diff --git a/README.md b/README.md index 46d8cc03..310681de 100644 --- a/README.md +++ b/README.md 
@@ -96,6 +96,24 @@ This folder contains the following compose files: - Use `make run no-secty app-sample arm64` and `make down` to start and stop the services using this compose file. - Use `make pull no-secty app-sample ` to pull all or some images for the services in this compose file. +- **docker-compose-openziti.yml** + Contains the services needed to bring OpenZiti online, configure it, and enable consul to perform underlay-based health checking. Used in conjunction with `docker-compose-zero-trust.yml`. This compose file should be started before starting the `docker-compose-zero-trust.yml` compose file. + + **Make Commands** + + - Use `make openziti` and `make openziti-down` to start and stop the services using this compose file. + - Use `make openziti-clean` to remove all stopped containers, all volumes and all networks used by the EdgeX stack. Use this command when needing to do a fresh restart. **Note** You must _also_ run the corresponding `make zero-trust-clean` command to fully clean up. + - Use `make openziti-logs` to follow the logs + +- **docker-compose-zero-trust.yml** + Contains the services needed to run in zero-trust secure mode. Used in conjunction with `docker-compose-openziti.yml`. Start this compose file after starting OpenZiti. When operating in zero-trust mode, no ports are available other than the OpenZiti ports. Accessing services must be done using an OpenZiti tunneler or through using an OpenZiti SDK. The `go-mod-bootstrap` library has been upgraded to support zero-trust. + + **Make Commands** + + - Use `make zero-trust` and `make zero-trust-down` to start and stop the services using this compose file. + - Use `make zero-trust-clean` to remove all stopped containers, all volumes and all networks used by the EdgeX stack. Use this command when needing to do a fresh restart. **Note** You must _also_ run the corresponding `make openziti-clean` command to fully clean up. 
+ - Use `make openziti-logs` to follow the logs + ### TAF Compose files The compose files under the `taf` subfolder are used for the automated TAF tests. These compose files are also generated from `Compose Builder` when the `make build` command is used. diff --git a/compose-builder/.gitignore b/compose-builder/.gitignore index d2b4a1c3..ada9106c 100644 --- a/compose-builder/.gitignore +++ b/compose-builder/.gitignore @@ -2,4 +2,5 @@ docker-compose.yml # staging directory is generated by the shell script gen_secure_compose_ext.sh gen_ext_scty/ +gen_ext_compose res/ diff --git a/compose-builder/Makefile b/compose-builder/Makefile index cb84397c..b32e48b9 100644 --- a/compose-builder/Makefile +++ b/compose-builder/Makefile @@ -24,7 +24,7 @@ include .env include common-security.env # This tool now only supports compose V2, aka "docker compose" as it has replaced to old docker-compose tool. -DOCKER_COMPOSE=docker compose +DOCKER_COMPOSE?=docker compose GEN_COMMAND=convert COMPOSE_FILES:=-f docker-compose-base.yml @@ -48,7 +48,7 @@ define OPTIONS - ds-onvif-camera ds-usb-camera ds-bacnet-ip ds-bacnet-mstp ds-modbus ds-mqtt ds-rest ds-snmp ds-virtual ds-llrp - - ds-coap ds-gpio ds-uart ds-s7 - - asc-http asc-mqtt asc-sample asc-metrics as-llrp as-record-replay asc-ex-mqtt - - - modbus-sim - + - modbus-sim zero-trust no-cleanup - endef export OPTIONS @@ -63,6 +63,17 @@ ifeq (nats-bus, $(filter nats-bus,$(ARGS))) ARGS:=$(ARGS) dev app-dev device-dev endif +ifeq (zero-trust, $(filter zero-trust,$(ARGS))) + MAKE_ZERO_TRUST:=1 +else + MAKE_ZERO_TRUST:=0 +endif +ifeq (no-cleanup, $(filter no-cleanup,$(ARGS))) + NO_CLEANUP:=1 +else + NO_CLEANUP:=0 +endif + ifeq (dev, $(filter dev,$(ARGS))) export CORE_EDGEX_REPOSITORY=edgexfoundry export CORE_EDGEX_VERSION=0.0.0-dev 
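Review bot: The new `MAKE_ZERO_TRUST` block in the `@@ -63,6 +63,17 @@` hunk accepts `zero-trust` together with `no-secty`, and nothing visible rejects the pair; the later `ifeq (zero-trust, …)` hunk then appends `add-security-zero-trust.yml` unconditionally, and that overlay sets `SECURITYOPTIONS_MODE: "zerotrust"` and mounts secrets-token files that a non-secure stack presumably does not create. Unless the combination is already refused elsewhere in the Makefile, fail early next to the new flag: `ifeq (no-secty zero-trust, $(sort $(filter no-secty zero-trust,$(ARGS))))` / `$(error zero-trust requires secure mode; remove no-secty)` / `endif`. `$(sort)` de-duplicates and orders the two words, so the comparison is stable regardless of how ARGS lists them.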
@@ -108,8 +119,8 @@ endif # When in delay-start mode, we have to make sure support serivces be delayed-start-compliant: i.e. the runtime-token configuration be added etc.. ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file_sup_notif:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh support-notifications) - ext_file_sup_sch:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh support-scheduler) + ext_file_sup_notif:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh support-notifications) + ext_file_sup_sch:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh support-scheduler) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file_sup_notif) -f $(ext_file_sup_sch) endif @@ -133,11 +144,11 @@ ifeq (ds-onvif-camera, $(filter ds-onvif-camera,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-onvif-camera) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-onvif-camera) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-onvif-camera) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-onvif-camera) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
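Review bot: The `ZERO_TRUST="$(MAKE_ZERO_TRUST)"` prefix added to both `$(shell …)` calls in this hunk is repeated verbatim on every `extension_file`/`ext_file`/`*_ext` assignment in the following hunks (`@@ -133` through `@@ -904`), so the next variable the generator scripts need will again touch forty-odd lines. Define the environment once, just after `MAKE_ZERO_TRUST` is set, and have each call use it: `GEN_ENV=ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)"` and `ext_file_sup_notif:= $(shell $(GEN_ENV) ./gen_runtime_token_config_compose_ext.sh support-notifications)`. The recursive `=` keeps it late-bound, so it does not depend on where `GEN_EXT_DIR` (assigned outside these hunks) is defined. The calls that also pass `IS_MQTT_BUS` simply append it after `$(GEN_ENV)`.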
@@ -161,11 +172,11 @@ ifeq (ds-usb-camera, $(filter ds-usb-camera,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-usb-camera device-usb-camera docker-entrypoint.sh) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-usb-camera device-usb-camera docker-entrypoint.sh) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-usb-camera device-usb-camera docker-entrypoint.sh) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-usb-camera device-usb-camera docker-entrypoint.sh) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -189,12 +200,12 @@ ifeq (ds-bacnet-ip, $(filter ds-bacnet-ip,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-bacnet-ip device-bacnet-ip device-bacnet-ip/device-bacnet-c " -cp=consul://edgex-core-consul:8500 --registry") + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-bacnet-ip device-bacnet-ip device-bacnet-ip/device-bacnet-c " -cp=consul://edgex-core-consul:8500 --registry") COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-bacnet-ip) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-bacnet-ip) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -218,12 +229,12 @@ ifeq (ds-bacnet-mstp, $(filter ds-bacnet-mstp,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-bacnet-mstp device-bacnet-mstp device-bacnet-mstp/device-bacnet-c " -cp=consul://edgex-core-consul:8500 --registry") + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-bacnet-mstp device-bacnet-mstp device-bacnet-mstp/device-bacnet-c " -cp=consul://edgex-core-consul:8500 --registry") COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-bacnet-mstp) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-bacnet-mstp) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif @@ -247,11 +258,11 @@ ifeq (ds-modbus, $(filter ds-modbus,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-modbus) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-modbus) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-modbus) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-modbus) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -284,11 +295,11 @@ ifeq (ds-mqtt, $(filter ds-mqtt,$(ARGS))) else IS_MQTT_BUS:=0 endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh device-mqtt) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh device-mqtt) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-mqtt) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-mqtt) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif @@ -308,11 +319,11 @@ ifeq (ds-rest, $(filter ds-rest,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-rest) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-rest) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-rest) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-rest) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -336,11 +347,11 @@ ifeq (ds-snmp, $(filter ds-snmp,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-snmp device-snmp device-snmp) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-snmp device-snmp device-snmp) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-snmp) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-snmp) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif @@ -355,11 +366,11 @@ ifeq (ds-virtual, $(filter ds-virtual,$(ARGS))) KNOWN_SECRETS_LIST:=$(KNOWN_SECRETS_LIST),redisdb[device-virtual],message-bus[device-virtual] endif # Device-virtual's proxy is created by default, so not setting EXTRA_PROXY_ROUTE_LIST - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-virtual) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-virtual) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-virtual) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-virtual) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -383,11 +394,11 @@ ifeq (ds-llrp, $(filter ds-llrp,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-rfid-llrp) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-rfid-llrp) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-rfid-llrp) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-rfid-llrp) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif @@ -411,11 +422,11 @@ ifeq (ds-coap, $(filter ds-coap,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-coap) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-coap) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-coap) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-coap) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -439,11 +450,11 @@ ifeq (ds-gpio, $(filter ds-gpio,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-gpio) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-gpio) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-gpio) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-gpio) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif @@ -467,11 +478,11 @@ ifeq (ds-uart, $(filter ds-uart,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-uart) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-uart) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-uart) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-uart) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -495,11 +506,11 @@ ifeq (ds-s7, $(filter ds-s7,$(ARGS))) else EXTRA_PROXY_ROUTE_LIST:=$(EXTRA_PROXY_ROUTE_LIST),$(PROXY_ROUTE) endif - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-s7) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-s7) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-s7) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh device-s7) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif @@ -531,12 +542,12 @@ ifeq (asc-http, $(filter asc-http,$(ARGS))) endif # when no security mode (no-secty) not explicitly specified, # then we also need to add the secure version on top of base yml by default. - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-http-export \ + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-http-export \ app-http-export app-service-configurable) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-http-export) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-http-export) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -567,12 +578,12 @@ ifeq (asc-mqtt, $(filter asc-mqtt,$(ARGS))) endif # when no security mode (no-secty) not explicitly specified, # then we also need to add the secure version on top of base yml by default. - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh app-mqtt-export \ + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh app-mqtt-export \ app-mqtt-export app-service-configurable) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-mqtt-export) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-mqtt-export) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif @@ -599,12 +610,12 @@ ifeq (asc-sample, $(filter asc-sample,$(ARGS))) endif # when no security mode (no-secty) not explicitly specified, # then we also need to add the secure version on top of base yml by default. - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-sample \ + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-sample \ app-sample app-service-configurable) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-sample) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-sample) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -631,12 +642,12 @@ ifeq (asc-metrics, $(filter asc-metrics,$(ARGS))) endif # when no security mode (no-secty) not explicitly specified, # then we also need to add the secure version on top of base yml by default. - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-metrics-influxdb \ + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-metrics-influxdb \ app-metrics-influxdb app-service-configurable) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-metrics-influxdb) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-metrics-influxdb) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif @@ -662,11 +673,11 @@ ifeq (as-llrp, $(filter as-llrp,$(ARGS))) endif # when no security mode (no-secty) not explicitly specified, # then we also need to add the secure version on top of base yml by default. - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-rfid-llrp-inventory) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-rfid-llrp-inventory) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-rfid-llrp-inventory) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-rfid-llrp-inventory) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -692,11 +703,11 @@ ifeq (as-record-replay, $(filter as-record-replay,$(ARGS))) endif # when no security mode (no-secty) not explicitly specified, # then we also need to add the secure version on top of base yml by default. - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-record-replay) + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-record-replay) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-record-replay) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-record-replay) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -728,12 +739,12 @@ ifeq (asc-ex-mqtt, $(filter asc-ex-mqtt,$(ARGS))) endif # when no security mode (no-secty) not explicitly specified, # then we also need to add the secure version on top of base yml by default. - extension_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh app-external-mqtt-trigger \ + extension_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh app-external-mqtt-trigger \ app-external-mqtt-trigger app-service-configurable) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(extension_file) # add runtime token config for delayed-start if specified ifeq (delayed-start, $(filter delayed-start,$(ARGS))) - ext_file:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-external-mqtt-trigger) + ext_file:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_runtime_token_config_compose_ext.sh app-external-mqtt-trigger) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ext_file) endif endif 
@@ -833,24 +844,24 @@ ifeq (taf-secty, $(filter taf-secty,$(ARGS))) IS_MQTT_BUS:=0 endif - asc_http_export_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-http-export \ + asc_http_export_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-http-export \ app-http-export app-service-configurable) - asc_mqtt_export_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh app-mqtt-export \ + asc_mqtt_export_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh app-mqtt-export \ app-mqtt-export app-service-configurable) - scalability_mqtt_export_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh app-scalability-test-mqtt-export \ + scalability_mqtt_export_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh app-scalability-test-mqtt-export \ app-scalability-test-mqtt-export app-service-configurable) - asc_external_mqtt_trigger_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh app-external-mqtt-trigger \ + asc_external_mqtt_trigger_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="$(IS_MQTT_BUS)" ./gen_secure_compose_ext.sh app-external-mqtt-trigger \ app-external-mqtt-trigger app-service-configurable) - asc_sample_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-sample \ + asc_sample_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-sample \ app-sample app-service-configurable) - ds_rest_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-rest) + ds_rest_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" 
./gen_secure_compose_ext.sh device-rest) # taf has its special place holder from taf-device-services-mods and thus we need to keep it # and extend security related things on top of it - ds_virtual_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-virtual \ + ds_virtual_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-virtual \ device-virtual device-virtual ' -cp=consul.http:\/\/edgex-core-consul:8500 --registry --configDir=CONFIG_DIR_PLACE_HOLDER') - ds_modbus_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-modbus \ + ds_modbus_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-modbus \ device-modbus device-modbus ' -cp=consul.http:\/\/edgex-core-consul:8500 --registry --configDir=CONFIG_DIR_PLACE_HOLDER') - ds_camera_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-onvif-camera) + ds_camera_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-onvif-camera) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(asc_http_export_ext) -f $(asc_mqtt_export_ext) -f $(asc_external_mqtt_trigger_ext) -f $(scalability_mqtt_export_ext) -f $(asc_sample_ext) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(ds_virtual_ext) -f $(ds_rest_ext) -f $(ds_modbus_ext) -f $(ds_camera_ext) else 
@@ -904,10 +915,10 @@ else -f add-mqtt-broker-mosquitto.yml \ -f add-taf-mqtt-broker-mosquitto.yml \ -f add-delayed-start-services.yml - asc_mqtt_export_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="0" ./gen_secure_compose_ext.sh app-mqtt-export \ + asc_mqtt_export_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="0" ./gen_secure_compose_ext.sh app-mqtt-export \ app-mqtt-export app-service-configurable) - ds_virtual_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-virtual) - ds_rest_ext:= $(shell GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-rest) + ds_virtual_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-virtual) + ds_rest_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh device-rest) COMPOSE_FILES:=$(COMPOSE_FILES) -f $(asc_mqtt_export_ext) -f $(ds_virtual_ext) -f $(ds_rest_ext) else # Build compose for TAF non-secure performance testing (ignore all other compose file options) @@ -962,7 +973,6 @@ define COMPOSE_DOWN -f add-app-record-replay.yml \ -f add-modbus-simulator.yml \ -f add-mqtt-broker-mosquitto.yml \ - -f add-mqtt-broker-nanomq.yml \ -f add-secure-mqtt-broker.yml \ -f add-mqtt-messagebus.yml \ -f add-secure-mqtt-messagebus.yml \ @@ -974,6 +984,13 @@ define COMPOSE_DOWN down $1 endef +ifeq (zero-trust, $(filter zero-trust,$(ARGS))) + # overrides for zero trust from the base files + COMPOSE_FILES:=$(COMPOSE_FILES) -f add-security-zero-trust.yml +endif + +docker_ver:= $(shell ${DOCKER_COMPOSE} version) + # Define additional phony targets for all options to enable support for tab-completion in shell # Note: This must be defined after the options are parsed otherwise it will interfere with them .PHONY: $(OPTIONS) 
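Review bot: Dropping `-f add-mqtt-broker-nanomq.yml` from `COMPOSE_DOWN` means `make down` no longer addresses that compose file, while the README context on this page still describes a NanoMQ broker being pulled for `mqtt-broker`/`mqtt-bus`. If the file is still present and selectable by any option, a stack started with it will leave the NanoMQ container running after `down`; if this commit deletes the file, the README wording should go with it. Either way a one-line comment on `COMPOSE_DOWN` stating the rule (every compose file that any option can add must be listed here) would prevent the next drift. The `define COMPOSE_DOWN` block starts before this hunk and ends in the next one.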
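Review bot: `docker_ver:= $(shell ${DOCKER_COMPOSE} version)` is assigned but nothing in the diff reads it, so the `v2.24.4` minimum the README hunk documents is not actually enforced, and `$(shell)` discards the failure when `DOCKER_COMPOSE` does not resolve, leaving `docker_ver` empty and the error surfacing only later inside a recipe. At minimum reject the empty case right after the assignment: `ifeq ($(strip $(docker_ver)),)` / `$(error "$(DOCKER_COMPOSE) version" failed; set DOCKER_COMPOSE to a working docker compose v2 command)` / `endif`. Since `DOCKER_COMPOSE` is now `?=` and therefore taken from the caller's environment, this check also makes a mistyped override visible at parse time instead of mid-build. Comparing the parsed version against the documented minimum would close the gap fully, but even the presence check is worth having.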
@@ -1034,8 +1051,8 @@ pull: gen gen: echo MQTT_VERBOSE=${MQTT_VERBOSE} - ${DOCKER_COMPOSE} -p edgex $(COMPOSE_FILES) ${GEN_COMMAND} > docker-compose.yml - rm -rf ./$(GEN_EXT_DIR) + ${DOCKER_COMPOSE} -p edgex $(COMPOSE_FILES) ${GEN_COMMAND} --output docker-compose.yml + if [ "$(NO_CLEANUP)" = "0" ]; then rm -rf ./$(GEN_EXT_DIR); fi get-token: sh ./get-api-gateway-token.sh diff --git a/compose-builder/README.md b/compose-builder/README.md index 6246f2f0..a40e9c13 100644 --- a/compose-builder/README.md +++ b/compose-builder/README.md @@ -10,7 +10,10 @@ This folder contains the `Compose Builder` which is made up of **source** compos ### Compose CLI Command -The Makefile in this folder expects the `docker compose` CLI command. +The Makefile in this folder expects the `docker compose` CLI command to be on the path or it expects you to supply +a valid `docker compose` command by setting `DOCKER_COMPOSE`. The version of `docker compose` must be equal or greater +than `Docker Compose version v2.24.4`. + The old stand-alone `docker-compose` tool is no longer supported. See https://docs.docker.com/compose/install/ for installation details for the latest `docker compose` CLI command. @@ -191,6 +194,7 @@ Standard compose variations are: run [options] [services] Runs the EdgeX services as specified by: Options: + zero-trust: Runs with OpenZiti support for zero-trust networking no-secty: Runs in Non-Secure Mode, otherwise runs in Secure Mode arm64: Runs using ARM64 images dev: Runs using local built images from edgex-go repo @@ -234,6 +238,7 @@ Options: Not valid in secure mode when uses with mqtt-bus nats-bus: Runs with services configure for NATS Message Bus The NATS Server service is also included. + no-cleanup: Leaves generated files behind for debugging purposes. Services: : Runs only services listed (and their dependent services) where 'name' matches a service name in one of the compose files used ``` 
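Review bot: The rewritten cleanup line `if [ "$(NO_CLEANUP)" = "0" ]; then rm -rf ./$(GEN_EXT_DIR); fi` still runs `rm -rf ./` on the compose-builder directory itself if `GEN_EXT_DIR` (assigned outside this hunk) ever expands to empty; touching the line is a good moment to close that hole: `if [ "$(NO_CLEANUP)" = "0" ] && [ -n "$(strip $(GEN_EXT_DIR))" ]; then rm -rf ./$(GEN_EXT_DIR); fi`. The `no-cleanup` switch is decided at parse time like every other option, so a Make-level `ifeq ($(NO_CLEANUP),0)` around the recipe line would also read more consistently with the rest of the file than a shell conditional, though that is a matter of taste.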
@@ -257,6 +262,7 @@ Stops all EdgeX services no matter which configuration started them pull [options] [services] Pulls the EdgeX service images as specified by: Options: + zero-trust: Pulls images for OpenZiti, supporting zero-trust networking no-secty: Pulls images for Non-Secure Mode, otherwise pull images for Secure Mode arm64: Pulls ARM64 version of images @@ -290,6 +296,7 @@ Options: Pull includes NonoMQ MQTT broker when mqtt-broker or mqtt-bus are specified Not valid in secure mode when uses with mqtt-bus nats-bus: Pull includes additional services for NATS Message Bus + no-cleanup: Leaves generated files behind for debugging purposes. Services: : Pulls only images for the service(s) listed @@ -300,6 +307,7 @@ Services: gen [options] Generates temporary single file compose file (`docker-compose.yml`) as specified by: Options: + zero-trust: Generates with OpenZiti support for zero-trust networking included no-secty: Generates non-secure compose, otherwise generates secure compose file arm64: Generates compose file using ARM64 images @@ -344,6 +352,7 @@ Options: Not valid in secure mode when uses with mqtt-bus nats-bus: Generates compose file with services configured for NAT Message Bus The NATS Server service is also included. + no-cleanup: Leaves generated files behind for debugging purposes. ``` #### Clean @@ -411,6 +420,7 @@ compose [options] Generates the EdgeX compose file as specified by options and stores them in the configured release folder. Compose files are named appropriately for release and options used to generate them. Options: + zero-trust: Generates compose file with OpenZiti support for zero-trust networking included no-secty: Generates non-secure compose file, otherwise generates secure compose file arm64: Generates compose file using ARM64 images dev: Generates using local built images from edgex-go repo 
@@ -454,6 +464,7 @@ Options: mqtt-verbose Enables MQTT Broker verbose logging. nats-bus: Generates compose file with services configure for NATS Message Bus The NATS Server service is also included. + no-cleanup: Leaves generated files behind for debugging purposes. ``` #### TAF Compose diff --git a/compose-builder/add-security-zero-trust.yml b/compose-builder/add-security-zero-trust.yml new file mode 100644 index 00000000..77009d1d --- /dev/null +++ b/compose-builder/add-security-zero-trust.yml 
@@ -0,0 +1,97 @@
+name: edgex
+services:
+ app-rules-engine:
+ environment:
+ SERVICE_HOST: app-rules-engine.edgex.ziti
+ SERVICE_PORT: 80
+ ports: !reset null
+ core-command:
+ environment:
+ SERVICE_HOST: core-command.edgex.ziti
+ SERVICE_PORT: 80
+ CLIENTS_CORE_METADATA_HOST: "core-metadata.edgex.ziti"
+ CLIENTS_CORE_METADATA_PORT: 80
+ CLIENTS_CORE_METADATA_SECURITYOPTIONS_MODE: "zerotrust"
+ ports: !reset null
+ core-common-config-bootstrapper:
+ environment:
+ ALL_SERVICES_SERVICE_SECURITYOPTIONS_MODE: "zerotrust"
+ APP_SERVICES_CLIENTS_CORE_METADATA_HOST: core-metadata.edgex.ziti
+ APP_SERVICES_CLIENTS_CORE_METADATA_PORT: 80
+ APP_SERVICES_CLIENTS_CORE_METADATA_SECURITYOPTIONS_MODE: "zerotrust"
+ DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: core-metadata.edgex.ziti
+ DEVICE_SERVICES_CLIENTS_CORE_METADATA_PORT: 80
+ DEVICE_SERVICES_CLIENTS_CORE_METADATA_SECURITYOPTIONS_MODE: "zerotrust"
+ ports: !reset null
+ core-data:
+ environment:
+ SERVICE_HOST: core-data.edgex.ziti
+ SERVICE_PORT: 80
+ ports: !reset null
+ core-metadata:
+ environment:
+ SERVICE_HOST: core-metadata.edgex.ziti
+ SERVICE_PORT: "80"
+ ports: !reset null
+ rules-engine:
+ environment:
+ EDGEX_CREDENTIAL_NAME: rules-engine
+ EDGEX_CREDENTIALS: /tmp/edgex/secrets/rules-engine/secrets-token.json
+ OPENZITI_CONTROLLER: openziti:1280
+ ports: !reset null
+ volumes:
+ - edgex-init:/edgex-init
+ - /tmp/edgex/secrets/rules-engine:/tmp/edgex/secrets/rules-engine:ro,z
+ support-notifications:
+ environment:
+ SERVICE_HOST: support-notifications.edgex.ziti
+ SERVICE_PORT: 80
+ ports: !reset null
+ support-scheduler:
+ environment:
+ SERVICE_HOST: support-scheduler.edgex.ziti
+ SERVICE_PORT: 80
+ ports: !reset null
+ ui:
+ command:
+ - "./edgex-ui-server"
+ - "--configDir=res/docker"
+ container_name: edgex-ui-go
+ depends_on:
+ consul:
+ condition: service_started
+ core-common-config-bootstrapper:
+ condition: service_started
+ core-metadata:
+ condition: service_started
+ security-bootstrapper:
+
condition: service_started + env_file: + - common-security.env + - common-sec-stage-gate.env + environment: + SERVICE_HOST: edgex-ui-go + CLIENTS_CORE_COMMAND_SECURITYOPTIONS_MODE: "zerotrust" + CLIENTS_CORE_COMMAND_HOST: "core-command.edgex.ziti" + CLIENTS_CORE_COMMAND_PORT: 80 + CLIENTS_CORE_DATA_SECURITYOPTIONS_MODE: "zerotrust" + CLIENTS_CORE_DATA_HOST: "core-data.edgex.ziti" + CLIENTS_CORE_DATA_PORT: 80 + CLIENTS_CORE_METADATA_SECURITYOPTIONS_MODE: "zerotrust" + CLIENTS_CORE_METADATA_HOST: "core-metadata.edgex.ziti" + CLIENTS_CORE_METADATA_PORT: 80 + CLIENTS_RULES_ENGINE_SECURITYOPTIONS_MODE: "zerotrust" + CLIENTS_RULES_ENGINE_HOST: "rules-engine.edgex.ziti" + CLIENTS_RULES_ENGINE_PORT: 80 + CLIENTS_SUPPORT_NOTIFICATIONS_SECURITYOPTIONS_MODE: "zerotrust" + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: "support-notifications.edgex.ziti" + CLIENTS_SUPPORT_NOTIFICATIONS_PORT: 80 + CLIENTS_SUPPORT_SCHEDULER_SECURITYOPTIONS_MODE: "zerotrust" + CLIENTS_SUPPORT_SCHEDULER_HOST: "support-scheduler.edgex.ziti" + CLIENTS_SUPPORT_SCHEDULER_PORT: 80 + VAULT_ADDR: http://edgex-vault:8200 + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + volumes: + - edgex-init:/edgex-init + - /tmp/edgex/secrets/ui:/tmp/edgex/secrets/ui:ro,z diff --git a/compose-builder/add-service-secure-template.yml b/compose-builder/add-service-secure-template.yml index fcf36368..e6d6f186 100644 --- a/compose-builder/add-service-secure-template.yml +++ b/compose-builder/add-service-secure-template.yml @@ -25,9 +25,9 @@ services: environment: EDGEX_ADD_REGISTRY_ACL_ROLES: ${TOKEN_LIST} - security-proxy-setup: - environment: - EDGEX_ADD_PROXY_ROUTE: ${EXTRA_PROXY_ROUTE_LIST} + ${ZERO_TRUST}security-proxy-setup: + ${ZERO_TRUST} environment: + ${ZERO_TRUST} EDGEX_ADD_PROXY_ROUTE: ${EXTRA_PROXY_ROUTE_LIST} ${SERVICE_NAME}: entrypoint: [${SHELL_OVERRIDE} "/edgex-init/ready_to_run_wait_install.sh"] 
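Review bot: `ui` is the only service in this new file without `ports: !reset null`, so if its base definition publishes a port that port stays published in zero-trust mode, contradicting the README's statement that nothing other than the OpenZiti ports is reachable; either add `ports: !reset null` to `ui` or document why the UI port is intentionally kept exposed. Separately, `core-metadata` sets `SERVICE_PORT: "80"` as a quoted string while every other service uses the bare integer `80`; the values are equivalent once they reach the container environment, but the inconsistency looks accidental and should be normalized to `SERVICE_PORT: 80`.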
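Review bot: `${ZERO_TRUST}` is used here as a literal text prefix on YAML keys, and the script hunk that follows only shows it being replaced with `#` when ZERO_TRUST is 1; the non-zero-trust path is outside the visible hunk, and if it leaves the placeholder in place the key becomes `${ZERO_TRUST}security-proxy-setup`, which Compose variable interpolation (applied to values rather than mapping keys, as far as I know) will not rewrite, so the proxy route would silently never be added. The other branch should strip it explicitly, `sed -i 's,${ZERO_TRUST},,g' "$SERVICE_EXT_COMPOSE_PATH"`, and this template line deserves a comment explaining the mechanism, e.g. `# ${ZERO_TRUST} is rewritten by gen_secure_compose_ext.sh: "#" comments these lines out in zero-trust mode, empty keeps them`.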
diff --git a/compose-builder/gen_secure_compose_ext.sh b/compose-builder/gen_secure_compose_ext.sh index 42ea322f..dbde5d3e 100755 --- a/compose-builder/gen_secure_compose_ext.sh +++ b/compose-builder/gen_secure_compose_ext.sh @@ -47,10 +47,24 @@ mkdir -p "$GEN_EXT_DIR" ADD_SERVICE_SECURE_FILE_TEMPLATE="add-service-secure-template.yml" -SERVICE_EXT_COMPOSE_PATH=./"$GEN_EXT_DIR"/add-"$service_name"-secure.yml +SERVICE_EXT_COMPOSE_PATH="./${GEN_EXT_DIR}/add-${service_name}-secure.yml" sed 's/${SERVICE_NAME}:/'"$service_name"':/g' "$ADD_SERVICE_SECURE_FILE_TEMPLATE" > "$SERVICE_EXT_COMPOSE_PATH" sed -i 's/${SERVICE_KEY}/'"$service_key"'/g' "$SERVICE_EXT_COMPOSE_PATH" sed -i 's,${EXECUTABLE},'"$executable"',g' "$SERVICE_EXT_COMPOSE_PATH" +if [ "$ZERO_TRUST" = "1" ]; then + sed -i 's,${ZERO_TRUST},#,g' "$SERVICE_EXT_COMPOSE_PATH" + cat >> "$SERVICE_EXT_COMPOSE_PATH" <