

refactor: Replace file based with use of Secret Provider to get Access Tokens

closes #769

BREAKING CHANGE: All App Services running with the secure Edgex Stack now need to have the SecretStore configured, a Vault token created and run with EDGEX_SECURITY_SECRET_STORE=true.

Signed-off-by: lenny <[email protected]>
lenny committed Apr 7, 2021
1 parent 1798f22 commit 75b460f
Showing 7 changed files with 30 additions and 34 deletions.
4 changes: 2 additions & 2 deletions app-service-template/go.mod
Expand Up @@ -6,9 +6,9 @@ go 1.15

require (
github.com/edgexfoundry/app-functions-sdk-go/v2 v2.0.0-dev.14
github.com/edgexfoundry/go-mod-core-contracts/v2 v2.0.0-dev.62
github.com/edgexfoundry/go-mod-core-contracts/v2 v2.0.0-dev.64
github.com/google/uuid v1.2.0
github.com/stretchr/testify v1.7.0
)

replace github.com/edgexfoundry/app-functions-sdk-go/v2 => ../
replace github.com/edgexfoundry/app-functions-sdk-go/v2 => ../
5 changes: 2 additions & 3 deletions app-service-template/res/configuration.toml
Expand Up @@ -27,13 +27,11 @@ Protocol = 'http'
ReadMaxLimit = 100
StartupMsg = 'new-app-service Application Service has started'
Timeout = '30s'
ConfigAccessTokenFile = '/tmp/edgex/secrets/new-app-service/consul-token' # ignored in non-secure mode

[Registry]
Host = 'localhost'
Port = 8500
Type = 'consul'
AccessTokenFile = '/tmp/edgex/secrets/new-app-service/consul-token' # ignored in non-secure mode

[Database]
Type = "redisdb"
Expand All @@ -47,13 +45,14 @@ Timeout = "30s"
# service in secure mode.
# For more deatils about SecretStore: https://docs.edgexfoundry.org/1.3/microservices/security/Ch-SecretStore/
[SecretStore]
Type = 'vault'
Host = 'localhost'
Port = 8200
Path = '/v1/secret/edgex/appservice/'
Protocol = 'http'
RootCaCertPath = ''
ServerName = ''
TokenFile = '/vault/config/assets/resp-init.json'
TokenFile = '/tmp/edgex/secrets/new-app-service/secrets-token.json'
AdditionalRetryAttempts = 10
RetryWaitPeriod = "1s"
[SecretStore.Authentication]
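Review bot: The new `TokenFile` line in the `[SecretStore]` section carries no comment about when it is read, while the two removed lines (`ConfigAccessTokenFile` under `[Service]` and `AccessTokenFile` under `[Registry]`) both explained themselves with `# ignored in non-secure mode`. Given the commit message says secure-mode services now need a Vault token at this path, a trailing comment such as `TokenFile = '/tmp/edgex/secrets/new-app-service/secrets-token.json' # read only when the service runs in secure mode` would keep that guidance in the template for the people copying it. If `EDGEX_SECURITY_SECRET_STORE=true` is the actual gate, as the description suggests, naming it there would be even clearer.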
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -6,8 +6,8 @@ require (
bitbucket.org/bertimus9/systemstat v0.0.0-20180207000608-0eeff89b0690
github.com/diegoholiveira/jsonlogic v1.0.1-0.20200220175622-ab7989be08b9
github.com/eclipse/paho.mqtt.golang v1.3.3
github.com/edgexfoundry/go-mod-bootstrap/v2 v2.0.0-dev.29
github.com/edgexfoundry/go-mod-core-contracts/v2 v2.0.0-dev.62
github.com/edgexfoundry/go-mod-bootstrap/v2 v2.0.0-dev.31
github.com/edgexfoundry/go-mod-core-contracts/v2 v2.0.0-dev.64
github.com/edgexfoundry/go-mod-messaging/v2 v2.0.0-dev.8
github.com/edgexfoundry/go-mod-registry/v2 v2.0.0-dev.4
github.com/fxamacker/cbor/v2 v2.2.0
7 changes: 3 additions & 4 deletions internal/app/service.go
Expand Up @@ -51,7 +51,6 @@ import (
"github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/config"
bootstrapContainer "github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/container"
"github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/flags"
bootstrapHandlers "github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/handlers"
bootstrapInterfaces "github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/interfaces"
"github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/secret"
"github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/startup"
Expand Down Expand Up @@ -402,8 +401,8 @@ func (svc *Service) Initialize() error {
configUpdated,
startupTimer,
svc.dic,
true,
[]bootstrapInterfaces.BootstrapHandler{
bootstrapHandlers.SecureProviderBootstrapHandler,
handlers.NewDatabase().BootstrapHandler,
handlers.NewClients().BootstrapHandler,
handlers.NewTelemetry().BootstrapHandler,
Expand All @@ -430,7 +429,7 @@ func (svc *Service) Initialize() error {
secretProvider := bootstrapContainer.SecretProviderFrom(svc.dic.Get)
credentials, err := secretProvider.GetSecrets(svc.config.Database.Type)
if err != nil {
return fmt.Errorf("unable to set RedisStreams password from DB credentials")
return fmt.Errorf("unable to set RedisStreams password from DB credentials: %s", err.Error())
}
svc.config.Trigger.EdgexMessageBus.Optional[optionalPasswordKey] = credentials[secret.PasswordKey]
}
Expand All @@ -452,7 +451,7 @@ func (svc *Service) Initialize() error {
// as the standard configuration.
func (svc *Service) LoadCustomConfig(customConfig interfaces.UpdatableConfig, sectionName string) error {
if svc.configProcessor == nil {
svc.configProcessor = config.NewProcessorForCustomConfig(svc.lc, svc.flags, svc.ctx.appCtx, svc.ctx.appWg, svc.dic)
svc.configProcessor = config.NewProcessorForCustomConfig(svc.flags, svc.ctx.appCtx, svc.ctx.appWg, svc.dic)
}
return svc.configProcessor.LoadCustomConfigSection(customConfig, sectionName)
}
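Review bot: The error returned after `secretProvider.GetSecrets` in Initialize now appends the underlying error with `%s` and `err.Error()`, which flattens it to text and drops the chain; wrapping it instead keeps it inspectable with errors.Is/errors.As: `return fmt.Errorf("unable to set RedisStreams password from DB credentials: %w", err)`. In the earlier hunk the bare `true,` added to the bootstrap call is a positional boolean whose meaning is invisible at the call site; since it appears to replace the removed `SecureProviderBootstrapHandler`, a trailing comment naming the parameter it fills would help the next reader. Initialize starts and ends outside these hunks.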
40 changes: 19 additions & 21 deletions internal/common/config.go
Expand Up @@ -61,18 +61,17 @@ type ConfigurationStruct struct {

// ServiceInfo is used to hold and configure various settings related to the hosting of this service
type ServiceInfo struct {
BootTimeout string
CheckInterval string
Host string
HTTPSCert string
HTTPSKey string
ServerBindAddr string
Port int
Protocol string
StartupMsg string
ReadMaxLimit int
Timeout string
ConfigAccessTokenFile string
BootTimeout string
CheckInterval string
Host string
HTTPSCert string
HTTPSKey string
ServerBindAddr string
Port int
Protocol string
StartupMsg string
ReadMaxLimit int
Timeout string
}

// TriggerInfo contains Metadata associated with each Trigger
Expand Down Expand Up @@ -197,15 +196,14 @@ func (c *ConfigurationStruct) GetInsecureSecrets() bootstrapConfig.InsecureSecre
// transformToBootstrapServiceInfo transforms the SDK's ServiceInfo to the bootstrap's version of ServiceInfo
func (c *ConfigurationStruct) transformToBootstrapServiceInfo() bootstrapConfig.ServiceInfo {
return bootstrapConfig.ServiceInfo{
BootTimeout: durationToMill(c.Service.BootTimeout),
CheckInterval: c.Service.CheckInterval,
Host: c.Service.Host,
Port: c.Service.Port,
Protocol: c.Service.Protocol,
StartupMsg: c.Service.StartupMsg,
MaxResultCount: c.Service.ReadMaxLimit,
Timeout: durationToMill(c.Service.Timeout),
ConfigAccessTokenFile: c.Service.ConfigAccessTokenFile,
BootTimeout: durationToMill(c.Service.BootTimeout),
CheckInterval: c.Service.CheckInterval,
Host: c.Service.Host,
Port: c.Service.Port,
Protocol: c.Service.Protocol,
StartupMsg: c.Service.StartupMsg,
MaxResultCount: c.Service.ReadMaxLimit,
Timeout: durationToMill(c.Service.Timeout),
}
}
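Review bot: Dropping `ConfigAccessTokenFile` from ServiceInfo means a deployment whose configuration.toml still sets that key will most likely have it silently ignored rather than rejected, depending on how strict the TOML decoder is, so the BREAKING CHANGE text is the only signal operators get. A short comment on the ServiceInfo struct saying the Consul access token is now obtained through the Secret Provider and the old key is no longer honoured would make the transition visible in the code as well. transformToBootstrapServiceInfo remains a field-by-field copy and needs no other change.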

2 changes: 1 addition & 1 deletion pkg/interfaces/context.go
Expand Up @@ -61,7 +61,7 @@ type AppFunctionContext interface {
// SecretsLastUpdated returns that timestamp for when the secrets in the SecretStore where last updated.
// Useful when a connection to external source needs to be redone when the credentials have been updated.
SecretsLastUpdated() time.Time
// LoggingClient returns the Logger client
// LoggingClient returns the lc client
LoggingClient() logger.LoggingClient
// EventClient returns the Event client. Note if Core Data is not specified in the Clients configuration,
// this will return nil.
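Review bot: The comment on `LoggingClient` now reads `// LoggingClient returns the lc client`, which looks like an accidental find-and-replace of "Logger" and is less clear than the text it replaces; the same wording lands in pkg/interfaces/service.go, where it also sits at the end of the `StoreSecret` line instead of on its own line above `LoggingClient()`. Suggest `// LoggingClient returns the logging client` in both files, moved onto its own line in service.go so godoc attaches it to the right method.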
2 changes: 1 addition & 1 deletion pkg/interfaces/service.go
Expand Up @@ -96,7 +96,7 @@ type ApplicationService interface {
// - Not using the secure secret store, i.e. not valid with InsecureSecrets configuration
// - Secure secret provider is not properly initialized
// - Connection issues with Secret Store service.
StoreSecret(path string, secretData map[string]string) error // LoggingClient returns the Logger client
StoreSecret(path string, secretData map[string]string) error // LoggingClient returns the lc client
LoggingClient() logger.LoggingClient
// EventClient returns the Event client. Note if Core Data is not specified in the Clients configuration,
// this will return nil.

