feat(security): Add security-redis-bootstrap service

Signed-off-by: André Srinivasan <[email protected]>

Author: andresrinivasan

.gitignore

@@ -84,3 +84,5 @@ support-notifications-client/
 support-notifications/
 support-rulesengine/
 support-scheduler/
+
+docker-compose-nexus-dev.yml

compose-builder/README.md

@@ -61,8 +61,6 @@ This folder contains the following environment files:
     This file contains the common environment overrides used by all Edgex services.
 - **common-security.env**
     This file contains the common security related environment overrides used by many Edgex services.
-- **database-security.env**
-    This file contains the database specific security related environment overrides used by a few Edgex services.
 
 ### Makefile
 

compose-builder/add-security.yml

@@ -68,11 +68,9 @@ services:
       - security-secrets-setup
 
   security-secrets-setup:
-    image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-secrets-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
+    image: ${CORE_EDGEX_REPOSITORY}/docker-security-secrets-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
     container_name: edgex-secrets-setup
     hostname: edgex-secrets-setup
-    env_file:
-      - database-security.env
     read_only: true
     tmpfs:
       - /tmp
@@ -84,11 +82,9 @@ services:
       - /tmp/edgex/secrets:/tmp/edgex/secrets:z
 
   vault-worker:
-    image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-security-secretstore-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
+    image: ${CORE_EDGEX_REPOSITORY}/docker-security-secretstore-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
     container_name: edgex-vault-worker
     hostname: edgex-vault-worker
-    env_file:
-      - database-security.env
     environment:
       SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done
     read_only: true
@@ -106,6 +102,29 @@ services:
       - consul
       - vault
 
+  security-bootstrap-database:
+    image: ${CORE_EDGEX_REPOSITORY}/docker-security-bootstrap-redis-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
+    container_name: edgex-security-bootstrap-database
+    hostname: edgex-security-bootstrap-database
+    env_file:
+      - common.env
+      - common-security.env
+    environment:
+      SERVICE_HOST: edgex-security-bootstrap-redis
+      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-security-bootstrap-redis/secrets-token.json 
+    read_only: true
+    networks:
+      - edgex-network
+    tmpfs:
+      - /run
+      - /vault
+    volumes:
+      - /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z
+      - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
+    depends_on:
+      - vault-worker
+      - database
+
 # containers for reverse proxy
   kong-db:
     image: postgres:${POSTGRES_VERSION}
@@ -196,7 +215,7 @@ services:
       - kong-migrations
 
   edgex-proxy:
-    image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-security-proxy-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
+    image: ${CORE_EDGEX_REPOSITORY}/docker-security-proxy-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV}
     container_name: edgex-proxy
     hostname: edgex-proxy
     entrypoint: >
@@ -227,23 +246,6 @@ services:
 
 # end of containers for reverse proxy
 
-  database:
-    env_file:
-      - database-security.env
-    command: |
-      /bin/sh -c "
-      until [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME} ]; do sleep 1; done
-      exec /usr/local/bin/docker-entrypoint.sh --requirepass `cat $${REDIS5_PASSWORD_PATHNAME}` \
-        --dir /data \
-        --save 900 1 \
-        --save 300 10 \
-        --save 60 10000
-      "
-    volumes:
-      - /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z
-    depends_on:
-      - vault-worker
-
   notifications:
     env_file:
       - common-security.env
@@ -254,6 +256,7 @@ services:
       - /tmp/edgex/secrets/edgex-support-notifications:/tmp/edgex/secrets/edgex-support-notifications:ro,z
     depends_on:
       - vault-worker
+      - security-bootstrap-database
 
   metadata:
     env_file:
@@ -265,6 +268,7 @@ services:
       - /tmp/edgex/secrets/edgex-core-metadata:/tmp/edgex/secrets/edgex-core-metadata:ro,z
     depends_on:
       - vault-worker
+      - security-bootstrap-database
 
   data:
     env_file:
@@ -276,6 +280,7 @@ services:
       - /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z
     depends_on:
       - vault-worker
+      - security-bootstrap-database
 
   command:
     env_file:
@@ -287,6 +292,7 @@ services:
       - /tmp/edgex/secrets/edgex-core-command:/tmp/edgex/secrets/edgex-core-command:ro,z
     depends_on:
       - vault-worker
+      - security-bootstrap-database
 
   scheduler:
     env_file:
@@ -298,3 +304,4 @@ services:
       - /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z
     depends_on:
       - vault-worker
+      - security-bootstrap-database

