Go implementation of EdgeX security-secretstore-setup service (aka edgex-vault-worker). Prior to the Ireland release, the container relies on the security-secrets-setup container to create the PKI, in which the requirements of TLS in a single box are no more. security-secretstore-setup service also fork/execs security-file-token-provider to create the tokens, and adds shared secrets to Vault itself.
Use the Makefile in the root directory of the repository to build security-secretstore-setup:
make cmd/security-secretstore-setup/security-secretstore-setupThis will create an executable located at cmd/security-secretstore-setup/ if successful.
The binary supports multiple command line parameters
| Parameter | Description |
|---|---|
-p, --profile name |
Indicate configuration profile other than default |
| -r, --registry | Indicates service should use Registry |
--insecureSkipVerify=true/false |
Indicates if skipping the server side SSL cert verifcation, similar to -k of curl |
--configfile=file.toml |
Use a different config file (default: res/configuration.toml) |
--vaultInterval=seconds |
Required Indicates how long the program will pause between vault initialization attempts until it succeeds |
An example of using the parameters can be found in the following docker compose file: https://github.com/edgexfoundry/developer-scripts/blob/master/releases/fuji/compose-files/docker-compose-fuji.yml
Go to the root directory of the repository and use the Makefile to build the docker container image for security-secretstore-setup:
make docker_security_secretstore_setupIt should create a docker image with the name edgexfoundry/docker_security_secretstore_setup:<version>-dev if sucessfully built.
-
The RevokeRootTokens in
cmd/security-secretstore-setup/res/configuration.tomlcontrols whether the root token used to populate Vault is deleted at when edgex-vault-worker is done. If you want to debugsecurity-secretstore-setup, set this to false:[SecretStore] ... RevokeRootTokens = false
-
The edgex-vault-worker uses compose-files_vault-config volume to store its token. To copy the root token from edgex-vault-worker, use
docker run --rm -v compose-files_vault-config:/vault/config alpine:latest cat /vault/config/assets/resp-init.json > resp-init.json -
To verify the root token
docker exec -ti edgex-vault sh -l export VAULT_SKIP_VERIFY=true export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx vault token lookup
where
s.xxxxxxxxxxxxxxxxis the root_token member ofresp-init.jsonNote if you are examining the vault with a non-root token (e.g. a microservice token) you must use the exact path to the key; you cannot drill down as you can with the root token.
-
To explore the vault
docker exec -ti edgex-vault sh -l export VAULT_SKIP_VERIFY=true export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx vault kv list secret/
and drill down from there. To read a key use
vault kv getorvault read.docker exec -ti edgex-vault sh -l export VAULT_SKIP_VERIFY=true export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx vault kv get /secret/edgex/redis/redis5
Note you can set the environment variables on the docker command line with
-eand avoid the additional shell commands.docker exec -e VAULT_SKIP_VERIFY=true ...