diff --git a/.gitignore b/.gitignore
index f16b18e..3332c8e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -84,3 +84,5 @@ support-notifications-client/ support-notifications/ support-rulesengine/ support-scheduler/
+
+docker-compose-nexus-dev.yml
diff --git a/compose-builder/README.md b/compose-builder/README.md
index fc35948..fdff021 100644
--- a/compose-builder/README.md
+++ b/compose-builder/README.md
@@ -61,8 +61,6 @@ This folder contains the following environment files: This file contains the common environment overrides used by all Edgex services. - **common-security.env** This file contains the common security related environment overrides used by many Edgex services. -- **database-security.env** - This file contains the database specific security related environment overrides used by a few Edgex services. ### Makefile
diff --git a/compose-builder/add-security.yml b/compose-builder/add-security.yml
index 4ccb8ca..d344c47 100644
--- a/compose-builder/add-security.yml
+++ b/compose-builder/add-security.yml
@@ -68,11 +68,9 @@ services: - security-secrets-setup security-secrets-setup: - image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-secrets-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV} + image: ${CORE_EDGEX_REPOSITORY}/docker-security-secrets-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV} container_name: edgex-secrets-setup hostname: edgex-secrets-setup - env_file: - - database-security.env read_only: true tmpfs: - /tmp
@@ -84,11 +82,9 @@ services: - /tmp/edgex/secrets:/tmp/edgex/secrets:z vault-worker: - image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-security-secretstore-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV} + image: ${CORE_EDGEX_REPOSITORY}/docker-security-secretstore-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV} container_name: edgex-vault-worker hostname: edgex-vault-worker - env_file: - - database-security.env environment: SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done read_only: true
@@ -106,6 +102,29 @@ services: - consul - vault + security-bootstrap-database: + image: ${CORE_EDGEX_REPOSITORY}/docker-security-bootstrap-redis-go${ARCH}:${CORE_EDGEX_VERSION}${DEV} + container_name: edgex-security-bootstrap-database + hostname: edgex-security-bootstrap-database + env_file: + - common.env + - common-security.env + environment: + SERVICE_HOST: edgex-security-bootstrap-redis + SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-security-bootstrap-redis/secrets-token.json + read_only: true + networks: + - edgex-network + tmpfs: + - /run + - /vault + volumes: + - /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z + - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z + depends_on: + - vault-worker + - database + # containers for reverse proxy kong-db: image: postgres:${POSTGRES_VERSION}
@@ -196,7 +215,7 @@ services: - kong-migrations edgex-proxy: - image: ${CORE_EDGEX_REPOSITORY}/docker-edgex-security-proxy-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV} + image: ${CORE_EDGEX_REPOSITORY}/docker-security-proxy-setup-go${ARCH}:${CORE_EDGEX_VERSION}${DEV} container_name: edgex-proxy hostname: edgex-proxy entrypoint: >
@@ -227,23 +246,6 @@ services: # end of containers for reverse proxy - database: - env_file: - - database-security.env - command: | - /bin/sh -c " - until [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME} ]; do sleep 1; done - exec /usr/local/bin/docker-entrypoint.sh --requirepass `cat $${REDIS5_PASSWORD_PATHNAME}` \ - --dir /data \ - --save 900 1 \ - --save 300 10 \ - --save 60 10000 - " - volumes: - - /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z - depends_on: - - vault-worker - notifications: env_file: - common-security.env
@@ -254,6 +256,7 @@ services: - /tmp/edgex/secrets/edgex-support-notifications:/tmp/edgex/secrets/edgex-support-notifications:ro,z depends_on: - vault-worker + - security-bootstrap-database metadata: env_file:
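Review bot: `SERVICE_HOST: edgex-security-bootstrap-redis` on the new security-bootstrap-database service does not match its `hostname: edgex-security-bootstrap-database`; if the bootstrap image registers or advertises itself under SERVICE_HOST, that name will not resolve on edgex-network, while the secrets directory and token path follow the `-redis` name, so one of the two should be chosen consistently (the same mismatch is repeated in the generated docker-compose-nexus.yml and docker-compose-nexus-arm64.yml sections). Separately, `depends_on` here and the `- security-bootstrap-database` entries added to notifications, metadata, data, command and scheduler further down only order container start and do not wait for the bootstrap to finish. With the old `database:` override removed in this file, Redis no longer blocks on a password file before serving, so there is a startup window in which it is reachable on edgex-network before whatever the bootstrap container configures is in place (what it configures is not visible in this diff). Consider gating Redis or its consumers on a completion marker the way vault-worker exposes `SECRETSTORE_SETUP_DONE_FLAG`, or a healthcheck plus `condition: service_completed_successfully` where the Compose version in use supports it.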
@@ -265,6 +268,7 @@ services: - /tmp/edgex/secrets/edgex-core-metadata:/tmp/edgex/secrets/edgex-core-metadata:ro,z depends_on: - vault-worker + - security-bootstrap-database data: env_file:
@@ -276,6 +280,7 @@ services: - /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z depends_on: - vault-worker + - security-bootstrap-database command: env_file:
@@ -287,6 +292,7 @@ services: - /tmp/edgex/secrets/edgex-core-command:/tmp/edgex/secrets/edgex-core-command:ro,z depends_on: - vault-worker + - security-bootstrap-database scheduler: env_file:
@@ -298,3 +304,4 @@ services: - /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z depends_on: - vault-worker + - security-bootstrap-database
diff --git a/compose-builder/database-security.env b/compose-builder/database-security.env
deleted file mode 100644
index 5b8955d..0000000
--- a/compose-builder/database-security.env
+++ /dev/null
@@ -1 +0,0 @@
-REDIS5_PASSWORD_PATHNAME=/tmp/edgex/secrets/edgex-redis/redis5-password
diff --git a/releases/nightly-build/compose-files/docker-compose-nexus-arm64.yml b/releases/nightly-build/compose-files/docker-compose-nexus-arm64.yml
index 20bf7bd..068976b 100644
--- a/releases/nightly-build/compose-files/docker-compose-nexus-arm64.yml
+++ b/releases/nightly-build/compose-files/docker-compose-nexus-arm64.yml
@@ -63,6 +63,7 @@ services: - consul - database - metadata + - security-bootstrap-database - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command
@@ -120,6 +121,7 @@ services: - consul - database - metadata + - security-bootstrap-database - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command
@@ -150,13 +152,7 @@ services: - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z database: - command: "/bin/sh -c \"\nuntil [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME}\ - \ ]; do sleep 1; done\nexec /usr/local/bin/docker-entrypoint.sh --requirepass\ - \ `cat $${REDIS5_PASSWORD_PATHNAME}` \\\n --dir /data \\\n --save 900 1 \\\ - \n --save 300 10 \\\n --save 60 10000\n\"\n" container_name: edgex-redis - depends_on: - - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command CLIENTS_COREDATA_HOST: edgex-core-data
@@ -168,7 +164,6 @@ services: CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "false" - REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password REGISTRY_HOST: edgex-core-consul hostname: edgex-redis image: redis:6.0.9-alpine
@@ -179,7 +174,6 @@ services: read_only: true volumes: - db-data:/data:z - - /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z device-rest: container_name: edgex-device-rest depends_on:
@@ -263,7 +257,7 @@ services: SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem SECRETSTORE_SERVERNAME: edgex-vault hostname: edgex-proxy - image: nexus3.edgexfoundry.org:10004/docker-edgex-security-proxy-setup-go-arm64:master + image: nexus3.edgexfoundry.org:10004/docker-security-proxy-setup-go-arm64:master networks: edgex-network: {} read_only: true
@@ -356,6 +350,7 @@ services: - consul - database - notifications + - security-bootstrap-database - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command
@@ -390,6 +385,7 @@ services: depends_on: - consul - database + - security-bootstrap-database - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command
@@ -442,6 +438,7 @@ services: depends_on: - consul - database + - security-bootstrap-database - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command
@@ -472,13 +469,44 @@ services: volumes: - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z + security-bootstrap-database: + container_name: edgex-security-bootstrap-database + depends_on: + - database + - vault-worker + environment: + CLIENTS_COMMAND_HOST: edgex-core-command + CLIENTS_COREDATA_HOST: edgex-core-data + CLIENTS_DATA_HOST: edgex-core-data + CLIENTS_METADATA_HOST: edgex-core-metadata + CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_RULESENGINE_HOST: edgex-kuiper + CLIENTS_SCHEDULER_HOST: edgex-support-scheduler + CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem + SECRETSTORE_SERVERNAME: edgex-vault + SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-security-bootstrap-redis/secrets-token.json + SERVICE_HOST: edgex-security-bootstrap-redis + hostname: edgex-security-bootstrap-database + image: nexus3.edgexfoundry.org:10004/docker-security-bootstrap-redis-go-arm64:master + networks: + edgex-network: {} + read_only: true + tmpfs: + - /run + - /vault + volumes: + - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z + - /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z security-secrets-setup: command: generate container_name: edgex-secrets-setup - environment: - REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password hostname: edgex-secrets-setup - image: nexus3.edgexfoundry.org:10004/docker-edgex-secrets-setup-go-arm64:master + image: nexus3.edgexfoundry.org:10004/docker-security-secrets-setup-go-arm64:master read_only: true tmpfs: - /tmp 
@@ -553,10 +581,9 @@ services: - security-secrets-setup - vault environment: - REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done hostname: edgex-vault-worker - image: nexus3.edgexfoundry.org:10004/docker-edgex-security-secretstore-setup-go-arm64:master + image: nexus3.edgexfoundry.org:10004/docker-security-secretstore-setup-go-arm64:master networks: edgex-network: {} read_only: true
diff --git a/releases/nightly-build/compose-files/docker-compose-nexus.yml b/releases/nightly-build/compose-files/docker-compose-nexus.yml
index 1c4aa64..7c484ac 100644
--- a/releases/nightly-build/compose-files/docker-compose-nexus.yml
+++ b/releases/nightly-build/compose-files/docker-compose-nexus.yml
@@ -63,6 +63,7 @@ services: - consul - database - metadata + - security-bootstrap-database - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command
@@ -120,6 +121,7 @@ services: - consul - database - metadata + - security-bootstrap-database - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command
@@ -150,13 +152,7 @@ services: - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z database: - command: "/bin/sh -c \"\nuntil [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME}\ - \ ]; do sleep 1; done\nexec /usr/local/bin/docker-entrypoint.sh --requirepass\ - \ `cat $${REDIS5_PASSWORD_PATHNAME}` \\\n --dir /data \\\n --save 900 1 \\\ - \n --save 300 10 \\\n --save 60 10000\n\"\n" container_name: edgex-redis - depends_on: - - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command CLIENTS_COREDATA_HOST: edgex-core-data
@@ -168,7 +164,6 @@ services: CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "false" - REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password REGISTRY_HOST: edgex-core-consul hostname: edgex-redis image: redis:6.0.9-alpine
@@ -179,7 +174,6 @@ services: read_only: true volumes: - db-data:/data:z - - /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z device-rest: container_name: edgex-device-rest depends_on:
@@ -263,7 +257,7 @@ services: SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem SECRETSTORE_SERVERNAME: edgex-vault hostname: edgex-proxy - image: nexus3.edgexfoundry.org:10004/docker-edgex-security-proxy-setup-go:master + image: nexus3.edgexfoundry.org:10004/docker-security-proxy-setup-go:master networks: edgex-network: {} read_only: true
@@ -356,6 +350,7 @@ services: - consul - database - notifications + - security-bootstrap-database - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command
@@ -390,6 +385,7 @@ services: depends_on: - consul - database + - security-bootstrap-database - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command
@@ -442,6 +438,7 @@ services: depends_on: - consul - database + - security-bootstrap-database - vault-worker environment: CLIENTS_COMMAND_HOST: edgex-core-command
@@ -472,13 +469,44 @@ services: volumes: - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z + security-bootstrap-database: + container_name: edgex-security-bootstrap-database + depends_on: + - database + - vault-worker + environment: + CLIENTS_COMMAND_HOST: edgex-core-command + CLIENTS_COREDATA_HOST: edgex-core-data + CLIENTS_DATA_HOST: edgex-core-data + CLIENTS_METADATA_HOST: edgex-core-metadata + CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_RULESENGINE_HOST: edgex-kuiper + CLIENTS_SCHEDULER_HOST: edgex-support-scheduler + CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_ROOTCACERTPATH: /tmp/edgex/secrets/ca/ca.pem + SECRETSTORE_SERVERNAME: edgex-vault + SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-security-bootstrap-redis/secrets-token.json + SERVICE_HOST: edgex-security-bootstrap-redis + hostname: edgex-security-bootstrap-database + image: nexus3.edgexfoundry.org:10004/docker-security-bootstrap-redis-go:master + networks: + edgex-network: {} + read_only: true + tmpfs: + - /run + - /vault + volumes: + - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z + - /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z security-secrets-setup: command: generate container_name: edgex-secrets-setup - environment: - REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password hostname: edgex-secrets-setup - image: nexus3.edgexfoundry.org:10004/docker-edgex-secrets-setup-go:master + image: nexus3.edgexfoundry.org:10004/docker-security-secrets-setup-go:master read_only: true tmpfs: - /tmp 
@@ -553,10 +581,9 @@ services: - security-secrets-setup - vault environment: - REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done hostname: edgex-vault-worker - image: nexus3.edgexfoundry.org:10004/docker-edgex-security-secretstore-setup-go:master + image: nexus3.edgexfoundry.org:10004/docker-security-secretstore-setup-go:master networks: edgex-network: {} read_only: true