feat: initial commit

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

vault/Dockerfile

@@ -0,0 +1,53 @@
+FROM docker.io/ubuntu:focal
+
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y curl gpg;
+
+RUN set -eux; \
+    curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg; \
+    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg]  https://packages.gramineproject.io/ focal main" > /etc/apt/sources.list.d/gramine.list
+
+RUN set -eux; \
+    curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key; \
+    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list
+
+RUN set -eux; \
+    curl -fsSLo /usr/share/keyrings/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc; \
+    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.asc] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/msprod.list
+
+# Install gramine
+RUN set -eux; \
+    apt-get update; \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y gramine \
+    libsgx-urts \
+    libsgx-enclave-common \
+    libsgx-dcap-quote-verify \
+    az-dcap-client \
+    psmisc \
+    ;
+
+RUN set -eux; \
+    curl -s -o - https://apt.releases.hashicorp.com/gpg | gpg --dearmor > /usr/share/keyrings/hashicorp-archive-keyring.gpg; \
+    echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com focal main" > /etc/apt/sources.list.d/hashicorp.list; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends vault libcap2-bin;
+
+RUN rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt/vault
+COPY vault/vault.manifest.toml vault/config.hcl vault/vault-csr.conf vault/cakey.pem vault/cacert.pem vault/start.sh ./
+RUN mkdir -p /opt/vault/data /opt/vault/.cache /opt/vault/tls && rm -rf /opt/vault/tls/*
+
+COPY vault/enclave-key.pem /tmp/
+RUN set -eux; \
+    find / -xdev -print0 | xargs -0 touch -r /usr/bin/vault || : ; \
+    gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning vault.manifest.toml vault.manifest; \
+    gramine-sgx-sign --manifest vault.manifest --output vault.manifest.sgx --key /tmp/enclave-key.pem; \
+    rm /tmp/enclave-key.pem
+
+VOLUME /opt/vault/tls
+VOLUME /opt/vault/data
+
+ENTRYPOINT ["/bin/sh", "-c"]
+CMD [ "/restart_aesm.sh ; exec gramine-sgx vault" ]

vault/cacert.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSDCCAzCgAwIBAgIUDjUfoOY4o+E38mka8ViQOPpHBhgwDQYJKoZIhvcNAQEL
+BQAwLTEZMBcGA1UECgwQVGVzdCBDQSwgTGltaXRlZDEQMA4GA1UEAwwHVGVzdCBD
+QTAeFw0yMzA2MDYwNzU4MTNaFw0yNDA2MDUwNzU4MTNaMC0xGTAXBgNVBAoMEFRl
+c3QgQ0EsIExpbWl0ZWQxEDAOBgNVBAMMB1Rlc3QgQ0EwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQD4hjplzpqaXoWL/8bex/zBStuYmBuOGvIELS5aiHfw
+XfGnOwIViIMf+ikuxASYj3AmEmPOCXXbUsARe/0cHn438rVbeFK6cJl/kXlwGMOy
+SpXbKDqrmM+U2lUyrcmHRapHvwBaKU5LKumsshurP62DlpcZ6Imasmtlm9t+NJfP
+esTEKAhzuRGwcEaOXkvksK7QXEwl3q4da4ST/+qjfnYq/gA6PFgHHWRo8qXPa62H
+pPcYkCiCfd4oYSSqH6kEeym2upDVVjtAo6y7ytQU0DNs51vR+ePL9qd3WVWnzm9z
+66V9ZUCqfU1LY4dAMEN8UH2QiXPVyFG/Y2lb7gtltI7D2D4C63vgCS657cRcOMg/
+xbiYXaVh0BQvJkznyv+IOkU8a42Uth/CX7Tv9N2n4X5accV82oUHtW3BbeYxW4Wb
+dTfsMir/q50io/l3nbPlzA28GwlZ3owdi22/Tdc+yg7NxOHPpJ6ZULK6d9n1glV5
+PDkO9J8Ad1MZwkKKMh+tPdccNarUkdBj0K8tpZqBmjhMWQddwAd5MZGWS0VBKBZb
+b5Z9ivqZ70oQSx8HKE3EGWSfT6ZJVhQ4XDAdMpw+wQcZQ+6twIpAQU3k6imJ4yGz
+ZYIOF2izn8Z4vBE4I/vKrpFci3mBDIJl59x49uAi5KpTBeeY/lLMnFLRa5sDUtLn
+kwIDAQABo2AwXjAdBgNVHQ4EFgQU4ZHyVkjYaunC0Rk9PtDsk8nALhcwHwYDVR0j
+BBgwFoAU4ZHyVkjYaunC0Rk9PtDsk8nALhcwDwYDVR0TAQH/BAUwAwEB/zALBgNV
+HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAIGigs3CZO1DdnaxZwUghMm95NAX
+D7vKYFAmoNtbVBv1NAfpv23XOhAzccEFGg20XEa1t2z0Nfct9NDXxZ2VCgU+9vws
+d96EBkufgnKrc/hLxRnVsExQxy5FKYz/d5LePeYd1OFS0bw+DRpzEnFZm34vpToj
+mku845LtHbeZEzaVdzaSu9m7YcoENGgGuOlsgvp/qB6MlxI0fHG5M2M5aLnIEyIv
+QAMmX42eJ09jhaLr8dl2zLImyIYO0dMO0NNl5gU01cpJ5REHJ3e3oUDUJ5ZZCL51
+/VYSd/btHYRCdH/w6FSUOGGwU38LhhbeD94103gkKS5bfIui77sY0F3jRIluVQci
+PnKzRNsfl5uL8KICDJtT6uNwkhSG4ucYNAb21eo6idzyMe4qdJz1poPjmph19rnU
+oAE/0+jqOyVErBZuRAL9wbQg1Prqx1WBsOIUyi5Y7qAUt+AuDt0uf4mdRnE1yDvw
+o0CIz3XLD1YoHXqJ/Nu1By1fI2zA0Y7osSX4SzfbD0EUXqjUyy80KrvKmJaV8lMd
+1/jGHuApNQjZFwbY+RN0OTtDk7zPAETaGz/15BEmVDpq0OAVqe0XrXpQfaYwHzzq
+TsOvVYZSj2gsDbKzM8tmCkLoS+Yh5ubxaoIE2qCjvFNXZwFzqQtDgBKQhjuE54+K
+lweZ5hgUkLPf5EW0
+-----END CERTIFICATE-----

