
Commit 5674044

authoredOct 29, 2020
feat(security): Add security-redis-bootstrap service (#334)
Signed-off-by: André Srinivasan <andre@redislabs.com>
1 parent 35483b8 commit 5674044


6 files changed

+115
-55
lines changed

 

‎.gitignore

+2
@@ -84,3 +84,5 @@ support-notifications-client/
8484
support-notifications/
8585
support-rulesengine/
8686
support-scheduler/
87+
88+
docker-compose-nexus-dev.yml

‎compose-builder/README.md

-2
@@ -61,8 +61,6 @@ This folder contains the following environment files:
6161
This file contains the common environment overrides used by all Edgex services.
6262
- **common-security.env**
6363
This file contains the common security related environment overrides used by many Edgex services.
64-
- **database-security.env**
65-
This file contains the database specific security related environment overrides used by a few Edgex services.
6664

6765
### Makefile
6866

‎compose-builder/add-security.yml

+31-24
@@ -68,11 +68,9 @@ services:
6868
- security-secrets-setup
6969

7070
security-secrets-setup:
71-
image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-secrets-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
71+
image: ${CORE_EDGEX_REPOSITORY}/docker-security-secrets-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
7272
container_name: edgex-secrets-setup
7373
hostname: edgex-secrets-setup
74-
env_file:
75-
- database-security.env
7674
read_only: true
7775
tmpfs:
7876
- /tmp
@@ -84,11 +82,9 @@ services:
8482
- /tmp/edgex/secrets:/tmp/edgex/secrets:z
8583

8684
vault-worker:
87-
image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-security-secretstore-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
85+
image: ${CORE_EDGEX_REPOSITORY}/docker-security-secretstore-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
8886
container_name: edgex-vault-worker
8987
hostname: edgex-vault-worker
90-
env_file:
91-
- database-security.env
9288
environment:
9389
SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done
9490
read_only: true
@@ -106,6 +102,29 @@ services:
106102
- consul
107103
- vault
108104

105+
security-bootstrap-database:
106+
image: ${CORE_EDGEX_REPOSITORY}/docker-security-bootstrap-redis-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
107+
container_name: edgex-security-bootstrap-database
108+
hostname: edgex-security-bootstrap-database
109+
env_file:
110+
- common.env
111+
- common-security.env
112+
environment:
113+
SERVICE_HOST: edgex-security-bootstrap-redis
114+
SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-security-bootstrap-redis/secrets-token.json
115+
read_only: true
116+
networks:
117+
- edgex-network
118+
tmpfs:
119+
- /run
120+
- /vault
121+
volumes:
122+
- /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z
123+
- /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
124+
depends_on:
125+
- vault-worker
126+
- database
127+
109128
# containers for reverse proxy
110129
kong-db:
111130
image: postgres:${POSTGRES_VERSION}
@@ -196,7 +215,7 @@ services:
196215
- kong-migrations
197216

198217
edgex-proxy:
199-
image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-security-proxy-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
218+
image: ${CORE_EDGEX_REPOSITORY}/docker-security-proxy-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
200219
container_name: edgex-proxy
201220
hostname: edgex-proxy
202221
entrypoint: >
@@ -227,23 +246,6 @@ services:
227246

228247
# end of containers for reverse proxy
229248

230-
database:
231-
env_file:
232-
- database-security.env
233-
command: |
234-
/bin/sh -c "
235-
until [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME} ]; do sleep 1; done
236-
exec /usr/local/bin/docker-entrypoint.sh --requirepass `cat $${REDIS5_PASSWORD_PATHNAME}` \
237-
--dir /data \
238-
--save 900 1 \
239-
--save 300 10 \
240-
--save 60 10000
241-
"
242-
volumes:
243-
- /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z
244-
depends_on:
245-
- vault-worker
246-
247249
notifications:
248250
env_file:
249251
- common-security.env
@@ -254,6 +256,7 @@ services:
254256
- /tmp/edgex/secrets/edgex-support-notifications:/tmp/edgex/secrets/edgex-support-notifications:ro,z
255257
depends_on:
256258
- vault-worker
259+
- security-bootstrap-database
257260

258261
metadata:
259262
env_file:
@@ -265,6 +268,7 @@ services:
265268
- /tmp/edgex/secrets/edgex-core-metadata:/tmp/edgex/secrets/edgex-core-metadata:ro,z
266269
depends_on:
267270
- vault-worker
271+
- security-bootstrap-database
268272

269273
data:
270274
env_file:
@@ -276,6 +280,7 @@ services:
276280
- /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z
277281
depends_on:
278282
- vault-worker
283+
- security-bootstrap-database
279284

280285
command:
281286
env_file:
@@ -287,6 +292,7 @@ services:
287292
- /tmp/edgex/secrets/edgex-core-command:/tmp/edgex/secrets/edgex-core-command:ro,z
288293
depends_on:
289294
- vault-worker
295+
- security-bootstrap-database
290296

291297
scheduler:
292298
env_file:
@@ -298,3 +304,4 @@ services:
298304
- /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z
299305
depends_on:
300306
- vault-worker
307+
- security-bootstrap-database
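Review bot: Deleting the `database` override (hunk `@@ -227,23 +246,6 @@`) removes the `--requirepass` startup wrapper, so Redis now comes up without a password and presumably gets its credentials applied afterwards by the new `security-bootstrap-database` container; the `- security-bootstrap-database` entries added to the notifications, metadata, data, command and scheduler `depends_on` lists (hunks from `@@ -254,6 +256,7 @@` onward) only order container start, not bootstrap completion, so those services can still connect before the bootstrap has run unless their own retry logic covers that window — the same ordering applies to the two nightly-build nexus compose files, which look generated from this overlay. A comment above the new service would make that dependency explicit, e.g. `# depends_on orders start only; consumers rely on their own database retry until this bootstrap has finished`. In the new service block, `SERVICE_HOST: edgex-security-bootstrap-redis` differs from `hostname`/`container_name: edgex-security-bootstrap-database` while matching the `SECRETSTORE_TOKENFILE` directory and the `ro,z` secrets mount; if that is deliberate, a comment such as `# SERVICE_HOST must match the token directory vault-worker provisions, so it intentionally differs from hostname` would stop a later "fix" from breaking token lookup. Whether Redis is reachable unauthenticated during the gap cannot be judged from this diff alone, since the bootstrap image's behaviour and the Redis default config are not shown here.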

‎compose-builder/database-security.env

-1
This file was deleted.

‎releases/nightly-build/compose-files/docker-compose-nexus-arm64.yml

+41-14
@@ -63,6 +63,7 @@ services:
6363
- consul
6464
- database
6565
- metadata
66+
- security-bootstrap-database
6667
- vault-worker
6768
environment:
6869
CLIENTS_COMMAND_HOST: edgex-core-command
@@ -120,6 +121,7 @@ services:
120121
- consul
121122
- database
122123
- metadata
124+
- security-bootstrap-database
123125
- vault-worker
124126
environment:
125127
CLIENTS_COMMAND_HOST: edgex-core-command
@@ -150,13 +152,7 @@ services:
150152
- /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
151153
- /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z
152154
database:
153-
command: "/bin/sh -c \"\nuntil [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME}\
154-
\ ]; do sleep 1; done\nexec /usr/local/bin/docker-entrypoint.sh --requirepass\
155-
\ `cat $${REDIS5_PASSWORD_PATHNAME}` \\\n --dir /data \\\n --save 900 1 \\\
156-
\n --save 300 10 \\\n --save 60 10000\n\"\n"
157155
container_name: edgex-redis
158-
depends_on:
159-
- vault-worker
160156
environment:
161157
CLIENTS_COMMAND_HOST: edgex-core-command
162158
CLIENTS_COREDATA_HOST: edgex-core-data
@@ -168,7 +164,6 @@ services:
168164
CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
169165
DATABASES_PRIMARY_HOST: edgex-redis
170166
EDGEX_SECURITY_SECRET_STORE: "false"
171-
REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
172167
REGISTRY_HOST: edgex-core-consul
173168
hostname: edgex-redis
174169
image: redis:6.0.9-alpine
@@ -179,7 +174,6 @@ services:
179174
read_only: true
180175
volumes:
181176
- db-data:/data:z
182-
- /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z
183177
device-rest:
184178
container_name: edgex-device-rest
185179
depends_on:
@@ -263,7 +257,7 @@ services:
263257
SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem
264258
SECRETSTORE_SERVERNAME: edgex-vault
265259
hostname: edgex-proxy
266-
image: nexus3.edgexfoundry.org:10004/docker-edgex-security-proxy-setup-go-arm64:master
260+
image: nexus3.edgexfoundry.org:10004/docker-security-proxy-setup-go-arm64:master
267261
networks:
268262
edgex-network: {}
269263
read_only: true
@@ -356,6 +350,7 @@ services:
356350
- consul
357351
- database
358352
- notifications
353+
- security-bootstrap-database
359354
- vault-worker
360355
environment:
361356
CLIENTS_COMMAND_HOST: edgex-core-command
@@ -390,6 +385,7 @@ services:
390385
depends_on:
391386
- consul
392387
- database
388+
- security-bootstrap-database
393389
- vault-worker
394390
environment:
395391
CLIENTS_COMMAND_HOST: edgex-core-command
@@ -442,6 +438,7 @@ services:
442438
depends_on:
443439
- consul
444440
- database
441+
- security-bootstrap-database
445442
- vault-worker
446443
environment:
447444
CLIENTS_COMMAND_HOST: edgex-core-command
@@ -472,13 +469,44 @@ services:
472469
volumes:
473470
- /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
474471
- /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z
472+
security-bootstrap-database:
473+
container_name: edgex-security-bootstrap-database
474+
depends_on:
475+
- database
476+
- vault-worker
477+
environment:
478+
CLIENTS_COMMAND_HOST: edgex-core-command
479+
CLIENTS_COREDATA_HOST: edgex-core-data
480+
CLIENTS_DATA_HOST: edgex-core-data
481+
CLIENTS_METADATA_HOST: edgex-core-metadata
482+
CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
483+
CLIENTS_RULESENGINE_HOST: edgex-kuiper
484+
CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
485+
CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
486+
DATABASES_PRIMARY_HOST: edgex-redis
487+
EDGEX_SECURITY_SECRET_STORE: "true"
488+
REGISTRY_HOST: edgex-core-consul
489+
SECRETSTORE_HOST: edgex-vault
490+
SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem
491+
SECRETSTORE_SERVERNAME: edgex-vault
492+
SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-security-bootstrap-redis/secrets-token.json
493+
SERVICE_HOST: edgex-security-bootstrap-redis
494+
hostname: edgex-security-bootstrap-database
495+
image: nexus3.edgexfoundry.org:10004/docker-security-bootstrap-redis-go-arm64:master
496+
networks:
497+
edgex-network: {}
498+
read_only: true
499+
tmpfs:
500+
- /run
501+
- /vault
502+
volumes:
503+
- /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
504+
- /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z
475505
security-secrets-setup:
476506
command: generate
477507
container_name: edgex-secrets-setup
478-
environment:
479-
REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
480508
hostname: edgex-secrets-setup
481-
image: nexus3.edgexfoundry.org:10004/docker-edgex-secrets-setup-go-arm64:master
509+
image: nexus3.edgexfoundry.org:10004/docker-security-secrets-setup-go-arm64:master
482510
read_only: true
483511
tmpfs:
484512
- /tmp
@@ -553,10 +581,9 @@ services:
553581
- security-secrets-setup
554582
- vault
555583
environment:
556-
REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
557584
SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done
558585
hostname: edgex-vault-worker
559-
image: nexus3.edgexfoundry.org:10004/docker-edgex-security-secretstore-setup-go-arm64:master
586+
image: nexus3.edgexfoundry.org:10004/docker-security-secretstore-setup-go-arm64:master
560587
networks:
561588
edgex-network: {}
562589
read_only: true

‎releases/nightly-build/compose-files/docker-compose-nexus.yml

+41-14
@@ -63,6 +63,7 @@ services:
6363
- consul
6464
- database
6565
- metadata
66+
- security-bootstrap-database
6667
- vault-worker
6768
environment:
6869
CLIENTS_COMMAND_HOST: edgex-core-command
@@ -120,6 +121,7 @@ services:
120121
- consul
121122
- database
122123
- metadata
124+
- security-bootstrap-database
123125
- vault-worker
124126
environment:
125127
CLIENTS_COMMAND_HOST: edgex-core-command
@@ -150,13 +152,7 @@ services:
150152
- /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
151153
- /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z
152154
database:
153-
command: "/bin/sh -c \"\nuntil [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME}\
154-
\ ]; do sleep 1; done\nexec /usr/local/bin/docker-entrypoint.sh --requirepass\
155-
\ `cat $${REDIS5_PASSWORD_PATHNAME}` \\\n --dir /data \\\n --save 900 1 \\\
156-
\n --save 300 10 \\\n --save 60 10000\n\"\n"
157155
container_name: edgex-redis
158-
depends_on:
159-
- vault-worker
160156
environment:
161157
CLIENTS_COMMAND_HOST: edgex-core-command
162158
CLIENTS_COREDATA_HOST: edgex-core-data
@@ -168,7 +164,6 @@ services:
168164
CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
169165
DATABASES_PRIMARY_HOST: edgex-redis
170166
EDGEX_SECURITY_SECRET_STORE: "false"
171-
REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
172167
REGISTRY_HOST: edgex-core-consul
173168
hostname: edgex-redis
174169
image: redis:6.0.9-alpine
@@ -179,7 +174,6 @@ services:
179174
read_only: true
180175
volumes:
181176
- db-data:/data:z
182-
- /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z
183177
device-rest:
184178
container_name: edgex-device-rest
185179
depends_on:
@@ -263,7 +257,7 @@ services:
263257
SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem
264258
SECRETSTORE_SERVERNAME: edgex-vault
265259
hostname: edgex-proxy
266-
image: nexus3.edgexfoundry.org:10004/docker-edgex-security-proxy-setup-go:master
260+
image: nexus3.edgexfoundry.org:10004/docker-security-proxy-setup-go:master
267261
networks:
268262
edgex-network: {}
269263
read_only: true
@@ -356,6 +350,7 @@ services:
356350
- consul
357351
- database
358352
- notifications
353+
- security-bootstrap-database
359354
- vault-worker
360355
environment:
361356
CLIENTS_COMMAND_HOST: edgex-core-command
@@ -390,6 +385,7 @@ services:
390385
depends_on:
391386
- consul
392387
- database
388+
- security-bootstrap-database
393389
- vault-worker
394390
environment:
395391
CLIENTS_COMMAND_HOST: edgex-core-command
@@ -442,6 +438,7 @@ services:
442438
depends_on:
443439
- consul
444440
- database
441+
- security-bootstrap-database
445442
- vault-worker
446443
environment:
447444
CLIENTS_COMMAND_HOST: edgex-core-command
@@ -472,13 +469,44 @@ services:
472469
volumes:
473470
- /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
474471
- /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z
472+
security-bootstrap-database:
473+
container_name: edgex-security-bootstrap-database
474+
depends_on:
475+
- database
476+
- vault-worker
477+
environment:
478+
CLIENTS_COMMAND_HOST: edgex-core-command
479+
CLIENTS_COREDATA_HOST: edgex-core-data
480+
CLIENTS_DATA_HOST: edgex-core-data
481+
CLIENTS_METADATA_HOST: edgex-core-metadata
482+
CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
483+
CLIENTS_RULESENGINE_HOST: edgex-kuiper
484+
CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
485+
CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
486+
DATABASES_PRIMARY_HOST: edgex-redis
487+
EDGEX_SECURITY_SECRET_STORE: "true"
488+
REGISTRY_HOST: edgex-core-consul
489+
SECRETSTORE_HOST: edgex-vault
490+
SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem
491+
SECRETSTORE_SERVERNAME: edgex-vault
492+
SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-security-bootstrap-redis/secrets-token.json
493+
SERVICE_HOST: edgex-security-bootstrap-redis
494+
hostname: edgex-security-bootstrap-database
495+
image: nexus3.edgexfoundry.org:10004/docker-security-bootstrap-redis-go:master
496+
networks:
497+
edgex-network: {}
498+
read_only: true
499+
tmpfs:
500+
- /run
501+
- /vault
502+
volumes:
503+
- /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
504+
- /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z
475505
security-secrets-setup:
476506
command: generate
477507
container_name: edgex-secrets-setup
478-
environment:
479-
REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
480508
hostname: edgex-secrets-setup
481-
image: nexus3.edgexfoundry.org:10004/docker-edgex-secrets-setup-go:master
509+
image: nexus3.edgexfoundry.org:10004/docker-security-secrets-setup-go:master
482510
read_only: true
483511
tmpfs:
484512
- /tmp
@@ -553,10 +581,9 @@ services:
553581
- security-secrets-setup
554582
- vault
555583
environment:
556-
REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
557584
SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done
558585
hostname: edgex-vault-worker
559-
image: nexus3.edgexfoundry.org:10004/docker-edgex-security-secretstore-setup-go:master
586+
image: nexus3.edgexfoundry.org:10004/docker-security-secretstore-setup-go:master
560587
networks:
561588
edgex-network: {}
562589
read_only: true
