Add the HashiCorp Vault demo

Signed-off-by: Kailun Qin <kailun.qin@intel.com>
2021-04-14 14:54:02 -04:00 · 2021-04-14 14:54:02 -04:00 · 0f23ddb14e
commit 0f23ddb14e
parent 47349c8d1b
5 changed files with 124 additions and 0 deletions
--- a/.github/workflows/demo_test.yml
+++ b/.github/workflows/demo_test.yml
@ -479,3 +479,33 @@ jobs:
      run: |
        sleep ${{ env.nap_time }};
        docker exec enclave_ra_tls_test bash -c "/opt/enclave-tls/bin/enclave-tls-client"
+
+  vault_test:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v1
+      with:
+        submodules: true
+
+    - name: Get occlum version
+      run: echo "OCCLUM_VERSION=$(grep "Version =" src/pal/include/occlum_version.h |  awk '{print $4}')" >> $GITHUB_ENV
+
+    - name: Create container
+      run: docker run -itd --name=vault_test -v $GITHUB_WORKSPACE:/root/occlum occlum/occlum:${{ env.OCCLUM_VERSION }}-ubuntu18.04
+
+    - name: Build dependencies
+      run: docker exec vault_test bash -c "cd /root/occlum; make submodule"
+
+    - name: Make install
+      run: docker exec vault_test bash -c "cd /root/occlum; OCCLUM_RELEASE_BUILD=y make install"
+
+    - name: Download and build HashiCorp Vault
+      run: docker exec vault_test bash -c "cd /root/occlum/demos/golang/vault && ./prepare_vault.sh"
+
+    - name: Run the Vault server on Occlum
+      run: docker exec vault_test bash -c "cd /root/occlum/demos/golang/vault && SGX_MODE=SIM ./run_occlum_vault_server.sh"
+
+    - name: Run the Vault client
+      run: |
+        sleep ${{ env.nap_time }};
+        docker exec vault_test bash -c "cd /root/occlum/demos/golang/vault && ./run_occlum_vault_test.sh"
--- a/demos/golang/vault/README.md
+++ b/demos/golang/vault/README.md
@ -0,0 +1,19 @@
+# Run HashiCorp Vault with Occlum
+
+This project demonstrates how Occlum enables [HashiCorp Vault](https://github.com/hashicorp/vault) in SGX enclaves.
+
+Step 1: Download Vault source code and build the Vault executable
+```
+./prepare_vault.sh
+```
+Once completed, the resulting Vault source code can be found in the `source_code` directory with the built binary located in `./source_code/bin`.
+
+Step 2: Run Vault server in `dev` mode with a custom initial root token inside SGX enclave with Occlum
+```
+./run_occlum_vault_server.sh
+```
+
+Step 3: In another terminal, run Vault `kv` CLI for interacting with Vault's key/value secrets engine
+```
+./run_occlum_vault_test.sh
+```
--- a/demos/golang/vault/prepare_vault.sh
+++ b/demos/golang/vault/prepare_vault.sh
@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+src_dir="./source_code"
+vault="$src_dir/bin/vault"
+
+if [ -f "$vault" ]; then
+    echo "Warning: the current working directory has Vault already downloaded and built"
+    exit 1
+fi
+
+# download the source code of Vault v1.7.0
+wget https://github.com/hashicorp/vault/archive/refs/tags/v1.7.0.tar.gz
+mkdir -p $src_dir && tar -xvzf v1.7.0.tar.gz -C $src_dir --strip-components=1
+
+# build Vault executable
+pushd $src_dir
+occlum-go build -o bin/vault
+popd
--- a/demos/golang/vault/run_occlum_vault_server.sh
+++ b/demos/golang/vault/run_occlum_vault_server.sh
@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+BLUE='\033[1;34m'
+NC='\033[0m'
+
+vault="./source_code/bin/vault"
+
+if [ ! -f $vault ];then
+    echo "Error: cannot stat file '$vault'"
+    echo "Please see README and build it using Occlum Golang toolchain"
+    exit 1
+fi
+
+# 1. Init Occlum Workspace
+rm -rf occlum_instance
+occlum new occlum_instance
+cd occlum_instance
+new_json="$(jq '.resource_limits.user_space_size = "2560MB" |
+	.resource_limits.kernel_space_heap_size="320MB" |
+	.resource_limits.kernel_space_stack_size="10MB" |
+	.process.default_stack_size = "40MB" |
+	.process.default_heap_size = "320MB" |
+	.process.default_mmap_size = "960MB" ' Occlum.json)" && \
+echo "${new_json}" > Occlum.json
+
+# 2. Copy executable into Occlum Workspace and build
+cp ../source_code/bin/vault image/bin
+occlum build
+
+# 3. Run the Hashicorp Vault server listening on "127.0.0.1:8200" 
+echo -e "${BLUE}occlum run /bin/vault server -dev -dev-no-store-token -dev-root-token-id mytoken${NC}"
+time occlum run /bin/vault server -dev -dev-no-store-token -dev-root-token-id mytoken &
--- a/demos/golang/vault/run_occlum_vault_test.sh
+++ b/demos/golang/vault/run_occlum_vault_test.sh
@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+
+BLUE='\033[1;34m'
+NC='\033[0m'
+
+vault="./source_code/bin/vault"
+
+if [ ! -f $vault ];then
+    echo "Error: cannot stat file '$vault'"
+    echo "Please see README and build it using Occlum Golang toolchain"
+    exit 1
+fi
+
+# "127.0.0.1:8200" is the address bound to in "dev" mode
+export VAULT_ADDR=http://127.0.0.1:8200
+export VAULT_TOKEN=mytoken
+
+echo -e "${BLUE}$vault kv put secret/creds passcode=occlum${NC}"
+$vault kv put secret/creds passcode=occlum
+
+echo -e "${BLUE}$vault kv get secret/creds${NC}"
+$vault kv get secret/creds