From cab6b340bf745c5b8b6e99cccd34e302846a5430b222b02cb46ccbe3e0452e5b Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Sat, 20 Jul 2024 18:05:28 +0000
Subject: [PATCH] new package openbao: provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys (open source fork of Hashicorp Vault)

OBS-URL: https://build.opensuse.org/package/show/security/openbao?expand=0&rev=1
---
.gitattributes | 23 ++++
.gitignore | 1 +
_service | 21 +++
_servicedata | 4 +
openbao-2.0.0.obscpio | 3 +
openbao-agent.hcl.sample | 18 +++
openbao-agent.service | 34 +++++
openbao.changes | 42 ++++++
openbao.obsinfo | 4 +
openbao.spec | 283 +++++++++++++++++++++++++++++++++++++++
vendor.tar.gz | 3 +
11 files changed, 436 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 _service
create mode 100644 _servicedata
create mode 100644 openbao-2.0.0.obscpio
create mode 100644 openbao-agent.hcl.sample
create mode 100644 openbao-agent.service
create mode 100644 openbao.changes
create mode 100644 openbao.obsinfo
create mode 100644 openbao.spec
create mode 100644 vendor.tar.gz

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..625da92 --- /dev/null +++ b/_service @@ -0,0 +1,21 @@ + + + https://github.com/openbao/openbao + git + .git + v2.0.0 + @PARENT_TAG@ + enable + v(.*) + + + + + + *.tar + gz + + + openbao-2.0.0.obscpio + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..f69d264 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/openbao/openbao + 700fe3f27ab1f0ec39ce20c36f6d9d97c9fe6ac3 \ No newline at end of file diff --git a/openbao-2.0.0.obscpio b/openbao-2.0.0.obscpio new file mode 100644 index 0000000..9c39714 --- /dev/null +++ b/openbao-2.0.0.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:05f676f3bee35a4aa2bc3f7f4f9fe0d95056157c6e0de1fd1adf1080a4bcb3de +size 41563661 
diff --git a/openbao-agent.hcl.sample b/openbao-agent.hcl.sample
new file mode 100644
index 0000000..78cdc3b
--- /dev/null
+++ b/openbao-agent.hcl.sample
@@ -0,0 +1,18 @@
+vault {
+ address = "https://openbao.example.org:8200"
+ tls_skip_verify = false
+}
+
+auto_auth {
+ method {
+ type = "token_file"
+ config = {
+ token_file_path = "/var/lib/openbao/.vault-token"
+ }
+ }
+ sink "file" {
+ config = {
+ path = "/var/lib/openbao/vault-token-via-agent"
+ }
+ }
+}
diff --git a/openbao-agent.service b/openbao-agent.service
new file mode 100644
index 0000000..e1214a8
--- /dev/null
+++ b/openbao-agent.service
@@ -0,0 +1,34 @@
+[Unit]
+Description="HashiCorp Vault Agent"
+Documentation=https://github.com/openbao/openbao
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/openbao/openbao-agent.hcl
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/openbao/openbao-agent.env
+User=openbao
+Group=openbao
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/bin/openbao agent -config=/etc/openbao/openbao-agent.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
diff --git a/openbao.changes b/openbao.changes
new file mode 100644
index 0000000..a08fd2c
--- /dev/null
+++ b/openbao.changes
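Review bot: The agent unit still carries `SecureBits=keep-caps`, `AmbientCapabilities=CAP_IPC_LOCK`, `CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK` and `LimitMEMLOCK=infinity`, while the 2.0.0 entry in openbao.changes in this same commit records "Remove mlock and replace with cgroups (#363)"; if the agent indeed no longer calls mlock, these grants are privileges the process does not use and should be dropped so the unit stays at the capabilities it needs. The least-privilege shape is to remove the `SecureBits=keep-caps` and `AmbientCapabilities=CAP_IPC_LOCK` lines and trim `CapabilityBoundingSet=` to what is still required, keeping `NoNewPrivileges=yes`; whether CAP_SYSLOG is still needed cannot be told from this page, so that part should be confirmed against the agent before changing it. Separately, `Description="HashiCorp Vault Agent"` names the wrong project for a unit that starts /usr/bin/openbao; `Description="OpenBao Agent"` matches what is installed.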
@@ -0,0 +1,42 @@
+-------------------------------------------------------------------
+Thu Jul 18 12:47:17 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 2.0.0:
+ * This release does not ship with the UI enabled. The UI will be
+ available in the future. #129
+ * This release provides initial support for artifact signing.
+ * OpenBao does not provide support for Vault Enterprise features.
+ If there is an enterprise feature you would like to see added
+ to the project, please open a feature request.
+ * OpenBao is fully API compatible with Vault 1.14.9, and seal
+ compatible with the plugins the project supports. Plugin
+ support for OpenBao can be found here.
+ * Changelog
+ - Gate Docker steps behind GOOS (#412)
+ - Add GOOS matrix to release workflow (#411)
+ - Update Go version, changelog, modules for GA (#410)
+ - set bao binary version info with Goreleaser (#401)
+ - Remove cross-cluster revocation from PKI (#365)
+ - Update docs to include mlock removal RFC (#391)
+ - Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#395)
+ - Clarify fork point in FAQ (#392)
+ - docs: recreate images and diagrams (#397)
+ - Bump test-summary/action from 2.2 to 2.4 (#387)
+ - Remove mlock and replace with cgroups (#363)
+ - Downgrade test-summary/action from 2.3 to 2.2 (#381)
+ - Bump test-summary/action from 2.1 to 2.3 (#199)
+ - Bump browser-actions/setup-chrome from 1.5.0 to 1.7.1 (#377)
+ - Bump actions/github-script from 6.4.1 to 7.0.1 (#198)
+ - Bump actions/upload-artifact from 3.1.2 to 4.3.3 (#376)
+ - fix release asset parsing for download page (#378)
+ - update website dependencies (#368)
+ - docs(token): document the token format (#372)
+ - Fix artifact signing, use default runner
+ - Bump actions/configure-pages from 4 to 5 (#370)
+
+-------------------------------------------------------------------
+Sun Feb 4 08:43:31 UTC 2024 - Johannes Kastl
+
+- new package openbao: provide a software solution to manage,
+ store, and distribute sensitive data including secrets,
+ certificates, and keys (open source fork of Hashicorp Vault)
diff --git a/openbao.obsinfo b/openbao.obsinfo
new file mode 100644
index 0000000..5fbabf0
--- /dev/null
+++ b/openbao.obsinfo
@@ -0,0 +1,4 @@
+name: openbao
+version: 2.0.0
+mtime: 1721253450
+commit: 700fe3f27ab1f0ec39ce20c36f6d9d97c9fe6ac3
diff --git a/openbao.spec b/openbao.spec
new file mode 100644
index 0000000..34ead8a
--- /dev/null
+++ b/openbao.spec
@@ -0,0 +1,283 @@
+#
+# spec file for package openbao
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
+
+%define server_service_name openbao.service
+%define agent_service_name openbao-agent.service
+%define configdir_name openbao
+%define statedir_name openbao
+
+Name: openbao
+Version: 2.0.0
+Release: 0
+Summary: Manage, store, and distribute sensitive data
+License: MPL-2.0
+URL: https://github.com/openbao/openbao
+Group: Productivity/Security
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source3: %{name}-agent.service
+Source4: %{name}-agent.hcl.sample
+BuildRequires: go >= 1.22
+BuildRequires: user(openbao)
+
+%description
+OpenBao exists to provide a software solution to manage, store, and distribute
+sensitive data including secrets, certificates, and keys. The OpenBao community
+intends to provide this software under an OSI-approved open-source license, led
+by a community run under open governance principles.
+
+A modern system requires access to a multitude of secrets: database
+credentials, API keys for external services, credentials for service-oriented
+architecture communication, etc. Understanding who is accessing what secrets is
+already very difficult and platform-specific. Adding on key rolling, secure
+storage, and detailed audit logs is almost impossible without a custom
+solution. This is where OpenBao steps in.
+
+The key features of OpenBao are:
+
+* Secure Secret Storage: Arbitrary key/value secrets can be stored in OpenBao.
+ OpenBao encrypts these secrets prior to writing them to persistent storage,
+ so gaining access to the raw storage isn't enough to access your secrets.
+ OpenBao can write to disk, Consul, and more.
+* Dynamic Secrets: OpenBao can generate secrets on-demand for some systems,
+ such as AWS or SQL databases. For example, when an application needs to
+ access an S3 bucket, it asks OpenBao for credentials, and OpenBao will
+ generate an AWS keypair with valid permissions on demand. After creating
+ these dynamic secrets, OpenBao will also automatically revoke them after the
+ lease is up.
+* Data Encryption: OpenBao can encrypt and decrypt data without storing it.
+ This allows security teams to define encryption parameters and developers to
+ store encrypted data in a location such as a SQL database without having to
+ design their own encryption methods.
+* Leasing and Renewal: All secrets in OpenBao have a lease associated with
+ them. At the end of the lease, OpenBao will automatically revoke that secret.
+ Clients are able to renew leases via built-in renew APIs.
+* Revocation: OpenBao has built-in support for secret revocation. OpenBao can
+ revoke not only single secrets, but a tree of secrets, for example, all
+ secrets read by a specific user, or all secrets of a particular type.
+ Revocation assists in key rolling as well as locking down systems in the case
+ of an intrusion.
+
+%package -n %{name}-server
+Summary: OpenBao server
+BuildArch: noarch
+Requires: %{name} = %{version}
+# Require the system user and group
+Requires(pre): user(openbao)
+Requires(pre): group(openbao)
+# agent and server conflict
+Conflicts: %{name}-agent
+
+%description -n %{name}-server
+Files required to run a OpenBao server
+
+%package -n %{name}-agent
+Summary: OpenBao agent
+BuildArch: noarch
+Requires: %{name} = %{version}
+# Require the system user and group
+Requires(pre): user(openbao)
+Requires(pre): group(openbao)
+# agent and server conflict
+Conflicts: %{name}-server
+
+%description -n %{name}-agent
+Files required to run a OpenBao agent
+
+%package -n %{name}-mysql-database-plugin
+Summary: OpenBao database plugin for MySQL
+
+%description -n %{name}-mysql-database-plugin
+OpenBao database plugin for MySQL
+
+%package -n %{name}-mysql-legacy-database-plugin
+Summary: OpenBao database plugin for MySQL Legacy
+
+%description -n %{name}-mysql-legacy-database-plugin
+OpenBao database plugin for MySQL Legacy
+
+%package -n %{name}-cassandra-database-plugin
+Summary: OpenBao database plugin for Cassandra
+
+%description -n %{name}-cassandra-database-plugin
+OpenBao database plugin for Cassandra
+
+%package -n %{name}-influxdb-database-plugin
+Summary: OpenBao database plugin for InfluxDB
+
+%description -n %{name}-influxdb-database-plugin
+OpenBao database plugin for InfluxDB
+
+%package -n %{name}-postgresql-database-plugin
+Summary: OpenBao database plugin for PostgreSQL
+
+%description -n %{name}-postgresql-database-plugin
+OpenBao database plugin for PostgreSQL
+
+%prep
+%autosetup -p 1 -a 1
+
+%build
+DATE_FMT="+%%Y-%%m-%%dT%%H:%%M:%%SZ"
+BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u "${DATE_FMT}")
+go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -ldflags=" \
+ -X github.com/openbao/openbao/version.GitCommit=v%{version} \
+ -X github.com/openbao/openbao/version.BuildDate=${BUILD_DATE}" \
+ -o bin/openbao .
+
+#
+# database plugins
+#
+
+CGO_ENABLED=0 go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -o bin/mysql-database-plugin ./plugins/database/mysql/mysql-database-plugin
+
+CGO_ENABLED=0 go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -o bin/mysql-legacy-database-plugin ./plugins/database/mysql/mysql-legacy-database-plugin
+
+CGO_ENABLED=0 go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -o bin/cassandra-database-plugin ./plugins/database/cassandra/cassandra-database-plugin
+
+CGO_ENABLED=0 go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -o bin/influxdb-database-plugin ./plugins/database/influxdb/influxdb-database-plugin
+
+CGO_ENABLED=0 go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -o bin/postgresql-database-plugin ./plugins/database/postgresql/postgresql-database-plugin
+
+%install
+# Install the binary.
+install -D -m 0755 bin/%{name} %{buildroot}/%{_bindir}/%{name}
+
+# server systemd unit file
+install -D -m 0644 .release/linux/package/usr/lib/systemd/system/%{server_service_name} %{buildroot}%{_unitdir}/%{server_service_name}
+
+# fix for https://github.com/openbao/openbao/issues/274
+sed -i '/EnvironmentFile/ s/openbao\.d/openbao/' %{buildroot}%{_unitdir}/%{server_service_name}
+
+# agent systemd unit file
+install -D -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/%{agent_service_name}
+
+# configuration in /etc/openbao/
+install -d -m 0750 %{buildroot}%{_sysconfdir}/%{configdir_name}/
+install -D -m 0640 .release/linux/package/etc/%{configdir_name}/%{name}.env %{buildroot}%{_sysconfdir}/%{configdir_name}/%{name}.env
+install -D -m 0640 .release/linux/package/etc/%{configdir_name}/%{name}.env %{buildroot}%{_sysconfdir}/%{configdir_name}/%{name}-agent.env
+
+# touch configuration files
+touch %{buildroot}%{_sysconfdir}/%{configdir_name}/%{name}.hcl
+touch %{buildroot}%{_sysconfdir}/%{configdir_name}/%{name}-agent.hcl
+
+# agent configuration example
+cp %{SOURCE4} .
+
+# fix path in sample configuration
+cp .release/linux/package/etc/%{configdir_name}/%{name}.hcl %{name}.hcl.sample
+sed -i 's|/opt/%{name}|/var/lib/%{name}|g' %{name}.hcl.sample
+
+# directory in /var/lib/
+install -d -m 0755 %{buildroot}%{_sharedstatedir}/%{statedir_name}
+
+# database plugins
+for plugin in \
+ mysql-database-plugin \
+ mysql-legacy-database-plugin \
+ cassandra-database-plugin \
+ influxdb-database-plugin \
+ postgresql-database-plugin
+do
+ install -D -m 0755 bin/${plugin} %{buildroot}/%{_bindir}/%{name}-${plugin}
+done
+
+%pre -n %{name}-server
+%service_add_pre %{server_service_name}
+
+%pre -n %{name}-agent
+%service_add_pre %{agent_service_name}
+
+%post -n %{name}-server
+%service_add_post %{server_service_name}
+
+%post -n %{name}-agent
+%service_add_post %{agent_service_name}
+
+%preun -n %{name}-server
+%service_del_preun %{server_service_name}
+
+%preun -n %{name}-agent
+%service_del_preun %{agent_service_name}
+
+%postun -n %{name}-server
+%service_del_postun %{server_service_name}
+
+%postun -n %{name}-agent
+%service_del_postun %{agent_service_name}
+
+%check
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/%{name}
+
+%files -n %{name}-server
+%{_unitdir}/%{server_service_name}
+%dir %attr(750,%{name}, %{name}) %{_sysconfdir}/%{configdir_name}/
+%defattr(0640, root, %{name})
+%config(noreplace) %ghost %{_sysconfdir}/%{configdir_name}/%{name}.hcl
+%config(noreplace) %{_sysconfdir}/%{configdir_name}/%{name}.env
+%doc %{name}.hcl.sample
+%dir %attr(750,%{name}, %{name}) %{_sharedstatedir}/%{statedir_name}/
+
+%files -n %{name}-agent
+%{_unitdir}/%{agent_service_name}
+%dir %attr(750,%{name}, %{name}) %{_sysconfdir}/%{configdir_name}/
+%defattr(0640, root, %{name})
+%ghost %{_sysconfdir}/%{configdir_name}/%{name}-agent.hcl
+%config(noreplace) %{_sysconfdir}/%{configdir_name}/%{name}-agent.env
+%doc %{name}-agent.hcl.sample
+
+%files -n %{name}-mysql-database-plugin
+%{_bindir}/%{name}-mysql-database-plugin
+
+%files -n %{name}-mysql-legacy-database-plugin
+%{_bindir}/%{name}-mysql-legacy-database-plugin
+
+%files -n %{name}-cassandra-database-plugin
+%{_bindir}/%{name}-cassandra-database-plugin
+
+%files -n %{name}-influxdb-database-plugin
+%{_bindir}/%{name}-influxdb-database-plugin
+
+%files -n %{name}-postgresql-database-plugin
+%{_bindir}/%{name}-postgresql-database-plugin
+
+%changelog
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..2e79ddc
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0aca25f888dd5a3a014d20a48c4c57b09e312068e121ea418ae78832ecdb947c
+size 19525723
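Review bot: The `%files -n %{name}-agent` section does not own `%{_sharedstatedir}/%{statedir_name}/`, yet the shipped openbao-agent.hcl.sample points both `token_file_path` and the file sink at /var/lib/openbao, and that directory is packaged only in `%{name}-server`, which `Conflicts:` with the agent — so an agent-only install has nowhere to keep its token files unless an administrator creates the directory by hand with ad-hoc ownership and mode. Adding `%dir %attr(750,%{name}, %{name}) %{_sharedstatedir}/%{statedir_name}/` to the agent's `%files` section closes that gap. In both the server and agent `%files` sections the configuration directory is `%dir %attr(750,%{name}, %{name})` while the files in it are `%defattr(0640, root, %{name})`; root ownership of the files gives little protection when the service user owns the directory, because write access on the directory allows the files to be renamed or replaced, so `%dir %attr(750,root,%{name}) %{_sysconfdir}/%{configdir_name}/` would match the intent of the per-file attributes. The empty `%check` and the `%define __arch_install_post export NO_BRP_STRIP_DEBUG=true` line would both benefit from a one-line comment stating why they are there, since neither reason is visible in the spec.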