Date: Thu, 19 Sep 2024 01:02:06 GMT From: Vladimir Druzenko <vvd@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: a9cd810269d1 - main - security/openbao: New port: open source, community-driven fork of Vault Message-ID: <202409190102.48J126L7072485@gitrepo.freebsd.org>
The branch main has been updated by vvd:
URL: https://cgit.FreeBSD.org/ports/commit/?id=a9cd810269d14464f96a966c1fb9ee8fb46e937c
commit a9cd810269d14464f96a966c1fb9ee8fb46e937c
Author: jake <jake@metalrip.com>
AuthorDate: 2024-09-19 01:00:38 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-09-19 01:00:38 +0000
security/openbao: New port: open source, community-driven fork of Vault
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. The OpenBao community intends to provide this software under an OSI-approved open-source license, led by a community run under open governance principles.
https://openbao.org
https://github.com/openbao/openbao
PR: 280619
---
 GIDs | 2 +-
 UIDs | 2 +-
 security/Makefile | 1 +
 security/openbao/Makefile | 43 +++++++++++++++++
 security/openbao/distinfo | 15 ++++++
 security/openbao/files/openbao.in | 89 +++++++++++++++++++++++++++++++++++
 security/openbao/files/pkg-message.in | 25 ++++++++++
 security/openbao/pkg-descr | 4 ++
 8 files changed, 179 insertions(+), 2 deletions(-)
diff --git a/GIDs b/GIDs
index f1ee5df2c001..141d231797f1 100644
--- a/GIDs
+++ b/GIDs
@@ -422,7 +422,7 @@ prometheus:*:478:
 alertmanager:*:479:
 datadog:*:480:
 promxy:*:481:
-# free: 482
+openbao:*:482:
 # free: 483
 # free: 484
 # free: 485
diff --git a/UIDs b/UIDs
index f08bffe259fb..ce212d8f54c8 100644
--- a/UIDs
+++ b/UIDs
@@ -427,7 +427,7 @@ prometheus:*:478:478::0:0:Prometheus Daemon:/var/tmp/prometheus:/usr/sbin/nologi
 alertmanager:*:479:479::0:0:Alertmanager Daemon:/var/tmp/alertmanager:/usr/sbin/nologin
 datadog:*:480:480::0:0:DataDog Agent:/var/db/datadog:/usr/sbin/nologin
 promxy:*:481:481::0:0:Promxy Daemon:/nonexistent:/usr/sbin/nologin
-# free: 482
+openbao:*:482:482:daemon:0:0:OpenBao Daemon:/nonexistent:/usr/sbin/nologin
 # free: 483
 # free: 484
 # free: 485
diff --git a/security/Makefile b/security/Makefile
index a467e32175b7..7bb427dbe75c 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -427,6 +427,7 @@
  SUBDIR += olm
  SUBDIR += onionscan
  SUBDIR += op
+ SUBDIR += openbao
  SUBDIR += openbsm
  SUBDIR += openca-ocspd
  SUBDIR += openconnect
diff --git a/security/openbao/Makefile b/security/openbao/Makefile
new file mode 100644
index 000000000000..d51626734576
--- /dev/null
+++ b/security/openbao/Makefile
@@ -0,0 +1,43 @@
+PORTNAME= openbao
+DISTVERSIONPREFIX= v
+DISTVERSION= 2.0.1
+CATEGORIES= security
+MASTER_SITES+= https://raw.githubusercontent.com/${PORTNAME}/${PORTNAME}/${DISTVERSIONFULL}/
+DISTFILES= go.mod \
+ api/go.mod \
+ api/auth/approle/go.mod \
+ api/auth/kubernetes/go.mod \
+ api/auth/userpass/go.mod \
+ sdk/go.mod
+
+MAINTAINER= jake@metalrip.com
+COMMENT= Tool for securely accessing secrets
+WWW= https://openbao.org/
+
+LICENSE= MPL20
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+USES= go:1.22,modules
+USE_GITHUB= yes
+USE_RC_SUBR= ${PORTNAME}
+
+GO_MODULE= github.com/${PORTNAME}/${PORTNAME}
+GO_TARGET= :${BIN_NAME}
+GO_BUILDFLAGS= -ldflags="-s \
+ -X ${GO_MODULE}/version.GitCommit=${GITID} \
+ -X ${GO_MODULE}/version.BuildDate=${SOURCE_DATE_EPOCH} \
+ -X ${GO_MODULE}/version.fullVersion=${DISTVERSION}"
+
+SUB_FILES= pkg-message
+SUB_LIST= USER=${USERS} GROUP=${GROUPS}
+USERS= ${PORTNAME}
+GROUPS= ${PORTNAME}
+
+PLIST_FILES= bin/${BIN_NAME}
+
+BIN_NAME= bao
+GITID= 700fe3f27ab1f0ec39ce20c36f6d9d97c9fe6ac3
+SOURCE_DATE_EPOCH= ${TIMEEPOCHNOW:gmtime}
+TIMEEPOCHNOW= %Y-%m-%dT%H:%M:%SZ
+
+.include <bsd.port.mk>
diff --git a/security/openbao/distinfo b/security/openbao/distinfo
new file mode 100644
index 000000000000..62c87346076f
--- /dev/null
+++ b/security/openbao/distinfo
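Review bot: `SOURCE_DATE_EPOCH= ${TIMEEPOCHNOW:gmtime}` feeds the wall-clock time of the build into `-X ${GO_MODULE}/version.BuildDate=...`, so two builds of the same commit yield different binaries; that defeats reproducible builds and makes it harder to confirm that a shipped `bao` binary corresponds to the tagged source. The name is also misleading: by the reproducible-builds convention `SOURCE_DATE_EPOCH` holds a fixed Unix timestamp taken from the source, whereas here it holds a formatted current time, and if the build environment exports that variable this assignment would shadow it (inferred from the convention, not from the page). I'd rename it, e.g. `BUILD_DATE= ${TIMEEPOCHNOW:gmtime}` and `-X ${GO_MODULE}/version.BuildDate=${BUILD_DATE}`, and consider deriving the value from a fixed source such as the commit date rather than the build time.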
@@ -0,0 +1,15 @@
+TIMESTAMP = 1726704320
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/go.mod) = 07afdd23371122e726777b23ce81437992633589629dcaadc173109f58ba5e98
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/go.mod) = 18131
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/go.mod) = aae819cfafff9f54e6e58983b0277797a4744df72f7db2e3d81ffac32ce960b6
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/go.mod) = 1525
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/approle/go.mod) = 37d743ea994960230616092168903b7e806607fbda94757b28d646be105bee4c
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/approle/go.mod) = 182
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/kubernetes/go.mod) = cf1312fefbf43849805eb13b283556f500f246635c4f39f459908d854dacf41a
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/kubernetes/go.mod) = 185
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/userpass/go.mod) = 41994758ed7b2ba521e641b3ea77a46371e748ce675fffd39ed1b87eb64342ec
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/api/auth/userpass/go.mod) = 183
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/sdk/go.mod) = df45cdcb8dd0c366f9b49ed401f2a9087a28f8d25fdef627d0998dfca0449eda
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/sdk/go.mod) = 4653
+SHA256 (go/security_openbao/openbao-openbao-v2.0.1_GH0/openbao-openbao-v2.0.1_GH0.tar.gz) = 820f9dcc1a42982dbdb87fefceb714e2a9600f5aeeeafcf1ea2509c774d1a42f
+SIZE (go/security_openbao/openbao-openbao-v2.0.1_GH0/openbao-openbao-v2.0.1_GH0.tar.gz) = 15762632
diff --git a/security/openbao/files/openbao.in b/security/openbao/files/openbao.in
new file mode 100644
index 000000000000..27989dfd3e77
--- /dev/null
+++ b/security/openbao/files/openbao.in
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+# PROVIDE: openbao
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# openbao_enable (bool): Set it to YES to enable openbao.
+# Default is "NO".
+# openbao_user (user): Set user to run openbao.
+# Default is "%%USER%%".
+# openbao_group (group): Set group to run openbao.
+# Default is "%%GROUP%%".
+# openbao_config (file): Set openbao config file.
+# Default is "%%PREFIX%%/etc/openbao.hcl".
+# openbao_syslog_output_enable (bool): Set to enable syslog output.
+# Default is "NO". See daemon(8).
+# openbao_syslog_output_priority (str): Set syslog priority if syslog enabled.
+# Default is "info". See daemon(8).
+# openbao_syslog_output_facility (str): Set syslog facility if syslog enabled.
+# Default is "daemon". See daemon(8).
+# openbao_limits_mlock (size): Allowed memorylocked value in size.
+# Default is 1024M.
+
+. /etc/rc.subr
+
+name=openbao
+rcvar=openbao_enable
+
+load_rc_config $name
+
+: ${openbao_enable:="NO"}
+: ${openbao_user:="%%USER%%"}
+: ${openbao_group:="%%GROUP%%"}
+: ${openbao_config:="%%PREFIX%%/etc/openbao.hcl"}
+: ${openbao_limits_mlock:="1024M"}
+: ${openbao_limits:="-l ${openbao_limits_mlock}"}
+
+DAEMON=$(/usr/sbin/daemon 2>&1 | grep -q syslog ; echo $?)
+if [ ${DAEMON} -eq 0 ]; then
+ : ${openbao_syslog_output_enable:="NO"}
+ : ${openbao_syslog_output_priority:="info"}
+ : ${openbao_syslog_output_facility:="daemon"}
+ if checkyesno openbao_syslog_output_enable; then
+ openbao_syslog_output_flags="-T ${name}"
+
+ if [ -n "${openbao_syslog_output_priority}" ]; then
+ openbao_syslog_output_flags="${openbao_syslog_output_flags} -s ${openbao_syslog_output_priority}"
+ fi
+
+ if [ -n "${openbao_syslog_output_facility}" ]; then
+ openbao_syslog_output_flags="${openbao_syslog_output_flags} -l ${openbao_syslog_output_facility}"
+ fi
+ fi
+else
+ openbao_syslog_output_enable="NO"
+ openbao_syslog_output_flags=""
+fi
+
+pidfile=/var/run/openbao.pid
+procname="%%PREFIX%%/bin/bao"
+command="/usr/sbin/daemon"
+command_args="-f -t ${name} ${openbao_syslog_output_flags} -p ${pidfile} /usr/bin/env ${openbao_env} ${procname} server -config=${openbao_config}"
+
+extra_commands="reload monitor"
+monitor_cmd=openbao_monitor
+start_precmd=openbao_startprecmd
+required_files="$openbao_config"
+
+openbao_monitor()
+{
+ sig_reload=USR1
+ run_rc_command "reload"
+}
+
+openbao_startprecmd()
+{
+ if [ ! -e ${pidfile} ]; then
+ install -o ${openbao_user} -g ${openbao_group} /dev/null ${pidfile};
+ fi
+
+ if [ ! -d ${openbao_dir} ]; then
+ install -d -o ${openbao_user} -g ${openbao_group} ${openbao_dir}
+ fi
+}
+
+run_rc_command "$1"
diff --git a/security/openbao/files/pkg-message.in b/security/openbao/files/pkg-message.in
new file mode 100644
index 000000000000..31d07d759a13
--- /dev/null
+++ b/security/openbao/files/pkg-message.in
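Review bot: `openbao_dir` and `openbao_env` are referenced (in `openbao_startprecmd` and in `command_args`) but are neither documented in the header comment nor given a default next to the other `: ${openbao_*:=...}` knobs, unlike every other rc.conf variable this script reads. With `openbao_dir` unset, `[ ! -d ${openbao_dir} ]` expands to the two-argument form `test ! -d`, which is false, so the data directory is silently never created, and should that branch ever run with an empty value `install -d` would be invoked with no target. I'd add `: ${openbao_env:=""}` and `: ${openbao_dir:="<data-dir placeholder>"}` alongside the other defaults and document both in the header, e.g. `# openbao_dir (path): Directory created and chowned to openbao_user on start.` and `# openbao_env (str): Extra environment passed to the daemon via env(1).`. A short comment above `openbao_limits` saying it is consumed by rc.subr rather than by this script would also help, since nothing here reads it; that it is applied through rc.subr's limits handling is inferred from rc.subr conventions, so please confirm.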
@@ -0,0 +1,25 @@
+[
+{ type: install
+ message: <<EOM
+The %%USER%% user created by the bao package is now a member of the daemon
+class, which will allow it to use mlock() when started by the rc script. This
+will not be reflected in systems where the user already exists. Please add the
+bao user to the daemon class manually by running:
+
+pw usermod -L daemon -n %%USER%%
+
+or delete the user and reinstall the package.
+
+You may also need to increase memorylocked for the daemon class in
+/etc/rc.conf to more than 1024M (the default) or more:
+
+openbao_limits_mlock="2048M"
+
+Or to disable mlock, add:
+
+disable_mlock = 1
+
+to %%PREFIX%%/etc/openbao.hcl
+EOM
+}
+]
diff --git a/security/openbao/pkg-descr b/security/openbao/pkg-descr
new file mode 100644
index 000000000000..4645826c021f
--- /dev/null
+++ b/security/openbao/pkg-descr
@@ -0,0 +1,4 @@
+OpenBao is a tool for securely accessing secrets. A secret is anything that you
+want to tightly control access to, such as API keys, passwords, certificates,
+and more. OpenBao provides a unified interface to any secret, while providing
+tight access control and recording a detailed audit log.