compose-builder/database-security.env

@@ -63,6 +63,7 @@ services:
     - consul
     - database
     - metadata
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -120,6 +121,7 @@ services:
     - consul
     - database
     - metadata
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -150,13 +152,7 @@ services:
     - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
     - /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z
   database:
-    command: "/bin/sh -c \"\nuntil [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME}\
-      \ ]; do sleep 1; done\nexec /usr/local/bin/docker-entrypoint.sh --requirepass\
-      \ `cat $${REDIS5_PASSWORD_PATHNAME}` \\\n  --dir /data \\\n  --save 900 1 \\\
-      \n  --save 300 10 \\\n  --save 60 10000\n\"\n"
     container_name: edgex-redis
-    depends_on:
-    - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
       CLIENTS_COREDATA_HOST: edgex-core-data
@@ -168,7 +164,6 @@ services:
       CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
       DATABASES_PRIMARY_HOST: edgex-redis
       EDGEX_SECURITY_SECRET_STORE: "false"
-      REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
       REGISTRY_HOST: edgex-core-consul
     hostname: edgex-redis
     image: redis:6.0.9-alpine
@@ -179,7 +174,6 @@ services:
     read_only: true
     volumes:
     - db-data:/data:z
-    - /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z
   device-rest:
     container_name: edgex-device-rest
     depends_on:
@@ -263,7 +257,7 @@ services:
       SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem
       SECRETSTORE_SERVERNAME: edgex-vault
     hostname: edgex-proxy
-    image: nexus3.edgexfoundry.org:10004/docker-edgex-security-proxy-setup-go-arm64:master
+    image: nexus3.edgexfoundry.org:10004/docker-security-proxy-setup-go-arm64:master
     networks:
       edgex-network: {}
     read_only: true
@@ -356,6 +350,7 @@ services:
     - consul
     - database
     - notifications
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -390,6 +385,7 @@ services:
     depends_on:
     - consul
     - database
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -442,6 +438,7 @@ services:
     depends_on:
     - consul
     - database
+    - security-bootstrap-database
     - vault-worker
     environment:
       CLIENTS_COMMAND_HOST: edgex-core-command
@@ -472,13 +469,44 @@ services:
     volumes:
     - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
     - /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z
+  security-bootstrap-database:
+    container_name: edgex-security-bootstrap-database
+    depends_on:
+    - database
+    - vault-worker
+    environment:
+      CLIENTS_COMMAND_HOST: edgex-core-command
+      CLIENTS_COREDATA_HOST: edgex-core-data
+      CLIENTS_DATA_HOST: edgex-core-data
+      CLIENTS_METADATA_HOST: edgex-core-metadata
+      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
+      CLIENTS_RULESENGINE_HOST: edgex-kuiper
+      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
+      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
+      DATABASES_PRIMARY_HOST: edgex-redis
+      EDGEX_SECURITY_SECRET_STORE: "true"
+      REGISTRY_HOST: edgex-core-consul
+      SECRETSTORE_HOST: edgex-vault
+      SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem
+      SECRETSTORE_SERVERNAME: edgex-vault
+      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-security-bootstrap-redis/secrets-token.json
+      SERVICE_HOST: edgex-security-bootstrap-redis
+    hostname: edgex-security-bootstrap-database
+    image: nexus3.edgexfoundry.org:10004/docker-security-bootstrap-redis-go-arm64:master
+    networks:
+      edgex-network: {}
+    read_only: true
+    tmpfs:
+    - /run
+    - /vault
+    volumes:
+    - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z
+    - /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z
   security-secrets-setup:
     command: generate
     container_name: edgex-secrets-setup
-    environment:
-      REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
     hostname: edgex-secrets-setup
-    image: nexus3.edgexfoundry.org:10004/docker-edgex-secrets-setup-go-arm64:master
+    image: nexus3.edgexfoundry.org:10004/docker-security-secrets-setup-go-arm64:master
     read_only: true
     tmpfs:
     - /tmp
@@ -553,10 +581,9 @@ services:
     - security-secrets-setup
     - vault
     environment:
-      REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password
       SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done
     hostname: edgex-vault-worker
-    image: nexus3.edgexfoundry.org:10004/docker-edgex-security-secretstore-setup-go-arm64:master
+    image: nexus3.edgexfoundry.org:10004/docker-security-secretstore-setup-go-arm64:master
     networks:
       edgex-network: {}
     read_only: true