feat(security): Deploy new security-bootstrapper service

compose-builder/.env

@@ -25,7 +25,6 @@ RELEASE=nexus
 REPOSITORY=nexus3.edgexfoundry.org:10004
 CORE_EDGEX_REPOSITORY=nexus3.edgexfoundry.org:10004
 CORE_EDGEX_VERSION=master
-CONSUL_VERSION=master
 APP_SERVICE_VERSION=master
 DEVICE_BACNET_VERSION=master
 DEVICE_CAMERA_VERSION=master
@@ -38,6 +37,7 @@ DEVICE_SNMP_VERSION=master
 DEVICE_VIRTUAL_VERSION=master
 
 VAULT_VERSION=1.5.3
+CONSUL_VERSION=1.9.1
 # Note that Postgres images don't use patch versions.
 POSTGRES_VERSION=12.3-alpine
 REDIS_VERSION=6.0.9-alpine
@@ -48,5 +48,8 @@ MOSQUITTO_VERSION=1.6.3
 COMPOSE_FOLDER=../releases/nightly-build/compose-files
 RELEASE_FOLDER=../releases/${RELEASE}/compose-files
 TAF_COMPOSE_FOLDER=../releases/nightly-build/compose-files/taf
+
 EDGEX_USER=2002
 EDGEX_GROUP=2001
+
+DEFAULT_EDGEX_RUN_CMD_PARMS="-cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res"

compose-builder/Makefile

@@ -81,9 +81,9 @@ ifeq (asc-http, $(filter asc-http,$(ARGS)))
 endif
 ifeq (asc-http-s, $(filter asc-http-s,$(ARGS)))
     ifeq ($(TOKEN_LIST),"")
-      TOKEN_LIST:=appservice-http-export-secrets
+      TOKEN_LIST:=app-service-http-export-secrets
     else
-      TOKEN_LIST:=$(TOKEN_LIST),appservice-http-export-secrets
+      TOKEN_LIST:=$(TOKEN_LIST),app-service-http-export-secrets
     endif
     COMPOSE_FILES:=$(COMPOSE_FILES) -f add-asc-http-export-secure.yml
 endif
@@ -92,9 +92,9 @@ ifeq (asc-mqtt, $(filter asc-mqtt,$(ARGS)))
 endif
 ifeq (asc-mqtt-s, $(filter asc-mqtt-s,$(ARGS)))
     ifeq ($(TOKEN_LIST),"")
-      TOKEN_LIST:=appservice-mqtt-export-secrets
+      TOKEN_LIST:=app-service-mqtt-export-secrets
     else
-      TOKEN_LIST:=$(TOKEN_LIST),appservice-mqtt-export-secrets
+      TOKEN_LIST:=$(TOKEN_LIST),app-service-mqtt-export-secrets
     endif
     COMPOSE_FILES:=$(COMPOSE_FILES) -f add-asc-mqtt-export-secure.yml
 endif
@@ -114,7 +114,7 @@ endif
 
 # Build compose for TAF secure testing (ignore all other compose file options)
 ifeq (taf-secty, $(filter taf-secty,$(ARGS)))
-	TOKEN_LIST:=appservice-http-export-secrets,appservice-mqtt-export-secrets
+	TOKEN_LIST:=app-service-http-export-secrets,app-service-mqtt-export-secrets
 	COMPOSE_FILES:= \
 		-f docker-compose-base.yml \
 		-f add-security.yml \

compose-builder/README.md

@@ -86,6 +86,8 @@ This folder contains the following environment files:
     This file contains the common environment overrides used by all Edgex services.
 - **common-security.env**
     This file contains the common security related environment overrides used by many Edgex services.
+- **common-sec-stage-gate.env**
+    This file contains the common security-bootstrapper stage gate related environment overrides used by many Edgex services.
 
 ### Makefile
 
@@ -118,7 +120,7 @@ Standard compose variations are:
    full secure perf testing (docker-compose-taf-perf-nexus.yml)
    full secure perf testing for arm64 (docker-compose-taf-perf-nexus-arm64.yml)
    non-secure perf testing (docker-compose-nexus-taf-perf-no-secty.yml)
-   nonsecure perf testing forarm64 (docker-compose-taf-perf-nexus-no-secty-arm64.yml)
+   nonsecure perf testing for arm64 (docker-compose-taf-perf-nexus-no-secty-arm64.yml)
 ```
 