vault/cakey.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQD4hjplzpqaXoWL
+/8bex/zBStuYmBuOGvIELS5aiHfwXfGnOwIViIMf+ikuxASYj3AmEmPOCXXbUsAR
+e/0cHn438rVbeFK6cJl/kXlwGMOySpXbKDqrmM+U2lUyrcmHRapHvwBaKU5LKums
+shurP62DlpcZ6Imasmtlm9t+NJfPesTEKAhzuRGwcEaOXkvksK7QXEwl3q4da4ST
+/+qjfnYq/gA6PFgHHWRo8qXPa62HpPcYkCiCfd4oYSSqH6kEeym2upDVVjtAo6y7
+ytQU0DNs51vR+ePL9qd3WVWnzm9z66V9ZUCqfU1LY4dAMEN8UH2QiXPVyFG/Y2lb
+7gtltI7D2D4C63vgCS657cRcOMg/xbiYXaVh0BQvJkznyv+IOkU8a42Uth/CX7Tv
+9N2n4X5accV82oUHtW3BbeYxW4WbdTfsMir/q50io/l3nbPlzA28GwlZ3owdi22/
+Tdc+yg7NxOHPpJ6ZULK6d9n1glV5PDkO9J8Ad1MZwkKKMh+tPdccNarUkdBj0K8t
+pZqBmjhMWQddwAd5MZGWS0VBKBZbb5Z9ivqZ70oQSx8HKE3EGWSfT6ZJVhQ4XDAd
+Mpw+wQcZQ+6twIpAQU3k6imJ4yGzZYIOF2izn8Z4vBE4I/vKrpFci3mBDIJl59x4
+9uAi5KpTBeeY/lLMnFLRa5sDUtLnkwIDAQABAoICABokGFFsHXP+XELBGTyGwa3d
+P2L6IO/eIrXQwM7yCtekMg56lPoJ3W0IJbvPD4Kyl8PRbGEYOqbiueQ86/9Ar9sX
+sv7XlbAZtvOlrCXf3PnMgZ3HSgCRtsf7/Tky8X9Ckyovy4wwSxV6ApFRPLrTHF+6
+f9NQU+ULPmO2NKy+QHeo/Lh7U4REo7kw3iMMhSQdd43gH3xeQ2dBz3S31wjyfOCB
+zilR/ppk+5JUb591PpAFiJ4zT6eGMM+DhFVGtkML53PahPCDvQDMFpe8Onmj+rzK
+Syy3gcALBkt2AJ4Bh1SkpUge1eH5Ax/abLgSO48Acmy5II+MnhipDsSGMfm1N8zp
+yjzitqay1B/8VHu8FJ7up4XbLvvhjG3uKLchARJ9pGjJ8JYdFNcxv+ZBD2H111J5
+b5XHHII1W/6wgpcB6SesasjoTe/jJhPPosvUT+QuT3IG46TDE4ct8+20kSP3vmm4
+FtgfyMFNqh7/GR42UMDjMcx+zCUPpQj9KTH1KUHnW/tQqqb0+lCwTw9vuMBxxysD
+KjG5qxaLqY9uIQ3h+hSuTGtPOIFt3uMrZMp6R1pMmWr+imPED7NAildbOqsCxI00
+1icPp43vOVdFYIlVX3FZLGUg5c9SkTv5O628HUoHQM+TPqG6bysA+w/pL2d9ByPX
+5N3LfbqPTr9PYYd6owNBAoIBAQD89s1MDFY1E6cuP8ut2avrwJzqm0u7FzCxbXC9
+PUgzUKdcVZ7ilQxEM8GRijq0HegefycPwR5oYF8OtpXsuXJ81q69jW1hYHWTSER2
+VrjWhF5TiKoaiLW1YfSX3IQRZ2zpLKRKC1IvsOzd115Yl0gjHBXlK875z3t2d61q
