %{_sharedstatedir}/%{statedir_name}/
+
+%files -n %{name}-agent
+%{_unitdir}/%{agent_service_name}
+%dir %attr(750,%{name}, %{name}) %{_sysconfdir}/%{configdir_name}/
+%defattr(0640, root, %{name})
+%ghost %{_sysconfdir}/%{configdir_name}/%{name}-agent.hcl
+%config(noreplace) %{_sysconfdir}/%{configdir_name}/%{name}-agent.env
+%doc %{name}-agent.hcl.sample
+
+%files -n %{name}-mysql-database-plugin
+%{_bindir}/%{name}-mysql-database-plugin
+
+%files -n %{name}-mysql-legacy-database-plugin
+%{_bindir}/%{name}-mysql-legacy-database-plugin
+
+%files -n %{name}-cassandra-database-plugin
+%{_bindir}/%{name}-cassandra-database-plugin
+
+%files -n %{name}-influxdb-database-plugin
+%{_bindir}/%{name}-influxdb-database-plugin
+
+%files -n %{name}-postgresql-database-plugin
+%{_bindir}/%{name}-postgresql-database-plugin
+
+%changelog

vendor.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0aca25f888dd5a3a014d20a48c4c57b09e312068e121ea418ae78832ecdb947c
+size 19525723