 ```
@@ -150,7 +152,7 @@ Options:
 
 ```
 taf-compose [options] 
-Generates a TAF general testing compose file as specified by options and stores them in the configured TAF release folder. Compose files are named appropriatly for the options used to generate them.
+Generates a TAF general testing compose file as specified by options and stores them in the configured TAF release folder. Compose files are named appropriately for the options used to generate them.
 
 Options:
     taf-secty:	  Generates general TAF testing compose file with security services
@@ -160,11 +162,11 @@ Options:
 
 ```
 taf-perf-compose [options] 
-Generates a TAF performance testing compose file as specified by options and stores them in the configured TAF release folder. Compose files are named appropriatly for the options used to generate them.
+Generates a TAF performance testing compose file as specified by options and stores them in the configured TAF release folder. Compose files are named appropriately for the options used to generate them.
 
 Options:
     taf-secty:	  Generates performance TAF testing compose file with security services
-    taf-no-secty: Generates perforamnce TAF testing compose file without security services
+    taf-no-secty: Generates performance TAF testing compose file without security services
     arm64:        Generates TAF compose file using ARM64 images
 ```
 
@@ -184,12 +186,12 @@ Options:
     ds-random:  Runs with device-random included
     ds-rest:    Runs with device-rest included
     ds-snmp:    Runs with device-snmp included
-    ds-virtual: Runs device-virtual included
-    modbus-sim: Generates compose file with ModBus simulator included
-    asc-http:   Generates compose file with App Service HTTP Export included
-    asc-http-s: Generates compose file with App Service HTTP Export Secrets included
-    asc-mqtt:   Generates compose file with App Service MQTT Export included
-    asc-mqtt-s: Generates compose file with App Service MQTT Export Secrets included
+    ds-virtual: Runs with device-virtual included
+    modbus-sim: Runs with ModBus simulator included
+    asc-http:   Runs with App Service HTTP Export included
+    asc-http-s: Runs with App Service HTTP Export Secrets included
+    asc-mqtt:   Runs with App Service MQTT Export included
+    asc-mqtt-s: Runs with App Service MQTT Export Secrets included
     mqtt:       Runs using MQTT Message Bus
     ui:         Runs only the EdgeX UI service. `ds-x`, 'mqtt', 'no-ds' & 'no-secty' are ignored. Typically used after the other Edgex Services have been started
 Services:
@@ -210,12 +212,12 @@ Options:
     ds-rest:    Pull includes device-rest
     ds-snmp:    Pull includes device-snmp
     ds-virtual: Pull includes device-virtual
-    modbus-sim: Generates compose file with ModBus simulator included
-    asc-http:   Generates compose file with App Service HTTP Export included
-    asc-http-s: Generates compose file with App Service HTTP Export Secrets included
-    asc-mqtt:   Generates compose file with App Service MQTT Export included
-    asc-mqtt-s: Generates compose file with App Service MQTT Export Secrets included
-    mqtt:       Pulls included additional service for MQTT Message Bus 
+    modbus-sim: Pull includes ModBus simulator
+    asc-http:   Pull includes App Service HTTP Export
+    asc-http-s: Pull includes App Service HTTP Export Secrets
+    asc-mqtt:   Pull includes App Service MQTT Export
+    asc-mqtt-s: Pull includes App Service MQTT Export Secrets
+    mqtt:       Pull includes additional service for MQTT Message Bus
     ui:         Pulls only the EdgeX UI service image. `ds-x`, 'mqtt', 'no-ds' & 'no-secty' are ignored
 Services:
     <names...>: Pulls only images for the service(s) listed

compose-builder/add-asc-http-export-secure.yml

@@ -1,33 +1,38 @@
 version: '3.7'
 
 services:
-  vault-worker:
+  secretstore-setup:
     environment:
       ADD_SECRETSTORE_TOKENS: ${TOKEN_LIST}
 
   app-service-http-export-secrets:
     image: ${REPOSITORY}/docker-app-service-configurable${ARCH}:${APP_SERVICE_VERSION}
+    entrypoint: ["/edgex-init/ready_to_run_wait_install.sh"]