+grCG/QjfXer+5pJsOjxROS+lob6pDohHJLIaRYheLRVstiG+o0pk6LCVo1UPqdQN
+rZ6pUoBZjaX56alP1xexMguN1/2GRTgkk1BUdOJ/wfpQv6VW7EpdwwkVJxZ+c77P
+6zy6FkELtSCuEYt8ETmCnYzUBJs58ZSKqar4+BFD4b4w1nRTAoIBAQD7gckhaW7G
+gHZsiaGfgsnf7kVJmeBJ5WnCTAXRDUQRK+/KEz+4uyVFoeX0czIoviYOWOn6Sg4I
+qHIUkYkIG/aOCo0z5HnxoXwAA5HY/3ZLzMGlM2sqoQpPCFUQE//a5eYfSyyOVFQO
+LoJpJyPIWppYPPo6AMy/OTXl9R6I/kN98cya8scWfwakNfgA8jhnii0ezEr1WwR8
+nrK2SBhO9Rl2FcUSNXbOtk8BmcimW5IoDiATssLyReEqoQhrCgt8It90OtozT1GQ
+qjL7ZG786s02YuBddU5t27qbqFGn4XXQk3ArCFsOUqUf8Lj5U6mZ75sNRrU1O8NB
+J4Q7E+geT1fBAoIBAEmuVXPuL/n7xHlLKbd0rIfZrZsEKtXO1mcHuovUWsBfoK/b
+XJEg2tbOwHX07k5iW6buYGFNXd8HGwj9E8RE690C5xjdJdv0Lar9pLtXXTVWjucD
+6pAZ+9teMdE98NXk6ysrzpqmm4S6ovOm9JsXTXK0jogW742B6rNB/qgEcwiOkVQG
+Vhly7XlKqSD7aC51Y0R4sCcQwDO4xxSvSwtELaYKh/PGdxDO50rNq69kP8+P8USk
+ZpDZh3By9TqumgDxxa2jYcv9gKto9EREKvX0LGOaJbsTwQSBQyMH8a88FI8bRkzz
+sBYjlB5KIhcybr+eq9v/ysVs0Bj+oIDGMxCklnMCggEAcT+hl1/oN43ExV673h2A
+VUru/BNDwUKB+rFMtTNqAOlt0eoU+VOblt0ttILihSIJ9M/om4EZDKD8rXJS58nf
+nVn29vTcTAdQ1JjG5ZUyaTNLxt1+VfWptKil1NWMkb6PfmvVJkmmh7Q9mKe9Hwxd
+D3p1mgSeLUTPljpng3wqW92zKdpD90c/cFW01Ig9CbJYWtPWtOBFBvBWvGl+OJ94
+1Yk78dUNKEtDDA95IB9/knW5z+Tgj0MT/qQALGKbhUwWnjmZ4xzGN4PL7RLuPwhj
+Wyfuq2aU6DbWshx6mEOXT1H0YgwjJDHmlJlKUUpwxhX0FWhPVCcS5pWqnwd5r5w+
+gQKCAQAG6FIn1Gh0kqlMZBp0g/NXXaC+ZqKu/GzDk5o0inGaZXjlE0XlgjAHZBCn
+DlxQsZiA1rXTOZu9oIvaVD5Kqr9PmCiRc0a17CNVK6dfBHBI4+vscVaZev10BjAD
+tIvZ+E9SqP7MRWYmNeOhSVPtty9VWCwAcKFP4zhAqfykyl9EzFvLFuoYNWy36Ggm
+EpSWHzD3ju/t/31FcAWyQ3ZzN9Z6zAd909S3YvTfBRY2HLiXzKSRKT+4BzKr5UkG
+y1aXeDQQlykdxehMU7EFu9pzFR+P3iTTh93qbcSgrWIDVUjBGhnLI03wxlLN2XPA
+ddNNT9BMXrut8KdPM9+L+8v5a57L
+-----END PRIVATE KEY-----

