security-secretstore-setup

command
v1.2.2-dev.28 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 22, 2020 License: Apache-2.0 Imports: 3 Imported by: 0

README

EdgeX Foundry Security Service - Security Secretstore Setup

license

Go implementation of EdgeX security-secretstore-setup service (aka edgex-vault-worker). The container relies on the security-secrets-setup container to create the PKI, fork/execs security-file-token-provider to create the tokens, adds shared secrets to Vault itself, and then uses security-secretstore-read to share the Redis password with Redis.

Build

Use the Makefile in the root directory of the repository to build security-secrets-setup:

make cmd/security-secretstore-setup/security-secretstore-setup

This will create an executable located at cmd/security-secretstore-setup/ if successful.

Run security-secretstore-setup with different parameters

The binary supports multiple command line parameters

Parameter Description
-p, --profile name Indicate configuration profile other than default
-r, --registry Indicates service should use Registry
--insecureSkipVerify=true/false Indicates if skipping the server side SSL cert verifcation, similar to -k of curl
--configfile=file.toml Use a different config file (default: res/configuration.toml)
--vaultInterval=seconds Required Indicates how long the program will pause between vault initialization attempts until it succeeds

An example of using the parameters can be found in the following docker compose file: https://github.com/edgexfoundry/developer-scripts/blob/master/releases/fuji/compose-files/docker-compose-fuji.yml

Docker Build

Go to the root directory of the repository and use the Makefile to build the docker container image for security-secretstore-setup:

make docker_security_secretstore_setup

It should create a docker image with the name edgexfoundry/docker_security_secretstore_setup:<version>-dev if sucessfully built.

Debugging Tips

  • The RevokeRootTokens in cmd/security-secretstore-setup/res/configuration.toml controls whether the root token used to populate Vault is deleted at when edgex-vault-worker is done. Set this to false if you use edgex-vault-worker to populate the system and then want to debug either security-secretstore-setup or security-secrets-setup.

  • The edgex-vault-worker uses composefiles_vault-config volume to store its token. To copy the root token from edgex-vault-worker, use

    docker run --rm -v composefiles_vault-config:/vault/config alpine:latest cat /vault/config/assets/resp-init.json > resp-init.json
    
  • To verify the root token

    docker exec -ti edgex-vault sh -l
    export VAULT_SKIP_VERIFY=true
    export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
    vault token lookup
    

    where s.xxxxxxxxxxxxxxxx is the root_token member of resp-init.json

    Note if you are examining the vault with a non-root token (e.g. a microservice token) you must use the exact path to the key; you cannot drill down as you can with the root token.

  • To explore the vault

    docker exec -ti edgex-vault sh -l
    export VAULT_SKIP_VERIFY=true
    export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
    vault kv list secret/
    

    and drill down from there. To read a key use vault kv get or vault read.

    docker exec -ti edgex-vault sh -l
    export VAULT_SKIP_VERIFY=true
    export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
    vault kv get /secret/edgex/redis/redis5
    

    Note you can set the environment variables on the docker command line with -e and avoid the additional shell commands.

    docker exec -e VAULT_SKIP_VERIFY=true ...
    

Documentation

The Go Gopher

There is no documentation for this package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL