Manually install vault as its removed from alpine 3.19

example/acme-to-vault.nomad.hcl

@@ -45,7 +45,7 @@ job "acme-to-vault" {
       user   = 8787
 
       config {
-        image           = "danielberteaud/acme-to-vault:23.12-1"
+        image           = "danielberteaud/acme-to-vault:24.1-1"
         readonly_rootfs = true
         pids_limit      = 20
 

example/images/acme-to-vault/Dockerfile

@@ -1,6 +1,22 @@
-FROM danielberteaud/alpine:24.1-1
+FROM danielberteaud/alpine:24.1-2 AS vault
+
+ARG VAULT_VERSION=1.15.4
+
+RUN set -euxo pipefail &&\
+    apk --no-cache add \
+      curl \
+      ca-certificates \
+    &&\
+    cd /tmp &&\
+    curl -sSLO https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip &&\
+    unzip -d /usr/local/bin vault_${VAULT_VERSION}_linux_amd64.zip &&\
+    rm vault_${VAULT_VERSION}_linux_amd64.zip
+
+FROM danielberteaud/alpine:24.1-2
 MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
 
+ARG VAULT_VERSION=1.15.4
+
 ENV ACME_HTTP_PORT=8787 \
     ACME_0_CHALLENGE=http-01 \
     ACME_0_DNS_PROVIDER=gandiv5 \
@@ -10,6 +26,7 @@ ENV ACME_HTTP_PORT=8787 \
     ACME_0_KV_ACCOUNT_ROOT=kv/service/acme-to-vault/account \
     VAULT_ADDR=https://vault.service.example.org:8200
 
+COPY --from=vault /usr/local/bin/vault /usr/local/bin/vault
 RUN set -eu &&\
     apk --no-cache upgrade &&\
     apk --no-cache add \
@@ -18,16 +35,13 @@ RUN set -eu &&\
       ca-certificates \
       tini \
       lego \
-      vault \
       jq \
       supercronic \
-      libcap-utils \
     &&\
     mkdir -p /data &&\
     # Use very open permissions so we can easily mount a tmpfs over /data \
     # A /data/acme subdir will be created with restricted permissions anyway \
-    chmod 777 /data &&\
-    setcap -r /usr/sbin/vault
+    chmod 777 /data
 
 COPY root/ /
 

images/acme-to-vault/Dockerfile

@@ -1,6 +1,22 @@
+FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]] AS vault
+
+ARG VAULT_VERSION=1.15.4
+
+RUN set -euxo pipefail &&\
+    apk --no-cache add \
+      curl \
+      ca-certificates \
+    &&\
+    cd /tmp &&\
+    curl -sSLO https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip &&\
+    unzip -d /usr/local/bin vault_${VAULT_VERSION}_linux_amd64.zip &&\
+    rm vault_${VAULT_VERSION}_linux_amd64.zip
+
 FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
 MAINTAINER [[ .docker.maintainer ]]
 
+ARG VAULT_VERSION=1.15.4
+
 ENV ACME_HTTP_PORT=8787 \
     ACME_0_CHALLENGE=http-01 \
     ACME_0_DNS_PROVIDER=gandiv5 \
@@ -10,6 +26,7 @@ ENV ACME_HTTP_PORT=8787 \
     ACME_0_KV_ACCOUNT_ROOT=kv/service/acme-to-vault/account \
     VAULT_ADDR=https://vault.service.example.org:8200
 
+COPY --from=vault /usr/local/bin/vault /usr/local/bin/vault
 RUN set -eu &&\
     apk --no-cache upgrade &&\
     apk --no-cache add \
@@ -18,16 +35,13 @@ RUN set -eu &&\
       ca-certificates \
       tini \
       lego \
-      vault \
       jq \
       supercronic \
-      libcap-utils \
     &&\
     mkdir -p /data &&\
     # Use very open permissions so we can easily mount a tmpfs over /data \
     # A /data/acme subdir will be created with restricted permissions anyway \
-    chmod 777 /data &&\
-    setcap -r /usr/sbin/vault
+    chmod 777 /data
 
 COPY root/ /
 

variables.yml

@@ -5,7 +5,7 @@ instance: acme-to-vault
 
 acme:
   # The Docker image to use
-  image: '[[ .docker.repo ]]acme-to-vault:23.12-1'
+  image: '[[ .docker.repo ]]acme-to-vault:24.1-1'
 
   # If a cron expression is defined, the service will stay running and renew certs.
   # If an empty string, the container will exit after running once