vault/config.hcl

@@ -0,0 +1,55 @@
+# Parameter needed because of slow plugin loading
+# may be relaxed for faster machines
+#http_read_header_timeout = 0
+#http_read_timeout = 300
+
+disable_mlock = true
+ui            = false
+
+listener "tcp" {
+    address = "0.0.0.0:8210"
+    cluster_address = "0.0.0.0:8211"
+    tls_disable = false
+    tls_cert_file = "/opt/vault/tls/tls.crt"
+    tls_key_file = "/opt/vault/tls/tls.key"
+    tls_client_ca_file = "/opt/vault/cacert.pem"
+}
+
+storage "raft" {
+    path    = "/opt/vault/data/"
+    # override vial env var VAULT_RAFT_NODE_ID
+    node_id = "vault-1"
+
+    # Parameter needed because of slow plugin loading
+    # may be relaxed for faster machines
+    performance_multiplier = 200
+    #autopilot_reconcile_interval = "120s"
+    #autopilot_update_interval = "60s"
+
+    retry_join {
+        leader_api_addr = "https://vault-1:8210"
+        leader_ca_cert_file = "/opt/vault/cacert.pem"
+        leader_client_cert_file = "/opt/vault/tls/tls.crt"
+        leader_client_key_file = "/opt/vault/tls/tls.key"
+    }
+    retry_join {
+        leader_api_addr = "https://vault-2:8210"
+        leader_ca_cert_file = "/opt/vault/cacert.pem"
+        leader_client_cert_file = "/opt/vault/tls/tls.crt"
+        leader_client_key_file = "/opt/vault/tls/tls.key"
+    }
+    retry_join {
+        leader_api_addr = "https://vault-3:8210"
+        leader_ca_cert_file = "/opt/vault/cacert.pem"
+        leader_client_cert_file = "/opt/vault/tls/tls.crt"
+        leader_client_key_file = "/opt/vault/tls/tls.key"
+    }
+}
+
+# path of plugin binaries
+plugin_directory = "/opt/vault/plugins"
+
+# override via env var VAULT_API_ADDR
+api_addr = "https://vault:8210"
+# override via env var VAULT_CLUSTER_ADDR
+cluster_addr = "https://vault:8211"

