Merge pull request #441 from dovholuknf/add-sec-proxy

feat: add proxy. include when not zero trust
edgexfoundry · Mar 27, 2024 · bab88e6 · bab88e6
2 parents 3958ee5 + ea3d6cf
commit bab88e6
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 108 deletions.
diff --git a/compose-builder/Makefile b/compose-builder/Makefile
@@ -789,6 +789,10 @@ else
 	ifeq ($(BUS),) # if BUS not set, then we are using secure redis messagebus by default
 		COMPOSE_FILES:=$(COMPOSE_FILES) -f add-secure-redis-messagebus.yml
 	endif
+	# Add Security Proxy when not using zero-trust
+	ifneq (zero-trust, $(filter zero-trust,$(ARGS)))
+		COMPOSE_FILES:=$(COMPOSE_FILES) -f add-security-proxy.yml
+	endif
 endif
 
 # Build compose for TAF secure testing (ignore all other compose file options)
@@ -803,6 +807,7 @@ ifeq (taf-secty, $(filter taf-secty,$(ARGS)))
 	COMPOSE_FILES:= \
 		-f docker-compose-base.yml \
 		-f add-security.yml \
+		-f add-security-proxy.yml \
 		-f add-taf-app-services.yml \
 		-f add-taf-app-services-secure.yml \
 		-f add-asc-http-export.yml \
@@ -891,6 +896,7 @@ else
     		COMPOSE_FILES:= \
     			-f docker-compose-base.yml \
     			-f add-security.yml \
+    			-f add-security-proxy.yml \
     			-f add-secure-redis-messagebus.yml \
     			-f add-asc-mqtt-export.yml \
     			-f add-device-virtual.yml \
@@ -962,6 +968,7 @@ define COMPOSE_DOWN
 		-f add-secure-mqtt-messagebus.yml \
 		-f add-nats-messagebus.yml \
 		-f add-security.yml \
+		-f add-security-proxy.yml \
 		-f add-secure-redis-messagebus.yml \
 		-f add-delayed-start-services.yml \
 		down $1

diff --git a/compose-builder/add-security-proxy.yml b/compose-builder/add-security-proxy.yml
@@ -0,0 +1,127 @@
+# /*******************************************************************************
+#  * Copyright 2024 Intel Corporation.
+#  *
+#  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+#  * in compliance with the License. You may obtain a copy of the License at
+#  *
+#  * http://www.apache.org/licenses/LICENSE-2.0
+#  *
+#  * Unless required by applicable law or agreed to in writing, software distributed under the License
+#  * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+#  * or implied. See the License for the specific language governing permissions and limitations under
+#  * the License.
+#  *
+#  *******************************************************************************/
+
+version: '3.7'
+
+volumes:
+  nginx-templates:
+  nginx-tls:
+
+services:
+# containers for reverse proxy
+
+  nginx:
+    image: nginx:${NGINX_VERSION}
+    container_name: edgex-nginx
+    hostname: edgex-nginx
+    ports:
+      - "8443:8443"  # port 8000 (insecure) is not mapped externally)
+    read_only: true
+    restart: always
+    networks:
+      edgex-network:
+    entrypoint: ["/bin/sh", "/edgex-init/nginx_wait_install.sh"]
+    command:
+      - "/docker-entrypoint.sh"
+      - nginx
+      - "-g"
+      - "daemon off;"
+    env_file:
+      - common-sec-stage-gate.env
+    volumes:
+      - edgex-init:/edgex-init:ro
+      - nginx-templates:/etc/nginx/templates
+      - nginx-tls:/etc/ssl/nginx
+    depends_on:
+      - security-secretstore-setup
+    security_opt:
+      - no-new-privileges:true
+    tmpfs:
+      - /etc/nginx/conf.d
+      - /var/cache/nginx
+      - /var/log/nginx
+      - /var/run
+
+  security-proxy-setup:
+    image: ${CORE_EDGEX_REPOSITORY}/security-proxy-setup${ARCH}:${CORE_EDGEX_VERSION}
+    user: "root:root"
+    container_name: edgex-security-proxy-setup
+    hostname: edgex-security-proxy-setup
+    entrypoint: ["/edgex-init/proxy_setup_wait_install.sh"]
+    read_only: true
+    restart: always
+    networks:
+      - edgex-network
+    env_file:
+      - common-security.env
+      - common-sec-stage-gate.env
+    environment:
+      ROUTES_CORE_CONSUL_HOST: edgex-core-consul
+      ROUTES_CORE_DATA_HOST: edgex-core-data
+      ROUTES_CORE_METADATA_HOST: edgex-core-metadata
+      ROUTES_CORE_COMMAND_HOST: edgex-core-command
+      ROUTES_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications
+      ROUTES_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler
+      ROUTES_SYS_MGMT_AGENT_HOST: edgex-sys-mgmt-agent
+      ROUTES_RULES_ENGINE_HOST: edgex-kuiper
+      ROUTES_DEVICE_VIRTUAL_HOST: device-virtual
+    volumes:
+      # use host timezone
+      - /etc/localtime:/etc/localtime:ro
+      - edgex-init:/edgex-init:ro
+      - vault-config:/vault/config
+      - nginx-templates:/etc/nginx/templates
+      - nginx-tls:/etc/ssl/nginx
+      - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z
+      - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:ro
+    depends_on:
+      - security-bootstrapper
+      - security-secretstore-setup
+    security_opt:
+      - no-new-privileges:true
+
+  security-proxy-auth:
+    image: ${CORE_EDGEX_REPOSITORY}/security-proxy-auth${ARCH}:${CORE_EDGEX_VERSION}
+    container_name: edgex-proxy-auth
+    hostname: edgex-proxy-auth
+    ports:
+      - "127.0.0.1:59842:59842"
+    read_only: true
+    restart: always
+    networks:
+      - edgex-network
+    entrypoint: ["/bin/sh", "/edgex-init/ready_to_run_wait_install.sh"]
+    command:
+      - "entrypoint.sh"
+      - "/security-proxy-auth"
+      - "-cp=consul.http://edgex-core-consul:8500"
+      - "--registry"
+    env_file:
+      - common-security.env
+      - common-sec-stage-gate.env
+    environment:
+      SERVICE_HOST: edgex-proxy-auth
+    volumes:
+      # use host timezone
+      - /etc/localtime:/etc/localtime:ro
+      - edgex-init:/edgex-init:ro
+      - /tmp/edgex/secrets/security-proxy-auth:/tmp/edgex/secrets/security-proxy-auth:ro,z
+    depends_on:
+      - security-secretstore-setup
+      - core-common-config-bootstrapper
+    security_opt:
+      - no-new-privileges:true
+
+# end of containers for reverse proxy
diff --git a/compose-builder/add-security.yml b/compose-builder/add-security.yml
@@ -22,8 +22,6 @@ volumes:
   vault-logs:
   consul-acl-token:
   # non-shared volumes
-  nginx-templates:
-  nginx-tls:
   redis-config:
 
