From 0f23ddb14e056cfe168d7304fcf55170ec2bb9cc Mon Sep 17 00:00:00 2001
From: Kailun Qin
Date: Wed, 14 Apr 2021 14:54:02 -0400
Subject: [PATCH] Add the HashiCorp Vault demo
Signed-off-by: Kailun Qin
---
 .github/workflows/demo_test.yml | 30 +++++++++++++++++
 demos/golang/vault/README.md | 19 +++++++++++
 demos/golang/vault/prepare_vault.sh | 19 +++++++++++
 demos/golang/vault/run_occlum_vault_server.sh | 33 +++++++++++++++++++
 demos/golang/vault/run_occlum_vault_test.sh | 23 +++++++++++++
 5 files changed, 124 insertions(+)
 create mode 100644 demos/golang/vault/README.md
 create mode 100755 demos/golang/vault/prepare_vault.sh
 create mode 100755 demos/golang/vault/run_occlum_vault_server.sh
 create mode 100755 demos/golang/vault/run_occlum_vault_test.sh
diff --git a/.github/workflows/demo_test.yml b/.github/workflows/demo_test.yml
index 4f96866f..03523993 100644
--- a/.github/workflows/demo_test.yml
+++ b/.github/workflows/demo_test.yml
@@ -479,3 +479,33 @@ jobs:
 run: |
 sleep ${{ env.nap_time }};
 docker exec enclave_ra_tls_test bash -c "/opt/enclave-tls/bin/enclave-tls-client"
+
+ vault_test:
+ runs-on: ubuntu-18.04
+ steps:
+ - uses: actions/checkout@v1
+ with:
+ submodules: true
+
+ - name: Get occlum version
+ run: echo "OCCLUM_VERSION=$(grep "Version =" src/pal/include/occlum_version.h | awk '{print $4}')" >> $GITHUB_ENV
+
+ - name: Create container
+ run: docker run -itd --name=vault_test -v $GITHUB_WORKSPACE:/root/occlum occlum/occlum:${{ env.OCCLUM_VERSION }}-ubuntu18.04
+
+ - name: Build dependencies
+ run: docker exec vault_test bash -c "cd /root/occlum; make submodule"
+
+ - name: Make install
+ run: docker exec vault_test bash -c "cd /root/occlum; OCCLUM_RELEASE_BUILD=y make install"
+
+ - name: Download and build HashiCorp Vault
+ run: docker exec vault_test bash -c "cd /root/occlum/demos/golang/vault && ./prepare_vault.sh"
+
+ - name: Run the Vault server on Occlum
+ run: docker exec vault_test bash -c "cd /root/occlum/demos/golang/vault && SGX_MODE=SIM ./run_occlum_vault_server.sh"
+
+ - name: Run the Vault client
+ run: |
+ sleep ${{ env.nap_time }};
+ docker exec vault_test bash -c "cd /root/occlum/demos/golang/vault && ./run_occlum_vault_test.sh"
diff --git a/demos/golang/vault/README.md b/demos/golang/vault/README.md
new file mode 100644
index 00000000..6d8f3018
--- /dev/null
+++ b/demos/golang/vault/README.md
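Review bot: `$GITHUB_WORKSPACE` and `$GITHUB_ENV` are expanded unquoted in the `Create container` and `Get occlum version` steps; both are runner-provided absolute paths so this works today, but `-v "$GITHUB_WORKSPACE:/root/occlum"` and `>> "$GITHUB_ENV"` cost nothing and keep the steps correct if the runner ever places the checkout under a path with spaces. The job also pins `actions/checkout@v1`, which is the oldest line of that action; a newer major (`actions/checkout@v2`) was already available when this was written and is what new jobs should start from. The enclosing `jobs:` mapping starts outside the hunk, so whether the sibling jobs already follow these conventions cannot be seen here.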
@@ -0,0 +1,19 @@
+# Run HashiCorp Vault with Occlum
+
+This project demonstrates how Occlum enables [HashiCorp Vault](https://github.com/hashicorp/vault) in SGX enclaves.
+
+Step 1: Download Vault source code and build the Vault executable
+```
+./prepare_vault.sh
+```
+Once completed, the resulting Vault source code can be found in the `source_code` directory with the built binary located in `./source_code/bin`.
+
+Step 2: Run Vault server in `dev` mode with a custom initial root token inside SGX enclave with Occlum
+```
+./run_occlum_vault_server.sh
+```
+
+Step 3: In another terminal, run Vault `kv` CLI for interacting with Vault's key/value secrets engine
+```
+./run_occlum_vault_test.sh
+```
diff --git a/demos/golang/vault/prepare_vault.sh b/demos/golang/vault/prepare_vault.sh
new file mode 100755
index 00000000..7ee570fd
--- /dev/null
+++ b/demos/golang/vault/prepare_vault.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+src_dir="./source_code"
+vault="$src_dir/bin/vault"
+
+if [ -f "$vault" ]; then
+ echo "Warning: the current working directory has Vault already downloaded and built"
+ exit 1
+fi
+
+# download the source code of Vault v1.7.0
+wget https://github.com/hashicorp/vault/archive/refs/tags/v1.7.0.tar.gz
+mkdir -p $src_dir && tar -xvzf v1.7.0.tar.gz -C $src_dir --strip-components=1
+
+# build Vault executable
+pushd $src_dir
+occlum-go build -o bin/vault
+popd
diff --git a/demos/golang/vault/run_occlum_vault_server.sh b/demos/golang/vault/run_occlum_vault_server.sh
new file mode 100755
index 00000000..1ce83a40
--- /dev/null
+++ b/demos/golang/vault/run_occlum_vault_server.sh
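Review bot: The archive fetched on the `wget` line is unpacked and handed to `occlum-go build` without any integrity check, so the binary that ends up inside the enclave is only as trustworthy as the download path; pin the release digest and verify it before `tar`, e.g. `wget -O v1.7.0.tar.gz https://github.com/hashicorp/vault/archive/refs/tags/v1.7.0.tar.gz` followed by `echo "<SHA256_OF_V1_7_0_TARBALL>  v1.7.0.tar.gz" | sha256sum -c -` (the digest is a placeholder to be filled from a release source you trust). The `-O` form also fixes a second problem: a leftover `v1.7.0.tar.gz` from an earlier run makes `wget` write to `v1.7.0.tar.gz.1` while `tar` keeps extracting the stale copy. `$src_dir` is unquoted on the `mkdir`, `tar -C` and `pushd` lines although the `vault=` assignment right above quotes it; `"$src_dir"` on all three keeps the script consistent with itself.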
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+BLUE='\033[1;34m'
+NC='\033[0m'
+
+vault="./source_code/bin/vault"
+
+if [ ! -f $vault ];then
+ echo "Error: cannot stat file '$vault'"
+ echo "Please see README and build it using Occlum Golang toolchain"
+ exit 1
+fi
+
+# 1. Init Occlum Workspace
+rm -rf occlum_instance
+occlum new occlum_instance
+cd occlum_instance
+new_json="$(jq '.resource_limits.user_space_size = "2560MB" |
+ .resource_limits.kernel_space_heap_size="320MB" |
+ .resource_limits.kernel_space_stack_size="10MB" |
+ .process.default_stack_size = "40MB" |
+ .process.default_heap_size = "320MB" |
+ .process.default_mmap_size = "960MB" ' Occlum.json)" && \
+echo "${new_json}" > Occlum.json
+
+# 2. Copy executable into Occlum Workspace and build
+cp ../source_code/bin/vault image/bin
+occlum build
+
+# 3. Run the Hashicorp Vault server listening on "127.0.0.1:8200"
+echo -e "${BLUE}occlum run /bin/vault server -dev -dev-no-store-token -dev-root-token-id mytoken${NC}"
+time occlum run /bin/vault server -dev -dev-no-store-token -dev-root-token-id mytoken &
diff --git a/demos/golang/vault/run_occlum_vault_test.sh b/demos/golang/vault/run_occlum_vault_test.sh
new file mode 100755
index 00000000..314a8e6e
--- /dev/null
+++ b/demos/golang/vault/run_occlum_vault_test.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+
+BLUE='\033[1;34m'
+NC='\033[0m'
+
+vault="./source_code/bin/vault"
+
+if [ ! -f $vault ];then
+ echo "Error: cannot stat file '$vault'"
+ echo "Please see README and build it using Occlum Golang toolchain"
+ exit 1
+fi
+
+# "127.0.0.1:8200" is the address bound to in "dev" mode
+export VAULT_ADDR=http://127.0.0.1:8200
+export VAULT_TOKEN=mytoken
+
+echo -e "${BLUE}$vault kv put secret/creds passcode=occlum${NC}"
+$vault kv put secret/creds passcode=occlum
+
+echo -e "${BLUE}$vault kv get secret/creds${NC}"
+$vault kv get secret/creds
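Review bot: The last line, `time occlum run ... &`, backgrounds the server and the script then ends, so under `set -e` its exit status says nothing about whether Vault actually came up; a start-up failure such as port 8200 already being bound is only discovered by whoever runs the client next. Capturing the child, `time occlum run /bin/vault server -dev -dev-no-store-token -dev-root-token-id mytoken & server_pid=$!`, and then either `wait "$server_pid"` or printing the PID for the caller gives the workflow something concrete to check. The `if [ ! -f $vault ];then` test leaves `$vault` unquoted although `prepare_vault.sh` quotes the same variable; `if [ ! -f "$vault" ]; then` matches it. The `# 3.` comment would also benefit from stating that `mytoken` is a dev-mode root token that `run_occlum_vault_test.sh` hardcodes too, so the two scripts must be changed together.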
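Review bot: `$vault kv put secret/creds passcode=occlum` passes the secret value on the command line, where it is visible in process listings and shell history, and the `echo -e` line above it prints the value again in colour; the Vault CLI reads a value from stdin when it is given as `passcode=-`, so a demo that shows the intended handling would write the put as `printf '%s' occlum | "$vault" kv put secret/creds passcode=-`. The script also assumes the server started by `run_occlum_vault_server.sh` is already listening, and with `set -e` the first `kv put` simply aborts if it is not, which is why the workflow has to guess a `sleep`; a short readiness loop after the two `export` lines makes the script self-sufficient and is sketched below. `$vault` is unquoted in the `[ ! -f $vault ];then` test and in both CLI calls; `"$vault"` is the safe form throughout.
```shell
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=mytoken

# wait for the dev server; `vault status` exits 0 once the server is up and unsealed
for ((i = 1; i <= 30; i++)); do
  "$vault" status >/dev/null 2>&1 && break
  sleep 1
done
"$vault" status >/dev/null 2>&1 || { echo "Error: no Vault server reachable at $VAULT_ADDR" >&2; exit 1; }

# … unchanged: kv put / kv get …
```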