security-secretstore-setup

command
v1.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 3, 2021 License: Apache-2.0 Imports: 3 Imported by: 0

README

EdgeX Foundry Security Service - Security Secretstore Setup

license

Go implementation of EdgeX security-secretstore-setup service (aka edgex-vault-worker). The container relies on the security-secrets-setup container to create the PKI, fork/execs security-file-token-provider to create the tokens, and adds shared secrets to Vault itself.

Build

Use the Makefile in the root directory of the repository to build security-secrets-setup:

make cmd/security-secretstore-setup/security-secretstore-setup

This will create an executable located at cmd/security-secretstore-setup/ if successful.

Run security-secretstore-setup with different parameters

The binary supports multiple command line parameters

Parameter Description
-p, --profile name Indicate configuration profile other than default
-r, --registry Indicates service should use Registry
--insecureSkipVerify=true/false Indicates if skipping the server side SSL cert verifcation, similar to -k of curl
--configfile=file.toml Use a different config file (default: res/configuration.toml)
--vaultInterval=seconds Required Indicates how long the program will pause between vault initialization attempts until it succeeds

An example of using the parameters can be found in the following docker compose file: https://github.com/edgexfoundry/developer-scripts/blob/master/releases/fuji/compose-files/docker-compose-fuji.yml

Docker Build

Go to the root directory of the repository and use the Makefile to build the docker container image for security-secretstore-setup:

make docker_security_secretstore_setup

It should create a docker image with the name edgexfoundry/docker_security_secretstore_setup:<version>-dev if sucessfully built.

Debugging Tips

  • The RevokeRootTokens in cmd/security-secretstore-setup/res/configuration.toml controls whether the root token used to populate Vault is deleted at when edgex-vault-worker is done. If you want to debug either security-secretstore-setup or security-secrets-setup, set this to false:

    [SecretService]
...
RevokeRootTokens = false

  • The edgex-vault-worker uses compose-files_vault-config volume to store its token. To copy the root token from edgex-vault-worker, use

    docker run --rm -v compose-files_vault-config:/vault/config alpine:latest cat /vault/config/assets/resp-init.json > resp-init.json

  • To verify the root token

    docker exec -ti edgex-vault sh -l
export VAULT_SKIP_VERIFY=true
export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
vault token lookup

    where s.xxxxxxxxxxxxxxxx is the root_token member of resp-init.json

    Note if you are examining the vault with a non-root token (e.g. a microservice token) you must use the exact path to the key; you cannot drill down as you can with the root token.

  • To explore the vault

    docker exec -ti edgex-vault sh -l
export VAULT_SKIP_VERIFY=true
export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
vault kv list secret/

    and drill down from there. To read a key use vault kv get or vault read.

    docker exec -ti edgex-vault sh -l
export VAULT_SKIP_VERIFY=true
export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
vault kv get /secret/edgex/redis/redis5

    Note you can set the environment variables on the docker command line with -e and avoid the additional shell commands.

    docker exec -e VAULT_SKIP_VERIFY=true ...

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.