vault/enclave-key.pem

@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEAwDrEJDyGnIGv/xWF4/MQtVEshpft/xGECSdjuHOU87nwCWon
+hirmOyggPPU772tobmaqRhAMHn0NwvRyFCQcSwTIjd0e/cfwH/QtEd/fp4yaw/z7
+FZmesTm+wjaobnRfPwrNHAfM8U2EQPXp1yYyjUqPVEXb/7ivdR+u7qnb0o6oNfzA
+ibRF6H+Fozj5FwepfbQ1DTauTEwdjywD+/21W+Ru5qF7SQVHYwf9OuyD4yZBm9os
+0Aqnk1nO6ZUSJfrL1gd10LoblnPUjNxwQtWhxIPyeKRYwmVpoaYL45U+6iNOkBiL
+PyGJDC+lq+AS8YtwzPOt3pUUpFh/XZyxSHla3Q8qPAikjcv1DvTiK+NVEVXoFrbs
+/uG6Ii9BSRbZ3NQH1bOLtdkW7W6GPGCMr/KuXEvIQaOpDb27/DEtvCh3T/9vrKsO
+etpTI0an6NZ1oshZ3X2TxZ9nNxh9zMvPswXBdy9O9/WybAN6a1PvIb3v66bxJW6T
+Pu87/q0DKzeMM20pAgEDAoIBgQCAJy1tfa8TAR//Y66X92B44MhZup6qC61bb5fQ
+TQ330Uqw8W+ux0QncBV9+NKfnPBJmcbZYAgUU16B+EwNbWgyAzBek2n+hUq/+B4L
+6pUaXbyCqKdju78g0SnWzxr0TZTUsd4Sr932M62Ao/E6GXcI3F+Ng+f/0HT4v8n0
+cT03CcV5UysGeC6a/65s0KYPWnD+eCNeJHQy3WkKHVf9U849QvSZwPzbWNpCBVN8
+na1CGYESkXM1XG+3kTSbuLbD/Ia8KvGsaOeVORvhXr04kD9qW2ioaisSAcXELHY7
+qFcktM1cYnDJn1/LcCH6tUlnJdGIKWYlbBcmJvhT2FqpULg5IPldNiu9ybh5yQY9
+HB0pnzg6Ldcb/aunyjdwXgcaPgdkOOpnqRYGq6yrmWk6WsnNMK/QFmgxadbfOU0i
+xjSrSYVItugHwOrH2eH842jBP2wbe1UJCOrKNytzZ3mBcb0RJbbFYjV0QzdPeVTN
+Y9ermQTt29tJVrd+Emzo8CK4+gMCgcEA4sXchskGNcoChkDpAqie0W2YLm2XDyPY
+CoiA+OVLc5lDd995Vqe2kCIC8VMMGIHhxG3NIqxrfxpH5LvqDczphyH6dlWl/O2M
+CrS/67NjCTm6935ADeR0qndYdMm5XyfYEjl5qESoq4oNq4Pg/0/P1Q/mhN8GQiKb
+qYAIHE/28dw1tsF6Kl7oqALpBXLQ/iRuFqJmrSPgQ32c5bEQUBD3F7HZq8T7V+O2
+7/jH8A1A2XddnddIe6fTqboFsghcPAHrAoHBANkBLsdTugDUKDSNa2tUo9ONPU2X
+gRg+6PDa2ZEzcL961w2laLoKwsrlb8J9GL5Q1LxHx4PGhmwDwvscPzyzXQA7ubnh
+vPQv1E2SmOSFxkmtWMfz6kcAw/wIlavAFdZPJK0ksnIWzTfi9Y92jdkar9Ny2gSj
+BoF8XgPbMeuvMV008gjXOETaCk986+gOh4LEyZ2iLYruJsRIH7n/iSDKLsXE4yQd
+ZuW68IQlJ/2a65DKDCLNgdVFVRfXWhvG++H0OwKBwQCXLpMEhgQj3AGu1fCscGng
+87rJnmS0wpAHBatQmNz3u4JP6lDkb88KwVdLjLK7AUEtnojByEeqEYVDJ/FeiJuv
+a/xO48P987KxzdVHzOyw0SdPqYAJQvhxpOWjMSY/b+Vhe6ZwLcXHsV5yV+tU39/j
+X+8DP1mBbGfGVVq9iqShPXkkgPwcP0XFV0YDoeCpbZ65wZnIwpWCU73udgrgC09l
+ITvH2KeP7SSf+y/1Xis7pOkT5Nr9Go0b0VkhWugoAUcCgcEAkKt0hOJ8AI1wIwjy
+R43CjQjTiQ+rZX9F9ec7tiJLKlHks8ObJrHXMe5Kgai7KYs4fYUvrS8ESAKB/L1/
+fczoqtJ70UEoosqNiQxl7a6EMR47L/fxhKstUrBjx9Vj5DTDHhh29rneJUH5Ck8J
+O2cf4kyRWGyvAP2UApIhR8og6M32sI962JFcNP3ymrRaVy3bvmweXJ7Egtq/0VUG
+FdwfLoNCGBOZ7nygWBjFU7ydCzFdbIkBONjjZTo8EoSn6/gnAoHBAJ/XSbhoVzkI
+CgW7gXSp+qKMhtbR2QawL3006KfQbK/sdcJ0Cyd4IfHXswrFQKV4BrL4tOxay1PT
+HoQZW5+pLTbZjz3d0tDU9WpSd6FNovoxB6lUA3ymD4ay8Zysy3FflNqOSO6XkwKq
+0GApQ6pIiDTst+LpnfgvQBDAnJXK3Hik2wDgXThXEofUoMDcGNsQ+NbdackR7/yL
+8ep5ZLAhczGi4XE471ut48CHtxKq0eGde/lHx0Origk9PPbsNoH2XA==
+-----END RSA PRIVATE KEY-----

