feat: Add security-bootstrap-redis service

andresrinivasan · andresrinivasan · commit 8cf134df0450 · 2020-10-27T22:00:38.000Z
Signed-off-by: André Srinivasan &lt;andre@redislabs.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -84,3 +84,5 @@ support-notifications-client/
 support-notifications/
 support-rulesengine/
 support-scheduler/
+
+docker-compose-nexus-dev.yml
diff --git a/compose-builder/README.md b/compose-builder/README.md
@@ -61,8 +61,6 @@ This folder contains the following environment files:
     This file contains the common environment overrides used by all Edgex services.
 - **common-security.env**
     This file contains the common security related environment overrides used by many Edgex services.
-- **database-security.env**
-    This file contains the database specific security related environment overrides used by a few Edgex services.
 
 ### Makefile
 
diff --git a/compose-builder/add-security.yml b/compose-builder/add-security.yml
@@ -71,8 +71,6 @@ services:
     image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-secrets-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
     container_name: edgex-secrets-setup
     hostname: edgex-secrets-setup
-    env_file:
-      - database-security.env
     read_only: true
     tmpfs:
       - /tmp
@@ -87,8 +85,6 @@ services:
     image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-security-secretstore-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
     container_name: edgex-vault-worker
     hostname: edgex-vault-worker
-    env_file:
-      - database-security.env
     environment:
       SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done
     read_only: true
@@ -106,6 +102,28 @@ services:
       - consul
       - vault
 
+  security-bootstrap-database:
+    image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-security-bootstrap-redis-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
+    container_name: edgex-security-bootstrap-database
+    hostname: edgex-security-bootstrap-database
+    env_file:
+      - common.env
+      - common-security.env
+    environment:
+      SERVICE_HOST: edgex-security-bootstrap-redis
+    read_only: true
+    networks:
+      - edgex-network
+    tmpfs:
+      - /run
+      - /vault
+    volumes:
+      - /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z
+      - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
+    depends_on:
+      - vault-worker
+      - database
+
 # containers for reverse proxy
   kong-db:
     image: postgres:${POSTGRES_VERSION}
@@ -228,19 +246,6 @@ services:
 # end of containers for reverse proxy
 
   database:
-    env_file:
-      - database-security.env
-    command: |
-      /bin/sh -c "
-      until [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME} ]; do sleep 1; done
-      exec /usr/local/bin/docker-entrypoint.sh --requirepass `cat $${REDIS5_PASSWORD_PATHNAME}` \
-        --dir /data \
-        --save 900 1 \
-        --save 300 10 \
-        --save 60 10000
-      "
-    volumes:
-      - /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z
     depends_on:
       - vault-worker
 
@@ -254,6 +259,7 @@ services:
       - /tmp/edgex/secrets/edgex-support-notifications:/tmp/edgex/secrets/edgex-support-notifications:ro,z
     depends_on:
       - vault-worker
+      - security-bootstrap-database
 
   metadata:
     env_file:
@@ -265,6 +271,7 @@ services:
       - /tmp/edgex/secrets/edgex-core-metadata:/tmp/edgex/secrets/edgex-core-metadata:ro,z
     depends_on:
       - vault-worker
+      - security-bootstrap-database
 
   data:
     env_file:
@@ -276,6 +283,7 @@ services:
       - /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z
     depends_on:
       - vault-worker
+      - security-bootstrap-database
 
   command:
     env_file:
@@ -287,6 +295,7 @@ services:
       - /tmp/edgex/secrets/edgex-core-command:/tmp/edgex/secrets/edgex-core-command:ro,z
     depends_on:
       - vault-worker
+      - security-bootstrap-database
 
