vault-action/docker-compose.yml

# Copyright IBM Corp. 2019, 2025
# SPDX-License-Identifier: MIT

# Start vault server locally for the purposes of integration tests.
version: "3.0"
services:
  vault:
    image: hashicorp/vault:2.0.0
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: testtoken
      SKIP_SETCAP: "true"
      VAULT_LOCAL_CONFIG: '{"disable_mlock": true}'
    ports:
      - 8200:8200
    privileged: true
    healthcheck:
      test: ["CMD-SHELL", "VAULT_ADDR=http://127.0.0.1:8200 vault status"]
      interval: 1s
      timeout: 5s
      retries: 5
  vault-enterprise:
    image: hashicorp/vault-enterprise:2.0-ent
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: testtoken
      VAULT_LICENSE: ${VAULT_LICENSE_CI}
      SKIP_SETCAP: "true"
      VAULT_LOCAL_CONFIG: '{"disable_mlock": true}'
    ports:
      - 8200:8200
    privileged: true
    healthcheck:
      test: ["CMD-SHELL", "VAULT_ADDR=http://127.0.0.1:8200 vault status"]
      interval: 1s
      timeout: 5s
      retries: 30
  vault-tls:
    image: hashicorp/vault:2.0.0
    hostname: vault-tls
    environment:
      # Used by the vault CLI in the healthcheck to trust the CA
      VAULT_CAPATH: /etc/vault/ca.crt
      SKIP_SETCAP: "true"
      VAULT_LOCAL_CONFIG: '{"disable_mlock": true}'
    ports:
    - 8200:8200
    privileged: true
    healthcheck:
      # Exit 2 means sealed-but-running, which is acceptable during startup
      test:
        - CMD-SHELL
        - |
          export VAULT_ADDR=https://127.0.0.1:8200 VAULT_CACERT=/etc/vault/ca.crt VAULT_CLIENT_CERT=/etc/vault/client.crt VAULT_CLIENT_KEY=/etc/vault/client.key
          vault status; s=$$?; [ $$s -eq 0 ] || [ $$s -eq 2 ]
      interval: 1s
      timeout: 5s
      retries: 30
    volumes:
    # Certs generated by scripts/gen-tls-certs.sh into .build/certs/
    - ${PWD}/.build/certs:/etc/vault
    # tmpfs gives the non-root vault user write access without chown tricks;
    # ephemeral storage is fine since tests always reinitialize vault from scratch
    tmpfs: /var/lib/vault
    entrypoint: vault server -config=/etc/vault/config.hcl