README
¶
EdgeX Foundry Security Service - Security Secretstore Setup
Go implementation of EdgeX security-secretstore-setup service (aka edgex-vault-worker). Prior to the Ireland release, the container relies on the security-secrets-setup container to create the PKI, in which the requirements of TLS in a single box are no more. security-secretstore-setup service also fork/execs security-file-token-provider to create the tokens, and adds shared secrets to Vault itself.
Build
Use the Makefile in the root directory of the repository to build security-secretstore-setup:
make cmd/security-secretstore-setup/security-secretstore-setup
This will create an executable located at cmd/security-secretstore-setup/ if successful.
Run security-secretstore-setup with different parameters
The binary supports multiple command line parameters
| Parameter | Description |
|---|---|
-p, --profile name |
Indicate configuration profile other than default |
| -r, --registry | Indicates service should use Registry |
--insecureSkipVerify=true/false |
Indicates if skipping the server side SSL cert verifcation, similar to -k of curl |
--configfile=file.yaml |
Use a different config file (default: res/configuration.yaml) |
--secretStoreInterval=seconds |
Required Indicates how long the program will pause between secret store initialization attempts until it succeeds |
An example of using the parameters can be found in the following docker compose file: https://github.com/edgexfoundry/developer-scripts/blob/master/releases/fuji/compose-files/docker-compose-fuji.yml
Docker Build
Go to the root directory of the repository and use the Makefile to build the docker container image for security-secretstore-setup:
make docker_security_secretstore_setup
It should create a docker image with the name edgexfoundry/docker_security_secretstore_setup:<version>-dev if sucessfully built.
Debugging Tips
-
The RevokeRootTokens in
cmd/security-secretstore-setup/res/configuration.yamlcontrols whether the root token used to populate Vault is deleted at when edgex-vault-worker is done. If you want to debugsecurity-secretstore-setup, set this to false:SecretStore ... RevokeRootTokens = false -
The edgex-vault-worker uses compose-files_secret-store-config volume to store its token. To copy the root token from edgex-vault-worker, use
docker run --rm -v compose-secret-store-config:/openbao/config alpine:latest cat /openbao/config/assets/resp-init.json > resp-init.json -
To verify the root token
docker exec -ti edgex-secret-store sh -l export VAULT_SKIP_VERIFY=true export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx bao token lookupwhere
s.xxxxxxxxxxxxxxxxis the root_token member ofresp-init.jsonNote if you are examining the vault with a non-root token (e.g. a microservice token) you must use the exact path to the key; you cannot drill down as you can with the root token.
-
To explore the vault
docker exec -ti edgex-secret-store sh -l export VAULT_SKIP_VERIFY=true export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx bao kv list secret/and drill down from there. To read a key use
bao kv getorbao read.docker exec -ti edgex-secret-store sh -l export VAULT_SKIP_VERIFY=true export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx bao kv get /secret/edgex/redis/redis5Note you can set the environment variables on the docker command line with
-eand avoid the additional shell commands.docker exec -e VAULT_SKIP_VERIFY=true ...
Documentation
¶
There is no documentation for this package.
Source Files