   scheduler:
     env_file:
@@ -298,3 +307,4 @@ services:
       - /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z
     depends_on:
       - vault-worker
+      - security-bootstrap-database
diff --git a/compose-builder/database-security.env b/compose-builder/database-security.env
diff --git a/releases/nightly-build/compose-files/docker-compose-nexus-arm64.yml b/releases/nightly-build/compose-files/docker-compose-nexus-arm64.yml
@@ -63,6 +63,7 @@ services:
     - consul
     - database
     - metadata
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -120,6 +121,7 @@ services:
     - consul
     - database
     - metadata
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -150,10 +152,6 @@ services:
     - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
     - /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z
   database:
-    command: "/bin/sh -c \"\nuntil [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME}\
-      \ ]; do sleep 1; done\nexec /usr/local/bin/docker-entrypoint.sh --requirepass\
-      \ `cat $${REDIS5_PASSWORD_PATHNAME}` \\\n  --dir /data \\\n  --save 900 1 \\\
-      \n  --save 300 10 \\\n  --save 60 10000\n\"\n"
     container_name: edgex-redis
     depends_on:
     - vault-worker
@@ -168,7 +166,6 @@ services:
       CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
       DATABASES_PRIMARY_HOST: edgex-redis
       EDGEX_SECURITY_SECRET_STORE: "false"
-      REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
       REGISTRY_HOST: edgex-core-consul
     hostname: edgex-redis
     image: redis:6.0-alpine
@@ -179,7 +176,6 @@ services:
     read_only: true
     volumes:
     - db-data:/data:z
-    - /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z
   device-rest:
     container_name: edgex-device-rest
     depends_on:
@@ -356,6 +352,7 @@ services:
     - consul
     - database
     - notifications
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -390,6 +387,7 @@ services:
     depends_on:
     - consul
     - database
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -442,6 +440,7 @@ services:
     depends_on:
     - consul
     - database
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -472,11 +471,41 @@ services:
     volumes:
     - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
     - /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z
+  security-bootstrap-database:
+    container_name: edgex-security-bootstrap-database
+    depends_on:
+    - database
+    - vault-worker
+    environment:
+      CLIENTS_COMMAND_HOST: edgex-core-command
+      CLIENTS_COREDATA_HOST: edgex-core-data
+      CLIENTS_DATA_HOST: edgex-core-data
+      CLIENTS_METADATA_HOST: edgex-core-metadata
+      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
+      CLIENTS_RULESENGINE_HOST: edgex-kuiper
+      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
+      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
+      DATABASES_PRIMARY_HOST: edgex-redis
+      EDGEX_SECURITY_SECRET_STORE: "true"
+      REGISTRY_HOST: edgex-core-consul
+      SECRETSTORE_HOST: edgex-vault
+      SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem
+      SECRETSTORE_SERVERNAME: edgex-vault
+      SERVICE_HOST: edgex-security-bootstrap-redis
+    hostname: edgex-security-bootstrap-database
+    image: nexus3.edgexfoundry.org:10004/docker-edgex-security-bootstrap-redis-go-arm64:master
+    networks:
+      edgex-network: {}
+    read_only: true
+    tmpfs:
+    - /run
+    - /vault
+    volumes:
+    - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
+    - /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z
   security-secrets-setup:
     command: generate
     container_name: edgex-secrets-setup
-    environment:
-      REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
     hostname: edgex-secrets-setup
     image: nexus3.edgexfoundry.org:10004/docker-edgex-secrets-setup-go-arm64:master
     read_only: true
@@ -553,7 +582,6 @@ services:
     - security-secrets-setup
     - vault
     environment:
-      REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
       SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done
     hostname: edgex-vault-worker
     image: nexus3.edgexfoundry.org:10004/docker-edgex-security-secretstore-setup-go-arm64:master
diff --git a/releases/nightly-build/compose-files/docker-compose-nexus.yml b/releases/nightly-build/compose-files/docker-compose-nexus.yml
@@ -63,6 +63,7 @@ services:
     - consul
     - database
     - metadata
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -120,6 +121,7 @@ services:
     - consul
     - database
     - metadata
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -150,10 +152,6 @@ services:
     - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
     - /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z
   database:
-    command: "/bin/sh -c \"\nuntil [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME}\
-      \ ]; do sleep 1; done\nexec /usr/local/bin/docker-entrypoint.sh --requirepass\
-      \ `cat $${REDIS5_PASSWORD_PATHNAME}` \\\n  --dir /data \\\n  --save 900 1 \\\
-      \n  --save 300 10 \\\n  --save 60 10000\n\"\n"
     container_name: edgex-redis
     depends_on:
     - vault-worker
@@ -168,7 +166,6 @@ services:
       CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
       DATABASES_PRIMARY_HOST: edgex-redis
       EDGEX_SECURITY_SECRET_STORE: "false"
-      REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
       REGISTRY_HOST: edgex-core-consul
     hostname: edgex-redis
     image: redis:6.0-alpine
@@ -179,7 +176,6 @@ services:
     read_only: true
     volumes:
     - db-data:/data:z
-    - /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z
   device-rest:
     container_name: edgex-device-rest
     depends_on:
@@ -356,6 +352,7 @@ services:
     - consul
     - database
     - notifications
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -390,6 +387,7 @@ services:
     depends_on:
     - consul
     - database
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -442,6 +440,7 @@ services:
     depends_on:
     - consul
     - database
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -472,11 +471,41 @@ services:
     volumes:
     - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
     - /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z
+  security-bootstrap-database:
+    container_name: edgex-security-bootstrap-database
+    depends_on:
+    - database
+    - vault-worker
+    environment:
+      CLIENTS_COMMAND_HOST: edgex-core-command
+      CLIENTS_COREDATA_HOST: edgex-core-data
+      CLIENTS_DATA_HOST: edgex-core-data
+      CLIENTS_METADATA_HOST: edgex-core-metadata
+      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
+      CLIENTS_RULESENGINE_HOST: edgex-kuiper
+      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
+      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
+      DATABASES_PRIMARY_HOST: edgex-redis
+      EDGEX_SECURITY_SECRET_STORE: "true"
+      REGISTRY_HOST: edgex-core-consul
+      SECRETSTORE_HOST: edgex-vault
+      SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem
+      SECRETSTORE_SERVERNAME: edgex-vault
+      SERVICE_HOST: edgex-security-bootstrap-redis
+    hostname: edgex-security-bootstrap-database
+    image: nexus3.edgexfoundry.org:10004/docker-edgex-security-bootstrap-redis-go:master
+    networks:
+      edgex-network: {}
+    read_only: true
+    tmpfs:
+    - /run
+    - /vault
+    volumes:
+    - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
+    - /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z
   security-secrets-setup:
     command: generate
     container_name: edgex-secrets-setup
-    environment:
-      REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
     hostname: edgex-secrets-setup
     image: nexus3.edgexfoundry.org:10004/docker-edgex-secrets-setup-go:master
     read_only: true
@@ -553,7 +582,6 @@ services:
     - security-secrets-setup
     - vault
     environment:
-      REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
       SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done
     hostname: edgex-vault-worker
     image: nexus3.edgexfoundry.org:10004/docker-edgex-security-secretstore-setup-go:master
