README
EdgeX Foundry Security Service - Security Secretstore Setup
Go implementation of the EdgeX security-secretstore-setup service (aka edgex-vault-worker). The container relies on the security-secrets-setup container to create the PKI, forks and execs security-file-token-provider to create the per-service tokens, and adds the shared secrets to Vault itself.
Build

Use the Makefile in the root directory of the repository to build security-secretstore-setup:

```sh
make cmd/security-secretstore-setup/security-secretstore-setup
```

If the build succeeds, this creates an executable at cmd/security-secretstore-setup/security-secretstore-setup.
Run security-secretstore-setup with different parameters

The binary supports the following command line parameters:

| Parameter | Description |
|---|---|
| `-p`, `--profile name` | Use a configuration profile other than the default |
| `-r`, `--registry` | Indicates the service should use the Registry |
| `--insecureSkipVerify=true/false` | Skip server-side SSL certificate verification, similar to `-k` of curl (debugging only) |
| `--configfile=file.toml` | Use a different config file (default: res/configuration.toml) |
| `--vaultInterval=seconds` | Required. How long the program pauses between Vault initialization attempts until one succeeds |
An example of using the parameters can be found in the following docker compose file: https://github.com/edgexfoundry/developer-scripts/blob/master/releases/fuji/compose-files/docker-compose-fuji.yml
Docker Build

Go to the root directory of the repository and use the Makefile to build the Docker container image for security-secretstore-setup:

```sh
make docker_security_secretstore_setup
```

If the build succeeds, this creates a Docker image named edgexfoundry/docker_security_secretstore_setup:<version>-dev.
Debugging Tips

- The `RevokeRootTokens` setting in cmd/security-secretstore-setup/res/configuration.toml controls whether the root token used to populate Vault is revoked when edgex-vault-worker is done. If you want to debug either security-secretstore-setup or security-secrets-setup, set it to false:

  ```toml
  [SecretService]
  ...
  RevokeRootTokens = false
  ```

  Leave it at its default outside of debugging: with revocation disabled, the root token stays on the vault-config volume, and anyone who can read that volume has unrestricted access to everything in Vault.

- The edgex-vault-worker uses the compose-files_vault-config volume to store its token. To copy the root token out of that volume, use

  ```sh
  docker run --rm -v compose-files_vault-config:/vault/config alpine:latest cat /vault/config/assets/resp-init.json > resp-init.json
  ```

- To verify the root token:

  ```sh
  docker exec -ti edgex-vault sh -l
  export VAULT_SKIP_VERIFY=true
  export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
  vault token lookup
  ```

  where s.xxxxxxxxxxxxxxxx is the root_token member of resp-init.json. VAULT_SKIP_VERIFY=true disables TLS certificate verification and is only appropriate here because the local Vault uses the self-signed PKI generated by security-secrets-setup.

- To explore the vault:

  ```sh
  docker exec -ti edgex-vault sh -l
  export VAULT_SKIP_VERIFY=true
  export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
  vault kv list secret/
  ```

  and drill down from there. To read a key use `vault kv get` or `vault read`:

  ```sh
  docker exec -ti edgex-vault sh -l
  export VAULT_SKIP_VERIFY=true
  export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
  vault kv get /secret/edgex/redis/redis5
  ```

  Note that if you are examining the vault with a non-root token (e.g. a microservice token) you must use the exact path to the key; you cannot list and drill down as you can with the root token, because the per-service policies only grant access to each service's own paths.

  You can also set the environment variables on the docker command line with `-e` and avoid the additional shell commands: `docker exec -e VAULT_SKIP_VERIFY=true ...`
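As an added example (not code from the EdgeX project or from this README), the following Go program does what the second and third tips do by hand: it parses resp-init.json, extracts root_token, and calls Vault's /v1/auth/token/lookup-self API, which is what `vault token lookup` uses underneath, reporting whether the token carries the "root" policy. The embedded sample resp-init.json, the default Vault address, and the InsecureSkipVerify handling (the equivalent of VAULT_SKIP_VERIFY=true) are assumptions for illustration.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"os"
	"time"
)

// InitResponse holds the fields of the Vault `sys/init` response that
// edgex-vault-worker stores in assets/resp-init.json.
type InitResponse struct {
	Keys       []string `json:"keys"`
	KeysBase64 []string `json:"keys_base64"`
	RootToken  string   `json:"root_token"`
}

// sampleInit is a constructed stand-in for resp-init.json; the values are
// placeholders, not real unseal keys or a real token.
const sampleInit = `{"keys":["0123abcd"],"keys_base64":["ASNrzQ=="],"root_token":"s.placeholderroottoken"}`

// RootTokenFromInit extracts root_token from a resp-init.json payload.
func RootTokenFromInit(data []byte) (string, error) {
	var r InitResponse
	if err := json.Unmarshal(data, &r); err != nil {
		return "", fmt.Errorf("parse resp-init.json: %w", err)
	}
	if r.RootToken == "" {
		return "", errors.New("resp-init.json has no root_token")
	}
	return r.RootToken, nil
}

// TokenLookup performs GET /v1/auth/token/lookup-self (the call behind
// `vault token lookup`) and returns the policies attached to the token.
// skipVerify mirrors VAULT_SKIP_VERIFY=true: it disables TLS certificate
// checking and must only be used for local debugging against the self-signed PKI.
func TokenLookup(vaultAddr, token string, skipVerify bool) ([]string, error) {
	client := &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify}},
	}
	req, err := http.NewRequest(http.MethodGet, vaultAddr+"/v1/auth/token/lookup-self", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("lookup-self: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("lookup-self: vault returned %s", resp.Status)
	}
	var body struct {
		Data struct {
			Policies []string `json:"policies"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return nil, fmt.Errorf("lookup-self: decode: %w", err)
	}
	return body.Data.Policies, nil
}

// IsRoot reports whether the looked-up token carries Vault's "root" policy.
func IsRoot(policies []string) bool {
	for _, p := range policies {
		if p == "root" {
			return true
		}
	}
	return false
}

func main() {
	data := []byte(sampleInit) // default to the constructed sample
	if len(os.Args) > 1 {      // or: go run . resp-init.json
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	token, err := RootTokenFromInit(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	addr := os.Getenv("VAULT_ADDR")
	if addr == "" {
		addr = "https://localhost:8200" // assumed default; adjust to your compose network
	}
	policies, err := TokenLookup(addr, token, os.Getenv("VAULT_SKIP_VERIFY") == "true")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("policies=%v root=%v\n", policies, IsRoot(policies))
}
```

With skipVerify left false the lookup fails against the self-signed EdgeX PKI with an x509 "unknown authority" error, which is the same failure `-k` / VAULT_SKIP_VERIFY papers over; a non-root service token returns its own policy list instead of "root".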