 services:
@@ -154,112 +152,6 @@ services:
       - security-bootstrapper
     restart: always
 
-# containers for reverse proxy
-
-  nginx:
-    image: nginx:${NGINX_VERSION}
-    container_name: edgex-nginx
-    hostname: edgex-nginx
-    read_only: true
-    restart: always
-    networks:
-      edgex-network:
-    ports:
-      - "8443:8443"  # port 8000 (insecure) is not mapped externally)
-    entrypoint: ["/bin/sh", "/edgex-init/nginx_wait_install.sh"]
-    command:
-      - "/docker-entrypoint.sh"
-      - nginx
-      - "-g"
-      - "daemon off;"
-    env_file:
-      - common-sec-stage-gate.env
-    volumes:
-      - edgex-init:/edgex-init:ro
-      - nginx-templates:/etc/nginx/templates
-      - nginx-tls:/etc/ssl/nginx
-    depends_on:
-      - security-secretstore-setup
-    security_opt:
-      - no-new-privileges:true
-    tmpfs:
-      - /etc/nginx/conf.d
-      - /var/cache/nginx
-      - /var/log/nginx
-      - /var/run
-
-  security-proxy-setup:
-    image: ${CORE_EDGEX_REPOSITORY}/security-proxy-setup${ARCH}:${CORE_EDGEX_VERSION}
-    user: "root:root"
-    container_name: edgex-security-proxy-setup
-    hostname: edgex-security-proxy-setup
-    entrypoint: ["/edgex-init/proxy_setup_wait_install.sh"]
-    read_only: true
-    restart: always
-    networks:
-      - edgex-network
-    env_file:
-      - common-security.env
-      - common-sec-stage-gate.env
-    environment:
-      ROUTES_CORE_CONSUL_HOST: edgex-core-consul
-      ROUTES_CORE_DATA_HOST: edgex-core-data
-      ROUTES_CORE_METADATA_HOST: edgex-core-metadata
-      ROUTES_CORE_COMMAND_HOST: edgex-core-command
-      ROUTES_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications
-      ROUTES_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler
-      ROUTES_SYS_MGMT_AGENT_HOST: edgex-sys-mgmt-agent
-      ROUTES_RULES_ENGINE_HOST: edgex-kuiper
-      ROUTES_DEVICE_VIRTUAL_HOST: device-virtual
-    volumes:
-      # use host timezone
-      - /etc/localtime:/etc/localtime:ro
-      - edgex-init:/edgex-init:ro
-      - vault-config:/vault/config
-      - nginx-templates:/etc/nginx/templates
-      - nginx-tls:/etc/ssl/nginx
-      - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z
-      - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:ro
-    depends_on:
-      - security-bootstrapper
-      - security-secretstore-setup
-    security_opt:
-      - no-new-privileges:true
-
-  security-proxy-auth:
-    image: ${CORE_EDGEX_REPOSITORY}/security-proxy-auth${ARCH}:${CORE_EDGEX_VERSION}
-    container_name: edgex-proxy-auth
-    hostname: edgex-proxy-auth
-    read_only: true
-    restart: always
-    networks:
-      - edgex-network
-    entrypoint: ["/bin/sh", "/edgex-init/ready_to_run_wait_install.sh"]
-    command:
-      - "entrypoint.sh"
-      - "/security-proxy-auth"
-      - "-cp=consul.http://edgex-core-consul:8500"
-      - "--registry"
-    env_file:
-      - common-security.env
-      - common-sec-stage-gate.env
-    environment:
-      SERVICE_HOST: edgex-proxy-auth
-    ports:
-      - "127.0.0.1:59842:59842"
-    volumes:
-      # use host timezone
-      - /etc/localtime:/etc/localtime:ro
-      - edgex-init:/edgex-init:ro
-      - /tmp/edgex/secrets/security-proxy-auth:/tmp/edgex/secrets/security-proxy-auth:ro,z
-    depends_on:
-      - security-secretstore-setup
-      - core-common-config-bootstrapper
-    security_opt:
-      - no-new-privileges:true
-
-# end of containers for reverse proxy
-
   support-notifications:
     env_file:
       - common-security.env