vault/start.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+if [ ! -f /opt/vault/tls/tls.ok ]; then
+  # Generate the TLS certificates
+  cd /opt/vault/tls
+  cp ../cacert.pem ../cakey.pem ../vault-csr.conf .
+  openssl req -new -newkey rsa:4096 -keyout tls.key -out vault.csr \
+                   -config vault-csr.conf -extensions v3_req
+  openssl x509 -req -in vault.csr -days 365 -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
+                   -out tls_single.crt -extensions v3_req -extfile vault-csr.conf
+  cat tls_single.crt cacert.pem >> tls.crt
+  echo ok > tls.ok
+fi
+cd /opt/vault
+
+# Start the vault server
+exec vault server -config=/opt/vault/config.hcl -log-level=trace

vault/vault-csr.conf

@@ -0,0 +1,21 @@
+[req]
+default_bits = 4096
+prompt = no
+encrypt_key = no
+default_md = sha256
+distinguished_name = kubelet_serving
+req_extensions = v3_req
+x509_extensions = v3_req
+[ kubelet_serving ]
+O = system:nodes
+CN = system:node
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+[alt_names]
+IP.1 = 127.0.0.1
+DNS.1 = vault-1
+DNS.2 = vault-2
+DNS.3 = vault-3

vault/vault.manifest.toml

@@ -0,0 +1,69 @@
+libos.entrypoint = "/bin/bash"
+
+[loader]
+entrypoint = "file:{{ gramine.libos }}"
+argv = ["bash", "/opt/vault/start.sh"]
+# set a log level for gramine
+log_level = "{{ log_level }}"
+
+[loader.env]
+LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}"
+PATH = "{{ execdir }}"
+
+VAULT_CLUSTER_ADDR.passthrough = true
+VAULT_API_ADDR.passthrough = true
+VAULT_RAFT_NODE_ID.passthrough = true
+
+# otherwise vault will lock a lot of unused EPC memory
+VAULT_RAFT_INITIAL_MMAP_SIZE = "0"
+
+# possible tweak option, if problems with raft
+# VAULT_RAFT_DISABLE_MAP_POPULATE = "true"
+
+[fs]
+root.uri = "file:/"
+start_dir = "/root"
+mounts = [
+  { path = "{{ execdir }}", uri = "file:{{ execdir }}" },
+  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
+  { path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
+  { type = "tmpfs", path = "/var/tmp" },
+  { type = "tmpfs", path = "/tmp" },
+  { type = "tmpfs", path = "/app/.dcap-qcnl" },
+  { type = "tmpfs", path = "/app/.az-dcap-client" },
+  { path = "/lib/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
+  { type = "encrypted", path = "/opt/vault/.cache", uri = "file:/opt/vault/.cache", key_name = "_sgx_mrsigner" },
+  { type = "encrypted", path = "/opt/vault/tls", uri = "file:/opt/vault/tls", key_name = "_sgx_mrsigner" },
+  { type = "encrypted", path = "/opt/vault/data", uri = "file:/opt/vault/data", key_name = "_sgx_mrsigner" },
+]
+
+[sgx]
+debug = false
+edmm_enable = false
+enclave_size = "8G"
+max_threads = 64
+nonpie_binary = true
+remote_attestation = "dcap"
+
+trusted_files = [
+  "file:/bin/bash",
+  "file:{{ gramine.libos }}",
+  "file:{{ execdir }}/",
+  "file:{{ gramine.runtimedir() }}/",
+  "file:{{ arch_libdir }}/",
+  "file:/usr/{{ arch_libdir }}/",
+  "file:/usr/lib/ssl/openssl.cnf",
+  "file:/etc/ssl/",
+  "file:/lib/libdcap_quoteprov.so",
+  "file:/opt/vault/",
+]
+
+#file_check_policy = "allow_all_but_log"
+
+[sys]
+stack.size = "1M"
+enable_extra_runtime_domain_names_conf = true
+enable_sigterm_injection = true
+
+# vault needs flock
+experimental__enable_flock = true