+    command: "/app-service-configurable ${DEFAULT_EDGEX_RUN_CMD_PARMS}"
     ports:
       - 127.0.0.1:48102:48102/tcp
     container_name: app-service-http-export-secrets
     hostname: app-service-http-export-secrets
     env_file:
       - common.env
       - common-security.env
+      - common-sec-stage-gate.env
     environment:
       EDGEX_PROFILE: http-export
       SERVICE_HOST: app-service-http-export-secrets
       SERVICE_PORT: 48102
       MESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-core-data
-      SECRETSTORE_PATH: /v1/secret/edgex/appservice-http-export-secrets/
-      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/appservice-http-export-secrets/secrets-token.json
+      SECRETSTORE_PATH: /v1/secret/edgex/app-service-http-export-secrets/
+      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/app-service-http-export-secrets/secrets-token.json
       WRITABLE_PIPELINE_FUNCTIONS_HTTPPOSTJSON_PARAMETERS_URL: http://EXPORT_HOST_PLACE_HOLDER:7770
       WRITABLE_PIPELINE_FUNCTIONS_HTTPPOSTJSON_PARAMETERS_SECRETHEADERNAME: ""
       WRITABLE_PIPELINE_FUNCTIONS_HTTPPOSTJSON_PARAMETERS_SECRETPATH: ""
       WRITABLE_LOGLEVEL: INFO # allows scripts to find and change with sed
     volumes:
-    - /tmp/edgex/secrets/appservice-http-export-secrets:/tmp/edgex/secrets/appservice-http-export-secrets:ro,z
+      - edgex-init:/edgex-init:ro,z
+      - /tmp/edgex/secrets/app-service-http-export-secrets:/tmp/edgex/secrets/app-service-http-export-secrets:ro,z
     depends_on:
+      - security-bootstrapper
       - consul
       - data
     read_only: true

compose-builder/add-asc-mqtt-export-secure.yml

@@ -1,40 +1,45 @@
 version: '3.7'
 
 services:
-  vault-worker:
+  secretstore-setup:
     environment:
       ADD_SECRETSTORE_TOKENS: ${TOKEN_LIST}
 
-  appservice-mqtt-export-secrets:
+  app-service-mqtt-export-secrets:
     image: ${REPOSITORY}/docker-app-service-configurable${ARCH}:${APP_SERVICE_VERSION}
+    entrypoint: ["/edgex-init/ready_to_run_wait_install.sh"]
+    command: "/app-service-configurable ${DEFAULT_EDGEX_RUN_CMD_PARMS}"
     ports:
       - 127.0.0.1:48104:48104/tcp
-    container_name: appservice-mqtt-export-secrets
-    hostname: appservice-mqtt-export-secrets
+    container_name: app-service-mqtt-export-secrets
+    hostname: app-service-mqtt-export-secrets
     env_file:
       - common.env
       - common-security.env
+      - common-sec-stage-gate.env
     environment:
       EDGEX_PROFILE: mqtt-export
-      SERVICE_HOST: appservice-mqtt-export-secrets
+      SERVICE_HOST: app-service-mqtt-export-secrets
       SERVICE_PORT: 48104
       MESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-core-data
-      SECRETSTORE_PATH: /v1/secret/edgex/appservice-mqtt-export-secrets/
-      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/appservice-mqtt-export-secrets/secrets-token.json
+      SECRETSTORE_PATH: /v1/secret/edgex/app-service-mqtt-export-secrets/
+      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/app-service-mqtt-export-secrets/secrets-token.json
       WRITABLE_PIPELINE_FUNCTIONS_MQTTSECRETSEND_PARAMETERS_BROKERADDRESS: tcp://MQTT_BROKER_ADDRESS_PLACE_HOLDER:1883
       WRITABLE_PIPELINE_FUNCTIONS_MQTTSECRETSEND_PARAMETERS_TOPIC: edgex-events
       WRITABLE_PIPELINE_FUNCTIONS_MQTTSECRETSEND_PARAMETERS_AUTHMODE : usernamepassword
       WRITABLE_INSECURESECRETS_MQTT_SECRETS_USERNAME: USERNAME_PLACEH_OLDER
       WRITABLE_INSECURESECRETS_MQTT_SECRETS_PASSWORD: PASSWORD_PLACE_HOLDER
       WRITABLE_LOGLEVEL: INFO # allows scripts to find and change with sed
     depends_on:
+      - security-bootstrapper
       - consul
       - data
     read_only: true
     networks:
       - edgex-network
     volumes:
-      - /tmp/edgex/secrets/appservice-mqtt-export-secrets:/tmp/edgex/secrets/appservice-mqtt-export-secrets:ro,z
+      - edgex-init:/edgex-init:ro,z
+      - /tmp/edgex/secrets/app-service-mqtt-export-secrets:/tmp/edgex/secrets/app-service-mqtt-export-secrets:ro,z
     security_opt:
       - no-new-privileges:true
     user: "${EDGEX_USER}:${EDGEX_GROUP}"