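# Builds OpenBao from source in three stages: the web UI (node), the Go
# binary (golang), and a minimal Alpine runtime image.
#
# NOTE(review): the base image tags (node:22, golang:1.23, alpine:3.20) and
# the git tag below are mutable references. For a reproducible build whose
# inputs can be audited, pin each FROM by digest and check out a reviewed
# commit SHA rather than a tag.

# Single source of truth for the OpenBao ref, so both clones below always
# build the same revision. Override with --build-arg OPENBAO_VERSION=<ref>.
ARG OPENBAO_VERSION=v2.0.0

FROM node:22 AS web-build
# An ARG declared before the first FROM must be redeclared inside each stage
# that uses it.
ARG OPENBAO_VERSION
RUN git clone -b "${OPENBAO_VERSION}" https://github.com/openbao/openbao /usr/src/openbao
WORKDIR /usr/src/openbao
# Build the web UI; the Go build stage copies the result from http/web_ui.
RUN make ember-dist

FROM golang:1.23 AS build
ARG OPENBAO_VERSION
RUN git clone -b "${OPENBAO_VERSION}" https://github.com/openbao/openbao /usr/src/openbao
WORKDIR /usr/src/openbao
# Bring in the UI assets produced by the web-build stage.
COPY --from=web-build /usr/src/openbao/http/web_ui /usr/src/openbao/http/web_ui
RUN make bootstrap
RUN make bin

# Final image based on openbao Dockerfile
FROM alpine:3.20

ARG NAME=openbao

# Create a non-root user to run the software.
RUN addgroup "${NAME}" && adduser -S -G "${NAME}" "${NAME}"

# NOTE(review): no USER instruction is set, so the container starts as root.
# su-exec is installed here, so the entrypoint script presumably drops to the
# ${NAME} user before starting the server - confirm against
# docker-entrypoint.sh before relying on it.
RUN apk add --no-cache libcap su-exec dumb-init tzdata

# Only the compiled binary is taken from the build stage; the toolchain and
# source tree stay behind.
COPY --from=build /usr/src/openbao/bin/bao /bin/bao

# /openbao/logs is made available to use as a location to store audit logs, if
# desired; /openbao/file is made available to use as a location with the file
# storage backend, if desired; the server will be started with /openbao/config
# as the configuration directory so you can add additional config files in
# that location.
RUN mkdir -p /openbao/logs /openbao/file /openbao/config && \
    chown -R "${NAME}:${NAME}" /openbao

# Expose the logs directory as a volume since there's potentially long-running
# state in there
VOLUME /openbao/logs

# Expose the file directory as a volume since there's potentially long-running
# state in there
VOLUME /openbao/file

# 8200/tcp is the primary interface that applications use to interact with
# OpenBao.
EXPOSE 8200

# The entry point script uses dumb-init as the top-level process to reap any
# zombie processes created by OpenBao sub-processes.
COPY --from=build /usr/src/openbao/.release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
ENTRYPOINT ["docker-entrypoint.sh"]

# By default you'll get a single-node development server that stores everything
# in RAM and bootstraps itself. Don't use this configuration for production:
# a dev server starts already unsealed and serves its API without TLS. For
# anything beyond local testing, override CMD and supply a real configuration
# in /openbao/config.
CMD ["server", "-dev"]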