package
4.1.0-dev.63+incompatible
Repository: https://github.com/edgexfoundry/edgex-go.git
Documentation: pkg.go.dev

# README

EdgeX Foundry Security Service - Security Secretstore Setup


Go implementation of the EdgeX security-secretstore-setup service (aka edgex-vault-worker). Prior to the Ireland release, this container relied on the security-secrets-setup container to create the PKI; since then, TLS is no longer required within a single box, so that PKI step is gone. The security-secretstore-setup service also fork/execs security-file-token-provider to create the tokens, and adds shared secrets to Vault itself.

Build

Use the Makefile in the root directory of the repository to build security-secretstore-setup:

make cmd/security-secretstore-setup/security-secretstore-setup

This will create an executable located at cmd/security-secretstore-setup/ if successful.

Run security-secretstore-setup with different parameters

The binary supports multiple command line parameters:

| Parameter | Description |
|---|---|
| `-p, --profile name` | Indicate configuration profile other than default |
| `-r, --registry` | Indicates service should use Registry |
| `--insecureSkipVerify=true/false` | Indicates if skipping the server side SSL cert verification, similar to -k of curl |
| `--configfile=file.yaml` | Use a different config file (default: res/configuration.yaml) |
| `--secretStoreInterval=seconds` | Required. Indicates how long the program will pause between secret store initialization attempts until it succeeds |

An example of using the parameters can be found in the following docker compose file: https://github.com/edgexfoundry/developer-scripts/blob/master/releases/fuji/compose-files/docker-compose-fuji.yml

Docker Build

Go to the root directory of the repository and use the Makefile to build the docker container image for security-secretstore-setup:

make docker_security_secretstore_setup

It should create a docker image with the name edgexfoundry/docker_security_secretstore_setup:<version>-dev if successfully built.

Debugging Tips

  • The RevokeRootTokens setting in cmd/security-secretstore-setup/res/configuration.yaml controls whether the root token used to populate Vault is deleted when edgex-vault-worker is done. If you want to debug security-secretstore-setup, set this to false (and restore the default once you are done, so the root token is not left behind in a normal deployment). The file is YAML, so the setting looks like:

    SecretStore:
      # ...
      RevokeRootTokens: false
    
  • The edgex-vault-worker uses the compose-files_secret-store-config volume to store its token. To copy the root token from edgex-vault-worker, use

    docker run --rm -v compose-secret-store-config:/openbao/config alpine:latest cat /openbao/config/assets/resp-init.json > resp-init.json
    
  • To verify the root token

    docker exec -ti edgex-secret-store sh -l
    export VAULT_SKIP_VERIFY=true
    export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
    bao token lookup
    

    where s.xxxxxxxxxxxxxxxx is the root_token member of resp-init.json

    Note: if you are examining the vault with a non-root token (e.g. a microservice token), you must use the exact path to the key; you cannot drill down as you can with the root token.

  • To explore the vault

    docker exec -ti edgex-secret-store sh -l
    export VAULT_SKIP_VERIFY=true
    export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
    bao kv list secret/
    

    and drill down from there. To read a key use bao kv get or bao read.

    docker exec -ti edgex-secret-store sh -l
    export VAULT_SKIP_VERIFY=true
    export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
    bao kv get /secret/edgex/redis/redis5
    

    Note: you can set the environment variables on the docker command line with -e and avoid the additional shell commands.

    docker exec -e VAULT_SKIP_VERIFY=true ...
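The debugging tips above can be tied together in one small script. This is an added example, not part of edgex-go: it reads resp-init.json out of the volume, extracts the root_token field without exporting it into an interactive shell, and runs `bao token lookup` through `docker exec -e`. The volume name, container name and JSON layout are assumed to be the ones shown in this README; the field is parsed with sed so that jq is not required.

```shell
#!/bin/sh
# Added example (not edgex-go code). Assumes the volume and container
# names used in this README and the resp-init.json layout written by
# the secret store's init step ("root_token": "...").

# Extract the root_token value from a resp-init.json body read on stdin.
# Prints nothing and returns 1 if the field is missing, so a caller never
# passes an empty VAULT_TOKEN by accident.
extract_root_token() {
    token=$(sed -n 's/.*"root_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$token" ] || return 1
    printf '%s\n' "$token"
}

# Stream resp-init.json from the secret-store-config volume (same docker
# run as in the README, but to stdout instead of a file on disk).
dump_resp_init() {
    docker run --rm -v "${1:-compose-secret-store-config}:/openbao/config" \
        alpine:latest cat /openbao/config/assets/resp-init.json
}

# Run a bao subcommand inside edgex-secret-store, handing the token over
# with -e so it does not end up in a shell history file.
bao_with_token() {
    token="$1"; shift
    docker exec -e VAULT_SKIP_VERIFY=true -e VAULT_TOKEN="$token" \
        edgex-secret-store bao "$@"
}

# Verify the root token end to end: dump, extract, lookup.
# Usage (after sourcing this file): lookup_root_token [volume-name]
lookup_root_token() {
    token=$(dump_resp_init "$1" | extract_root_token) || {
        echo "root_token not found in resp-init.json" >&2
        return 1
    }
    bao_with_token "$token" token lookup
}
```

Once the token is known, `bao_with_token "$token" kv list secret/` explores the store the same way the interactive session above does.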