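# Copyright IBM Corp. 2019, 2026
# SPDX-License-Identifier: MIT
#
# Start a Vault server locally for the purposes of integration tests.
#
# All three services publish host port 8200, so only one of them is expected
# to be up at a time (e.g. `docker compose up vault`).
#
# The dev-mode services run with a fixed, well-known root token, so every
# port is published on the loopback interface only: a dev Vault listening on
# all interfaces of a CI runner or a laptop would hand that root token to
# anyone on the network.
version: "3.0"

services:
  # Open-source Vault in dev mode (in-memory storage, auto-unsealed).
  vault:
    image: hashicorp/vault:2.0.0
    environment:
      # Test-only credential; never reuse it outside these tests.
      VAULT_DEV_ROOT_TOKEN_ID: testtoken
      # The image entrypoint would otherwise run `setcap cap_ipc_lock` on the
      # binary, which needs capabilities this container does not get.
      SKIP_SETCAP: "true"
      VAULT_LOCAL_CONFIG: '{"disable_mlock": true}'
    ports:
      - "127.0.0.1:8200:8200"
    # No `privileged: true` here: with setcap skipped and mlock disabled the
    # dev server needs nothing beyond the default capability set.
    healthcheck:
      test: ["CMD-SHELL", "VAULT_ADDR=http://127.0.0.1:8200 vault status"]
      interval: 1s
      timeout: 5s
      retries: 5

  # Vault Enterprise in dev mode; needs a licence supplied by the CI
  # environment (VAULT_LICENSE_CI) — keep it out of the repository.
  vault-enterprise:
    image: hashicorp/vault-enterprise:2.0-ent
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: testtoken
      VAULT_LICENSE: ${VAULT_LICENSE_CI}
      SKIP_SETCAP: "true"
      VAULT_LOCAL_CONFIG: '{"disable_mlock": true}'
    ports:
      - "127.0.0.1:8200:8200"
    # Same reasoning as `vault` above: no extra capabilities are required.
    healthcheck:
      test: ["CMD-SHELL", "VAULT_ADDR=http://127.0.0.1:8200 vault status"]
      interval: 1s
      timeout: 5s
      retries: 30

  # Vault with TLS and mutual-TLS client auth, started from config.hcl
  # (non-dev mode: it comes up sealed and the tests initialize it themselves).
  vault-tls:
    image: hashicorp/vault:2.0.0
    # Presumably matches a SAN in the server certificate produced by
    # scripts/gen-tls-certs.sh — verify there if other services reach this
    # container by name over the compose network.
    hostname: vault-tls
    environment:
      # VAULT_CACERT takes a single PEM file; the previous VAULT_CAPATH expects
      # a *directory* of PEM files. The healthcheck below also exports it
      # explicitly, so the CLI trusts the test CA either way.
      VAULT_CACERT: /etc/vault/ca.crt
      # NOTE(review): the `entrypoint:` override below bypasses the image's
      # docker-entrypoint.sh, which is what consumes SKIP_SETCAP and
      # VAULT_LOCAL_CONFIG. Confirm config.hcl sets disable_mlock itself and
      # check which user the server runs as under the override.
      SKIP_SETCAP: "true"
      VAULT_LOCAL_CONFIG: '{"disable_mlock": true}'
    ports:
      - "127.0.0.1:8200:8200"
    # Kept only until the mlock question above is settled: if config.hcl does
    # not disable mlock, the server needs CAP_IPC_LOCK and `privileged` is the
    # only thing currently providing it. Drop it once confirmed unnecessary.
    privileged: true
    healthcheck:
      # `vault status` exits 0 when unsealed and 2 when sealed-but-running;
      # sealed is acceptable here because the tests initialize and unseal.
      test:
        - CMD-SHELL
        - |
          export VAULT_ADDR=https://127.0.0.1:8200 VAULT_CACERT=/etc/vault/ca.crt VAULT_CLIENT_CERT=/etc/vault/client.crt VAULT_CLIENT_KEY=/etc/vault/client.key
          vault status; s=$$?; [ $$s -eq 0 ] || [ $$s -eq 2 ]
      interval: 1s
      timeout: 5s
      retries: 30
    volumes:
      # Certs generated by scripts/gen-tls-certs.sh into .build/certs/, mounted
      # read-only so nothing inside the container can alter the CA or keys.
      - ${PWD}/.build/certs:/etc/vault:ro
    # tmpfs gives the non-root vault user write access without chown tricks;
    # ephemeral storage is fine since tests always reinitialize vault from scratch
    tmpfs: /var/lib/vault
    entrypoint: vault server -config=/etc/vault/config.hcl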