diff --git a/compose-builder/.env b/compose-builder/.env
index fef651a1..f90416c3 100644
--- a/compose-builder/.env
+++ b/compose-builder/.env
@@ -60,8 +60,8 @@ WRITABLE_INSECURESECRETS_DB_SECRETDATA_USERNAME=
 WRITABLE_INSECURESECRETS_DB_SECRETDATA_PASSWORD=
 COMMON_SEC_STAGE_GATE_FILE_NAME=common-sec-stage-gate.env
 
-# Lock on Vault 1.14 (last MPL-2.0 version)
-VAULT_VERSION=1.14
+# Lock on OpenBao 2.0 (last MPL-2.0 version)
+BAO_VERSION=2.0
 # Lock on Consul 1.16 (last MPL-2.0 version)
 CONSUL_VERSION=1.16
 # Lock on Redis 7.0 until EdgeX 4.0
diff --git a/compose-builder/Makefile b/compose-builder/Makefile
index e86fbede..1a79cde4 100644
--- a/compose-builder/Makefile
+++ b/compose-builder/Makefile
@@ -43,7 +43,7 @@ export USERID:=$(shell id -u)
 # Set default rootful docker socket path
 export DOCKER_SOCKET_PATH=/var/run/docker.sock
 
-# Get total system memory in megabytes for vault config
+# Get total system memory in megabytes for secret store config
 export TOTAL_SYSTEM_MEMORY:=$(shell grep MemTotal /proc/meminfo | awk '{print $$2}')m
 
 BROKER_YAML=add-mqtt-broker-mosquitto.yml
diff --git a/compose-builder/add-secure-consul.yml b/compose-builder/add-secure-consul.yml
index cfb50da9..c2a518af 100644
--- a/compose-builder/add-secure-consul.yml
+++ b/compose-builder/add-secure-consul.yml
@@ -41,4 +41,4 @@ services:
 - consul-acl-token:/tmp/edgex/secrets/consul-acl-token
 depends_on:
 - security-bootstrapper
- - vault
+ - secret-store
diff --git a/compose-builder/add-security-postgres.yml b/compose-builder/add-security-postgres.yml
index d482aed2..a3794eee 100644
--- a/compose-builder/add-security-postgres.yml
+++ b/compose-builder/add-security-postgres.yml
@@ -18,9 +18,9 @@ volumes:
 
 
 edgex-init:
- vault-config:
- vault-file:
- vault-logs:
+ secret-store-config:
+ secret-store-file:
+ secret-store-logs:
 
 services:
 security-bootstrapper:
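Review bot: The rationale comment on the new `BAO_VERSION` line is carried over from the Vault line and no longer holds: OpenBao has been MPL-2.0 licensed since it forked, so "(last MPL-2.0 version)" does not explain why 2.0 is pinned; `# Lock on OpenBao 2.0 (replaces Vault 1.14)` states what the change actually does. Separately, `2.0` is a floating minor tag consumed by `image: openbao/openbao:${BAO_VERSION}` in add-security.yml and add-security-postgres.yml, so every `docker compose pull` can move the secret store to a new patch build with no change in this repo. For the component that holds every other service's credentials, pinning a full patch version or an image digest (`openbao/openbao:<major.minor.patch>@sha256:<digest>`, placeholder) keeps the deployment reproducible and reviewable; the same applies to the baked-in `image: openbao/openbao:2.0` in the generated compose files.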
@@ -72,24 +72,24 @@ services:
 - edgex-network
 tmpfs:
 - /run
- - /vault
+ - /openbao
 volumes:
 # use host timezone
 - /etc/localtime:/etc/localtime:ro
 - edgex-init:/edgex-init:ro
- - vault-config:/vault/config
+ - secret-store-config:/openbao/config
 - /tmp/edgex/secrets:/tmp/edgex/secrets:z
 depends_on:
 - security-bootstrapper
- - vault
+ - secret-store
 security_opt:
 - no-new-privileges:true
 
- vault:
- image: hashicorp/vault:${VAULT_VERSION}
- user: "root:root" # Note that Vault is run under the 'vault' user, but entry point scripts need to first run as root
- container_name: edgex-vault
- hostname: edgex-vault
+ secret-store:
+ image: openbao/openbao:${BAO_VERSION}
+ user: "root:root" # Note that OpenBao is run under the 'openbao' user, but entry point scripts need to first run as root
+ container_name: edgex-secret-store
+ hostname: edgex-secret-store
 networks:
 - edgex-network
 ports:
@@ -100,32 +100,31 @@ services:
 memory: "${TOTAL_SYSTEM_MEMORY}"
 memswap_limit: "${TOTAL_SYSTEM_MEMORY}"
 tmpfs:
- - /vault/config
- entrypoint: [ "/edgex-init/vault_wait_install.sh" ]
+ - /openbao/config
+ entrypoint: [ "/edgex-init/secretstore_wait_install.sh" ]
 env_file:
 - common-sec-stage-gate-postgres.env
 command: server
 environment:
- VAULT_ADDR: http://edgex-vault:8200
- VAULT_CONFIG_DIR: /vault/config
- VAULT_UI: "true"
+ BAO_ADDR: http://edgex-secret-store:8200
+ BAO_CONFIG_DIR: /openbao/config
 SKIP_SETCAP: "true"
- VAULT_LOCAL_CONFIG: |
+ BAO_LOCAL_CONFIG: |
 listener "tcp" {
- address = "edgex-vault:8200"
+ address = "edgex-secret-store:8200"
 tls_disable = "1"
- cluster_address = "edgex-vault:8201"
+ cluster_address = "edgex-secret-store:8201"
 }
 backend "file" {
- path = "/vault/file"
+ path = "/openbao/file"
 }
 default_lease_ttl = "168h"
 max_lease_ttl = "720h"
 disable_mlock = true
 volumes:
 - edgex-init:/edgex-init:ro
- - vault-file:/vault/file
- - vault-logs:/vault/logs
+ - secret-store-file:/openbao/file
+ - secret-store-logs:/openbao/logs
 depends_on:
 - security-bootstrapper
 restart: always
diff --git a/compose-builder/add-security-proxy.yml b/compose-builder/add-security-proxy.yml
index b8de2ec1..6d76be30 100644
--- a/compose-builder/add-security-proxy.yml
+++ b/compose-builder/add-security-proxy.yml
@@ -71,7 +71,7 @@ services:
 # use host timezone
 - /etc/localtime:/etc/localtime:ro
 - edgex-init:/edgex-init:ro
- - vault-config:/vault/config
+ - secret-store-config:/openbao/config
 - nginx-templates:/etc/nginx/templates
 - nginx-tls:/etc/ssl/nginx
 - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z
diff --git a/compose-builder/add-security-zero-trust.yml b/compose-builder/add-security-zero-trust.yml
index ba655830..87f9717a 100644
--- a/compose-builder/add-security-zero-trust.yml
+++ b/compose-builder/add-security-zero-trust.yml
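Review bot: `VAULT_UI: "true"` is removed from the `environment:` block with no `BAO_` counterpart, so this hunk changes behavior beyond the rename: the secret store's web UI is no longer requested through the environment. If that is intentional it is a welcome reduction of exposed surface, but it deserves a comment where the variable used to be, e.g. `# UI intentionally not enabled; API only`, so the next reader does not treat it as an accidental drop; if it is not intentional, the OpenBao equivalent needs confirming against its documentation before anything is re-added. The rest of `BAO_LOCAL_CONFIG` is a verbatim carry-over, including `tls_disable = "1"`, so the listener on edgex-secret-store:8200 remains plaintext after this change. The same hunk appears in add-security.yml (`@@ -110,32 +110,31 @@`) and this note applies there too.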
@@ -86,7 +86,7 @@ services:
 CLIENTS_SUPPORT_SCHEDULER_SECURITYOPTIONS_MODE: "zerotrust"
 CLIENTS_SUPPORT_SCHEDULER_HOST: "support-scheduler.edgex.ziti"
 CLIENTS_SUPPORT_SCHEDULER_PORT: 80
- VAULT_ADDR: http://edgex-vault:8200
+ BAO_ADDR: http://edgex-secret-store:8200
 entrypoint:
 - /edgex-init/ready_to_run_wait_install.sh
 volumes:
diff --git a/compose-builder/add-security.yml b/compose-builder/add-security.yml
index 7c303403..49214350 100644
--- a/compose-builder/add-security.yml
+++ b/compose-builder/add-security.yml
@@ -15,9 +15,9 @@ volumes:
 
 
 edgex-init:
- vault-config:
- vault-file:
- vault-logs:
+ secret-store-config:
+ secret-store-file:
+ secret-store-logs:
 
 # non-shared volumes
 redis-config:
@@ -82,24 +82,24 @@ services:
 - edgex-network
 tmpfs:
 - /run
- - /vault
+ - /openbao
 volumes:
 # use host timezone
 - /etc/localtime:/etc/localtime:ro
 - edgex-init:/edgex-init:ro
- - vault-config:/vault/config
+ - secret-store-config:/openbao/config
 - /tmp/edgex/secrets:/tmp/edgex/secrets:z
 depends_on:
 - security-bootstrapper
- - vault
+ - secret-store
 security_opt:
 - no-new-privileges:true
 
- vault:
- image: hashicorp/vault:${VAULT_VERSION}
- user: "root:root" # Note that Vault is run under the 'vault' user, but entry point scripts need to first run as root
- container_name: edgex-vault
- hostname: edgex-vault
+ secret-store:
+ image: openbao/openbao:${BAO_VERSION}
+ user: "root:root" # Note that OpenBao is run under the 'openbao' user, but entry point scripts need to first run as root
+ container_name: edgex-secret-store
+ hostname: edgex-secret-store
 networks:
 - edgex-network
 ports:
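Review bot: `BAO_ADDR: http://edgex-secret-store:8200` in the zero-trust hunk only takes effect if whatever reads it inside this container has been switched from the `VAULT_ADDR` name; the consumer is outside the hunk, and a Vault-compatible client that still looks up `VAULT_ADDR` would now find no address and fall back to its built-in default, which surfaces later as a connection failure to the wrong host rather than as a configuration error. Worth confirming against the image this service runs, and if it honours both names, keeping `VAULT_ADDR: http://edgex-secret-store:8200` alongside the new key for one release is the safer migration. The enclosing service definition starts and ends outside the hunk.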
@@ -110,32 +110,31 @@ services:
 memory: "${TOTAL_SYSTEM_MEMORY}"
 memswap_limit: "${TOTAL_SYSTEM_MEMORY}"
 tmpfs:
- - /vault/config
- entrypoint: [ "/edgex-init/vault_wait_install.sh" ]
+ - /openbao/config
+ entrypoint: [ "/edgex-init/secretstore_wait_install.sh" ]
 env_file:
 - common-sec-stage-gate.env
 command: server
 environment:
- VAULT_ADDR: http://edgex-vault:8200
- VAULT_CONFIG_DIR: /vault/config
- VAULT_UI: "true"
+ BAO_ADDR: http://edgex-secret-store:8200
+ BAO_CONFIG_DIR: /openbao/config
 SKIP_SETCAP: "true"
- VAULT_LOCAL_CONFIG: |
+ BAO_LOCAL_CONFIG: |
 listener "tcp" {
- address = "edgex-vault:8200"
+ address = "edgex-secret-store:8200"
 tls_disable = "1"
- cluster_address = "edgex-vault:8201"
+ cluster_address = "edgex-secret-store:8201"
 }
 backend "file" {
- path = "/vault/file"
+ path = "/openbao/file"
 }
 default_lease_ttl = "168h"
 max_lease_ttl = "720h"
 disable_mlock = true
 volumes:
 - edgex-init:/edgex-init:ro
- - vault-file:/vault/file
- - vault-logs:/vault/logs
+ - secret-store-file:/openbao/file
+ - secret-store-logs:/openbao/logs
 depends_on:
 - security-bootstrapper
 restart: always
diff --git a/compose-builder/common-security.env b/compose-builder/common-security.env
index ba993b89..08d1e0ec 100644
--- a/compose-builder/common-security.env
+++ b/compose-builder/common-security.env
@@ -17,4 +17,4 @@
 #
 
 EDGEX_SECURITY_SECRET_STORE=true
-SECRETSTORE_HOST=edgex-vault
\ No newline at end of file
+SECRETSTORE_HOST=edgex-secret-store
\ No newline at end of file
diff --git a/compose-builder/get-api-gateway-token.sh b/compose-builder/get-api-gateway-token.sh
index e3a0678a..24fe75d2 100755
--- a/compose-builder/get-api-gateway-token.sh
+++ b/compose-builder/get-api-gateway-token.sh
@@ -20,11 +20,11 @@ docker exec -ti edgex-security-proxy-setup ./secrets-config proxy deluser --user "${username}" --useRootToken
 
 # Create new user, log in, and exchange for JWT
 password=$(docker exec -ti edgex-security-proxy-setup ./secrets-config proxy adduser --user "${username}" --useRootToken | jq -r '.password')
-vault_token=$(curl -ks "http://localhost:8200/v1/auth/userpass/login/${username}" -d "{\"password\":\"${password}\"}" | jq -r '.auth.client_token')
-id_token=$(curl -ks -H "Authorization: Bearer ${vault_token}" "http://localhost:8200/v1/identity/oidc/token/${username}" | jq -r '.data.token')
+secret_store_token=$(curl -ks "http://localhost:8200/v1/auth/userpass/login/${username}" -d "{\"password\":\"${password}\"}" | jq -r '.auth.client_token')
+id_token=$(curl -ks -H "Authorization: Bearer ${secret_store_token}" "http://localhost:8200/v1/identity/oidc/token/${username}" | jq -r '.data.token')
 
 # Check that we got sane output from the previous commands before coughing up the token
-introspect_result=$(curl -ks -H "Authorization: Bearer ${vault_token}" "http://localhost:8200/v1/identity/oidc/introspect" -d "{\"token\":\"${id_token}\"}" | jq -r '.active')
+introspect_result=$(curl -ks -H "Authorization: Bearer ${secret_store_token}" "http://localhost:8200/v1/identity/oidc/introspect" -d "{\"token\":\"${id_token}\"}" | jq -r '.active')
 if [ "${introspect_result}" = "true" ]; then
 echo "${id_token}"
 exit 0
diff --git a/docker-compose-arm64.yml b/docker-compose-arm64.yml
index 3aa92642..a143f372 100644
--- a/docker-compose-arm64.yml
+++ b/docker-compose-arm64.yml
@@ -24,7 +24,7 @@
 #
 # From the compose-builder folder use `make build` to regenerate all standard compose files variations
 #
-# Generated with: Docker Compose version v2.29.2
+# Generated with: Docker Compose version v2.29.7
 name: edgex
 services:
 app-rules-engine:
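Review bot: The renamed `secret_store_token` line, and the `id_token` and `introspect_result` lines that use it, still pass the freshly created password and the bearer token as curl command-line arguments, so both are readable in the host process table (`ps`, `/proc/<pid>/cmdline`) by any local user while the request runs. Sending the body on stdin keeps it out of argv and also fixes the hand-assembled JSON, which breaks on a password containing `"` or `\`: `secret_store_token=$(jq -cn --arg p "${password}" '{password: $p}' | curl -ks "http://localhost:8200/v1/auth/userpass/login/${username}" -d @- | jq -r '.auth.client_token')`. The `Authorization` header on the other two calls can be moved off argv the same way with a curl config read from stdin (`-K -`). `-k` has no effect on these plain-http URLs and can be dropped.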
@@ -52,7 +52,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -111,10 +111,10 @@ services: - 0.0.0.0 container_name: edgex-core-consul depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true entrypoint: @@ -125,7 +125,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -213,7 +213,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -291,7 +291,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -360,7 +360,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -434,7 +434,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -499,7 +499,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -578,7 +578,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -654,7 +654,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -856,6 +856,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: edgex-security-bootstrapper 
environment: @@ -915,7 +977,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -978,7 +1040,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-rest.http://edgex-device-rest:59986 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1014,8 +1076,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1040,10 +1102,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1053,7 +1115,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: redis STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1078,7 +1140,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1093,8 +1155,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
@@ -1138,7 +1200,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1217,7 +1279,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1292,69 +1354,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: "8500" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -1388,9 +1387,9 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs diff --git a/docker-compose-no-secty-arm64.yml b/docker-compose-no-secty-arm64.yml index a0a88c85..bfc308f6 100644 --- a/docker-compose-no-secty-arm64.yml +++ b/docker-compose-no-secty-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-rules-engine: diff --git a/docker-compose-no-secty-with-app-sample-arm64.yml b/docker-compose-no-secty-with-app-sample-arm64.yml index 3e6d014b..36bb0938 100644 --- a/docker-compose-no-secty-with-app-sample-arm64.yml +++ b/docker-compose-no-secty-with-app-sample-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-rules-engine: diff --git a/docker-compose-no-secty-with-app-sample.yml b/docker-compose-no-secty-with-app-sample.yml index ac30267d..cc925af6 100644 --- a/docker-compose-no-secty-with-app-sample.yml +++ b/docker-compose-no-secty-with-app-sample.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-rules-engine: diff --git a/docker-compose-no-secty.yml b/docker-compose-no-secty.yml index 5c29d492..d0f34701 100644 --- a/docker-compose-no-secty.yml 
+++ b/docker-compose-no-secty.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-rules-engine: diff --git a/docker-compose-with-app-sample-arm64.yml b/docker-compose-with-app-sample-arm64.yml index 1e19f3f9..bfd5545f 100644 --- a/docker-compose-with-app-sample-arm64.yml +++ b/docker-compose-with-app-sample-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-rules-engine: @@ -52,7 +52,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -129,7 +129,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -188,10 +188,10 @@ services: - 0.0.0.0 container_name: edgex-core-consul depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true entrypoint: 
@@ -202,7 +202,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -290,7 +290,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -368,7 +368,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -437,7 +437,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -511,7 +511,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -576,7 +576,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -655,7 +655,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -731,7 +731,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -933,6 +933,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: edgex-security-bootstrapper 
environment: @@ -992,7 +1054,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1055,7 +1117,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-rest.http://edgex-device-rest:59986,app-sample.http://edgex-app-sample:59700 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1091,8 +1153,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1117,10 +1179,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1130,7 +1192,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: redis STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1155,7 +1217,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1170,8 +1232,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
@@ -1215,7 +1277,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1294,7 +1356,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1369,69 +1431,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: "8500" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -1465,9 +1464,9 @@ volumes:
 name: edgex_nginx-tls
 redis-config:
 name: edgex_redis-config
- vault-config:
- name: edgex_vault-config
- vault-file:
- name: edgex_vault-file
- vault-logs:
- name: edgex_vault-logs
+ secret-store-config:
+ name: edgex_secret-store-config
+ secret-store-file:
+ name: edgex_secret-store-file
+ secret-store-logs:
+ name: edgex_secret-store-logs
diff --git a/docker-compose-with-app-sample.yml b/docker-compose-with-app-sample.yml
index 26713ffb..1acbd893 100644
--- a/docker-compose-with-app-sample.yml
+++ b/docker-compose-with-app-sample.yml
@@ -24,7 +24,7 @@
 #
 # From the compose-builder folder use `make build` to regenerate all standard compose files variations
 #
-# Generated with: Docker Compose version v2.29.2
+# Generated with: Docker Compose version v2.29.7
 name: edgex
 services:
 app-rules-engine:
@@ -52,7 +52,7 @@ services:
 EDGEX_PROFILE: rules-engine
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-app-rules-engine
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -129,7 +129,7 @@ services:
 EDGEX_PROFILE: sample
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-app-sample
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -188,10 +188,10 @@ services:
 - 0.0.0.0
 container_name: edgex-core-consul
 depends_on:
- security-bootstrapper:
+ secret-store:
 condition: service_started
 required: true
- vault:
+ security-bootstrapper:
 condition: service_started
 required: true
 entrypoint:
@@ -202,7 +202,7 @@ services:
 EDGEX_SECURITY_SECRET_STORE: "true"
 EDGEX_USER: "2002"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
 STAGEGATE_DATABASE_HOST: edgex-redis
@@ -290,7 +290,7 @@ services:
 EDGEX_SECURITY_SECRET_STORE: "true"
 EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-core-command
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -368,7 +368,7 @@ services:
 DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
 STAGEGATE_DATABASE_HOST: edgex-redis
@@ -437,7 +437,7 @@ services:
 DATABASE_HOST: edgex-redis
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-core-data
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -511,7 +511,7 @@ services:
 DATABASE_HOST: edgex-redis
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-core-metadata
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -576,7 +576,7 @@ services:
 DATABASECONFIG_PATH: /run/redis/conf
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
 STAGEGATE_DATABASE_HOST: edgex-redis
@@ -655,7 +655,7 @@ services:
 environment:
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-device-rest
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -731,7 +731,7 @@ services:
 environment:
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-device-virtual
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -933,6 +933,68 @@ services:
 target: /edgex-init
 read_only: true
 volume: {}
+ secret-store:
+ command:
+ server
+ container_name: edgex-secret-store
+ depends_on:
+ security-bootstrapper:
+ condition: service_started
+ required: true
+ deploy:
+ resources:
+ limits:
+ memory: "5705444622336"
+ entrypoint:
+ /edgex-init/secretstore_wait_install.sh
+ environment:
+ BAO_ADDR: http://edgex-secret-store:8200
+ BAO_CONFIG_DIR: /openbao/config
+ BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n"
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ SKIP_SETCAP: "true"
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: "6379"
+ STAGEGATE_DATABASE_READYPORT: "6379"
+ STAGEGATE_PROXYSETUP_READYPORT: "54325"
+ STAGEGATE_READY_TORUNPORT: "54329"
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: "8500"
+ STAGEGATE_REGISTRY_READYPORT: "54324"
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-secret-store
+ image: openbao/openbao:2.0
+ memswap_limit: "5705444622336"
+ networks:
+ edgex-network: null
+ ports:
+ - mode: ingress
+ host_ip: 127.0.0.1
+ target: 8200
+ published: "8200"
+ protocol: tcp
+ restart: always
+ tmpfs:
+ /openbao/config
+ user: root:root
+ volumes:
+ - type: volume
+ source: edgex-init
+ target: /edgex-init
+ read_only: true
+ volume: {}
+ - type: volume
+ source: secret-store-file
+ target: /openbao/file
+ volume: {}
+ - type: volume
+ source: secret-store-logs
+ target: /openbao/logs
+ volume: {}
 security-bootstrapper:
 container_name: edgex-security-bootstrapper
environment:
@@ -992,7 +1054,7 @@ services:
 environment:
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-proxy-auth
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -1055,7 +1117,7 @@ services:
 EDGEX_ADD_PROXY_ROUTE: device-rest.http://edgex-device-rest:59986,app-sample.http://edgex-app-sample:59700
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
 STAGEGATE_DATABASE_HOST: edgex-redis
@@ -1091,8 +1153,8 @@ services:
 read_only: true
 volume: {}
 - type: volume
- source: vault-config
- target: /vault/config
+ source: secret-store-config
+ target: /openbao/config
 volume: {}
 - type: volume
 source: nginx-templates
@@ -1117,10 +1179,10 @@ services:
 security-secretstore-setup:
 container_name: edgex-security-secretstore-setup
 depends_on:
- security-bootstrapper:
+ secret-store:
 condition: service_started
 required: true
- vault:
+ security-bootstrapper:
 condition: service_started
 required: true
 environment:
@@ -1130,7 +1192,7 @@ services:
 EDGEX_SECURITY_SECRET_STORE: "true"
 EDGEX_USER: "2002"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SECUREMESSAGEBUS_TYPE: redis
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -1155,7 +1217,7 @@ services:
 - no-new-privileges:true
 tmpfs:
 - /run
- - /vault
+ - /openbao
 user: root:root
 volumes:
 - type: bind
@@ -1170,8 +1232,8 @@ services:
 read_only: true
 volume: {}
 - type: volume
- source: vault-config
- target: /vault/config
+ source: secret-store-config
+ target: /openbao/config
 volume: {}
 - type: bind
 source: /tmp/edgex/secrets
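Review bot: The new `secret-store` service bakes `memory: "5705444622336"` and `memswap_limit: "5705444622336"` into a committed, generated file, and the only apparent reason the value differs from the removed definition's `"4190239719424"` is that the file was regenerated on a different host; at these magnitudes the limit caps nothing, so the compose-builder should either pin a deliberate value or leave the limit out of the generated artifact. The removed `vault` definition carried `VAULT_UI: "true"` while the new service sets no UI option at all (presumably `BAO_UI` on OpenBao), which silently disables the web UI — if that is intended as surface reduction it belongs in the commit description, otherwise restore it. The listener block still carries `tls_disable = \"1\"` and the container still runs as `user: root:root`; both are unchanged from the vault definition and are only acceptable because the port is published on `127.0.0.1`, which is worth a comment in the builder template. The same points apply to the secret-store hunks at L31 and L38; since these files are regenerated by `make build`, the fix belongs in the compose-builder sources rather than in these outputs.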
@@ -1215,7 +1277,7 @@ services:
 DATABASE_HOST: edgex-redis
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-support-notifications
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -1294,7 +1356,7 @@ services:
 INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data
 INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-support-scheduler
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -1369,69 +1431,6 @@ services:
 read_only: true
 bind:
 create_host_path: true
- vault:
- command:
- server
- container_name: edgex-vault
- depends_on:
- security-bootstrapper:
- condition: service_started
- required: true
- deploy:
- resources:
- limits:
- memory: "4190239719424"
- entrypoint:
- /edgex-init/vault_wait_install.sh
- environment:
- PROXY_SETUP_HOST: edgex-security-proxy-setup
- SKIP_SETCAP: "true"
- STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
- STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
- STAGEGATE_DATABASE_HOST: edgex-redis
- STAGEGATE_DATABASE_PORT: "6379"
- STAGEGATE_DATABASE_READYPORT: "6379"
- STAGEGATE_PROXYSETUP_READYPORT: "54325"
- STAGEGATE_READY_TORUNPORT: "54329"
- STAGEGATE_REGISTRY_HOST: edgex-core-consul
- STAGEGATE_REGISTRY_PORT: "8500"
- STAGEGATE_REGISTRY_READYPORT: "54324"
- STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
- STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
- STAGEGATE_WAITFOR_TIMEOUT: 60s
- VAULT_ADDR: http://edgex-vault:8200
- VAULT_CONFIG_DIR: /vault/config
- VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n"
- VAULT_UI: "true"
- hostname: edgex-vault
- image: hashicorp/vault:1.14
- memswap_limit: "4190239719424"
- networks:
- edgex-network: null
- ports:
- - mode: ingress
- host_ip: 127.0.0.1
- target: 8200
- published: "8200"
- protocol: tcp
- restart: always
- tmpfs:
- /vault/config
- user: root:root
- volumes:
- - type: volume
- source: edgex-init
- target: /edgex-init
- read_only: true
- volume: {}
- - type: volume
- source: vault-file
- target: /vault/file
- volume: {}
- - type: volume
- source: vault-logs
- target: /vault/logs
- volume: {}
 networks:
 edgex-network:
 name: edgex_edgex-network
@@ -1465,9 +1464,9 @@ volumes:
 name: edgex_nginx-tls
 redis-config:
 name: edgex_redis-config
- vault-config:
- name: edgex_vault-config
- vault-file:
- name: edgex_vault-file
- vault-logs:
- name: edgex_vault-logs
+ secret-store-config:
+ name: edgex_secret-store-config
+ secret-store-file:
+ name: edgex_secret-store-file
+ secret-store-logs:
+ name: edgex_secret-store-logs
diff --git a/docker-compose-zero-trust-arm64.yml b/docker-compose-zero-trust-arm64.yml
index a9a512a1..30eac3a3 100644
--- a/docker-compose-zero-trust-arm64.yml
+++ b/docker-compose-zero-trust-arm64.yml
@@ -24,7 +24,7 @@
 #
 # From the compose-builder folder use `make build` to regenerate all standard compose files variations
 #
-# Generated with: Docker Compose version v2.29.2
+# Generated with: Docker Compose version v2.29.7
 name: edgex
 services:
 app-rules-engine:
@@ -52,7 +52,7 @@ services:
 EDGEX_PROFILE: rules-engine
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: app-rules-engine.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -106,10 +106,10 @@ services:
 - 0.0.0.0
 container_name: edgex-core-consul
 depends_on:
- security-bootstrapper:
+ secret-store:
 condition: service_started
 required: true
- vault:
+ security-bootstrapper:
 condition: service_started
 required: true
 entrypoint:
@@ -120,7 +120,7 @@ services:
 EDGEX_SECURITY_SECRET_STORE: "true"
 EDGEX_USER: "2002"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
 STAGEGATE_DATABASE_HOST: edgex-redis
@@ -211,7 +211,7 @@ services:
 EDGEX_SECURITY_SECRET_STORE: "true"
 EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: core-command.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -289,7 +289,7 @@ services:
 DEVICE_SERVICES_CLIENTS_CORE_METADATA_SECURITYOPTIONS_MODE: zerotrust
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
 STAGEGATE_DATABASE_HOST: edgex-redis
@@ -358,7 +358,7 @@ services:
 DATABASE_HOST: edgex-redis
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: core-data.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -427,7 +427,7 @@ services:
 DATABASE_HOST: edgex-redis
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: core-metadata.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -487,7 +487,7 @@ services:
 DATABASECONFIG_PATH: /run/redis/conf
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
 STAGEGATE_DATABASE_HOST: edgex-redis
@@ -566,7 +566,7 @@ services:
 environment:
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: device-rest.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -637,7 +637,7 @@ services:
 environment:
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: device-virtual.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -776,6 +776,68 @@ services:
 bind:
 selinux: z
 create_host_path: true
+ secret-store:
+ command:
+ server
+ container_name: edgex-secret-store
+ depends_on:
+ security-bootstrapper:
+ condition: service_started
+ required: true
+ deploy:
+ resources:
+ limits:
+ memory: "5705444622336"
+ entrypoint:
+ /edgex-init/secretstore_wait_install.sh
+ environment:
+ BAO_ADDR: http://edgex-secret-store:8200
+ BAO_CONFIG_DIR: /openbao/config
+ BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n"
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ SKIP_SETCAP: "true"
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: "6379"
+ STAGEGATE_DATABASE_READYPORT: "6379"
+ STAGEGATE_PROXYSETUP_READYPORT: "54325"
+ STAGEGATE_READY_TORUNPORT: "54329"
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: "8500"
+ STAGEGATE_REGISTRY_READYPORT: "54324"
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-secret-store
+ image: openbao/openbao:2.0
+ memswap_limit: "5705444622336"
+ networks:
+ edgex-network: null
+ ports:
+ - mode: ingress
+ host_ip: 127.0.0.1
+ target: 8200
+ published: "8200"
+ protocol: tcp
+ restart: always
+ tmpfs:
+ /openbao/config
+ user: root:root
+ volumes:
+ - type: volume
+ source: edgex-init
+ target: /edgex-init
+ read_only: true
+ volume: {}
+ - type: volume
+ source: secret-store-file
+ target: /openbao/file
+ volume: {}
+ - type: volume
+ source: secret-store-logs
+ target: /openbao/logs
+ volume: {}
 security-bootstrapper:
 container_name: edgex-security-bootstrapper
environment:
@@ -818,10 +880,10 @@ services:
 security-secretstore-setup:
 container_name: edgex-security-secretstore-setup
 depends_on:
- security-bootstrapper:
+ secret-store:
 condition: service_started
 required: true
- vault:
+ security-bootstrapper:
 condition: service_started
 required: true
 environment:
@@ -831,7 +893,7 @@ services:
 EDGEX_SECURITY_SECRET_STORE: "true"
 EDGEX_USER: "2002"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SECUREMESSAGEBUS_TYPE: redis
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -856,7 +918,7 @@ services:
 - no-new-privileges:true
 tmpfs:
 - /run
- - /vault
+ - /openbao
 user: root:root
 volumes:
 - type: bind
@@ -871,8 +933,8 @@ services:
 read_only: true
 volume: {}
 - type: volume
- source: vault-config
- target: /vault/config
+ source: secret-store-config
+ target: /openbao/config
 volume: {}
 - type: bind
 source: /tmp/edgex/secrets
@@ -916,7 +978,7 @@ services:
 DATABASE_HOST: edgex-redis
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: support-notifications.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -990,7 +1052,7 @@ services:
 INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data
 INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: support-scheduler.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -1055,6 +1117,7 @@ services:
 entrypoint:
 - /edgex-init/ready_to_run_wait_install.sh
 environment:
+ BAO_ADDR: http://edgex-secret-store:8200
 CLIENTS_CORE_COMMAND_HOST: core-command.edgex.ziti
 CLIENTS_CORE_COMMAND_PORT: "80"
 CLIENTS_CORE_COMMAND_SECURITYOPTIONS_MODE: zerotrust
@@ -1075,7 +1138,7 @@ services:
 CLIENTS_SUPPORT_SCHEDULER_SECURITYOPTIONS_MODE: zerotrust
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-ui-go
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -1090,7 +1153,6 @@ services:
 STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
 STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
 STAGEGATE_WAITFOR_TIMEOUT: 60s
- VAULT_ADDR: http://edgex-vault:8200
 hostname: edgex-ui-go
 image: nexus3.edgexfoundry.org:10004/edgex-ui-arm64:latest
 networks:
@@ -1123,69 +1185,6 @@ services:
 bind:
 selinux: z
 create_host_path: true
- vault:
- command:
- server
- container_name: edgex-vault
- depends_on:
- security-bootstrapper:
- condition: service_started
- required: true
- deploy:
- resources:
- limits:
- memory: "4190239719424"
- entrypoint:
- /edgex-init/vault_wait_install.sh
- environment:
- PROXY_SETUP_HOST: edgex-security-proxy-setup
- SKIP_SETCAP: "true"
- STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
- STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
- STAGEGATE_DATABASE_HOST: edgex-redis
- STAGEGATE_DATABASE_PORT: "6379"
- STAGEGATE_DATABASE_READYPORT: "6379"
- STAGEGATE_PROXYSETUP_READYPORT: "54325"
- STAGEGATE_READY_TORUNPORT: "54329"
- STAGEGATE_REGISTRY_HOST: edgex-core-consul
- STAGEGATE_REGISTRY_PORT: "8500"
- STAGEGATE_REGISTRY_READYPORT: "54324"
- STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
- STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
- STAGEGATE_WAITFOR_TIMEOUT: 60s
- VAULT_ADDR: http://edgex-vault:8200
- VAULT_CONFIG_DIR: /vault/config
- VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n"
- VAULT_UI: "true"
- hostname: edgex-vault
- image: hashicorp/vault:1.14
- memswap_limit: "4190239719424"
- networks:
- edgex-network: null
- ports:
- - mode: ingress
- host_ip: 127.0.0.1
- target: 8200
- published: "8200"
- protocol: tcp
- restart: always
- tmpfs:
- /vault/config
- user: root:root
- volumes:
- - type: volume
- source: edgex-init
- target: /edgex-init
- read_only: true
- volume: {}
- - type: volume
- source: vault-file
- target: /vault/file
- volume: {}
- - type: volume
- source: vault-logs
- target: /vault/logs
- volume: {}
 networks:
 edgex-network:
 name: edgex_edgex-network
@@ -1215,9 +1214,9 @@ volumes:
 name: edgex_kuiper-sources
 redis-config:
 name: edgex_redis-config
- vault-config:
- name: edgex_vault-config
- vault-file:
- name: edgex_vault-file
- vault-logs:
- name: edgex_vault-logs
+ secret-store-config:
+ name: edgex_secret-store-config
+ secret-store-file:
+ name: edgex_secret-store-file
+ secret-store-logs:
+ name: edgex_secret-store-logs
diff --git a/docker-compose-zero-trust.yml b/docker-compose-zero-trust.yml
index 78b1c5e4..7c95bf5f 100644
--- a/docker-compose-zero-trust.yml
+++ b/docker-compose-zero-trust.yml
@@ -24,7 +24,7 @@
 #
 # From the compose-builder folder use `make build` to regenerate all standard compose files variations
 #
-# Generated with: Docker Compose version v2.29.2
+# Generated with: Docker Compose version v2.29.7
 name: edgex
 services:
 app-rules-engine:
@@ -52,7 +52,7 @@ services:
 EDGEX_PROFILE: rules-engine
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: app-rules-engine.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -106,10 +106,10 @@ services:
 - 0.0.0.0
 container_name: edgex-core-consul
 depends_on:
- security-bootstrapper:
+ secret-store:
 condition: service_started
 required: true
- vault:
+ security-bootstrapper:
 condition: service_started
 required: true
 entrypoint:
@@ -120,7 +120,7 @@ services:
 EDGEX_SECURITY_SECRET_STORE: "true"
 EDGEX_USER: "2002"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
 STAGEGATE_DATABASE_HOST: edgex-redis
@@ -211,7 +211,7 @@ services:
 EDGEX_SECURITY_SECRET_STORE: "true"
 EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: core-command.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -289,7 +289,7 @@ services:
 DEVICE_SERVICES_CLIENTS_CORE_METADATA_SECURITYOPTIONS_MODE: zerotrust
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
 STAGEGATE_DATABASE_HOST: edgex-redis
@@ -358,7 +358,7 @@ services:
 DATABASE_HOST: edgex-redis
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: core-data.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -427,7 +427,7 @@ services:
 DATABASE_HOST: edgex-redis
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: core-metadata.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -487,7 +487,7 @@ services:
 DATABASECONFIG_PATH: /run/redis/conf
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
 STAGEGATE_DATABASE_HOST: edgex-redis
@@ -566,7 +566,7 @@ services:
 environment:
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: device-rest.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -637,7 +637,7 @@ services:
 environment:
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: device-virtual.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -776,6 +776,68 @@ services:
 bind:
 selinux: z
 create_host_path: true
+ secret-store:
+ command:
+ server
+ container_name: edgex-secret-store
+ depends_on:
+ security-bootstrapper:
+ condition: service_started
+ required: true
+ deploy:
+ resources:
+ limits:
+ memory: "5705444622336"
+ entrypoint:
+ /edgex-init/secretstore_wait_install.sh
+ environment:
+ BAO_ADDR: http://edgex-secret-store:8200
+ BAO_CONFIG_DIR: /openbao/config
+ BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n"
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ SKIP_SETCAP: "true"
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: "6379"
+ STAGEGATE_DATABASE_READYPORT: "6379"
+ STAGEGATE_PROXYSETUP_READYPORT: "54325"
+ STAGEGATE_READY_TORUNPORT: "54329"
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: "8500"
+ STAGEGATE_REGISTRY_READYPORT: "54324"
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-secret-store
+ image: openbao/openbao:2.0
+ memswap_limit: "5705444622336"
+ networks:
+ edgex-network: null
+ ports:
+ - mode: ingress
+ host_ip: 127.0.0.1
+ target: 8200
+ published: "8200"
+ protocol: tcp
+ restart: always
+ tmpfs:
+ /openbao/config
+ user: root:root
+ volumes:
+ - type: volume
+ source: edgex-init
+ target: /edgex-init
+ read_only: true
+ volume: {}
+ - type: volume
+ source: secret-store-file
+ target: /openbao/file
+ volume: {}
+ - type: volume
+ source: secret-store-logs
+ target: /openbao/logs
+ volume: {}
 security-bootstrapper:
 container_name: edgex-security-bootstrapper
environment:
@@ -818,10 +880,10 @@ services:
 security-secretstore-setup:
 container_name: edgex-security-secretstore-setup
 depends_on:
- security-bootstrapper:
+ secret-store:
 condition: service_started
 required: true
- vault:
+ security-bootstrapper:
 condition: service_started
 required: true
 environment:
@@ -831,7 +893,7 @@ services:
 EDGEX_SECURITY_SECRET_STORE: "true"
 EDGEX_USER: "2002"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SECUREMESSAGEBUS_TYPE: redis
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -856,7 +918,7 @@ services:
 - no-new-privileges:true
 tmpfs:
 - /run
- - /vault
+ - /openbao
 user: root:root
 volumes:
 - type: bind
@@ -871,8 +933,8 @@ services:
 read_only: true
 volume: {}
 - type: volume
- source: vault-config
- target: /vault/config
+ source: secret-store-config
+ target: /openbao/config
 volume: {}
 - type: bind
 source: /tmp/edgex/secrets
@@ -916,7 +978,7 @@ services:
 DATABASE_HOST: edgex-redis
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: support-notifications.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -990,7 +1052,7 @@ services:
 INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data
 INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: support-scheduler.edgex.ziti
 SERVICE_PORT: "80"
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
@@ -1055,6 +1117,7 @@ services:
 entrypoint:
 - /edgex-init/ready_to_run_wait_install.sh
 environment:
+ BAO_ADDR: http://edgex-secret-store:8200
 CLIENTS_CORE_COMMAND_HOST: core-command.edgex.ziti
 CLIENTS_CORE_COMMAND_PORT: "80"
 CLIENTS_CORE_COMMAND_SECURITYOPTIONS_MODE: zerotrust
@@ -1075,7 +1138,7 @@ services:
 CLIENTS_SUPPORT_SCHEDULER_SECURITYOPTIONS_MODE: zerotrust
 EDGEX_SECURITY_SECRET_STORE: "true"
 PROXY_SETUP_HOST: edgex-security-proxy-setup
- SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_HOST: edgex-secret-store
 SERVICE_HOST: edgex-ui-go
 STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
 STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
@@ -1090,7 +1153,6 @@ services:
 STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
 STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
 STAGEGATE_WAITFOR_TIMEOUT: 60s
- VAULT_ADDR: http://edgex-vault:8200
 hostname: edgex-ui-go
 image: nexus3.edgexfoundry.org:10004/edgex-ui:latest
 networks:
@@ -1123,69 +1185,6 @@ services:
 bind:
 selinux: z
 create_host_path: true
- vault:
- command:
- server
- container_name: edgex-vault
- depends_on:
- security-bootstrapper:
- condition: service_started
- required: true
- deploy:
- resources:
- limits:
- memory: "4190239719424"
- entrypoint:
- /edgex-init/vault_wait_install.sh
- environment:
- PROXY_SETUP_HOST: edgex-security-proxy-setup
- SKIP_SETCAP: "true"
- STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
- STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
- STAGEGATE_DATABASE_HOST: edgex-redis
- STAGEGATE_DATABASE_PORT: "6379"
- STAGEGATE_DATABASE_READYPORT: "6379"
- STAGEGATE_PROXYSETUP_READYPORT: "54325"
- STAGEGATE_READY_TORUNPORT: "54329"
- STAGEGATE_REGISTRY_HOST: edgex-core-consul
- STAGEGATE_REGISTRY_PORT: "8500"
- STAGEGATE_REGISTRY_READYPORT: "54324"
- STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
- STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
- STAGEGATE_WAITFOR_TIMEOUT: 60s
- VAULT_ADDR: http://edgex-vault:8200
- VAULT_CONFIG_DIR: /vault/config
- VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n"
- VAULT_UI: "true"
- hostname: edgex-vault
- image: hashicorp/vault:1.14
- memswap_limit: "4190239719424"
- networks:
- edgex-network: null
- ports:
- - mode: ingress
- host_ip: 127.0.0.1
- target: 8200
- published: "8200"
- protocol: tcp
- restart: always
- tmpfs:
- /vault/config
- user: root:root
- volumes:
- - type: volume
- source: edgex-init
- target: /edgex-init
- read_only: true
- volume: {}
- - type: volume
- source: vault-file
- target: /vault/file
- volume: {}
- - type: volume
- source: vault-logs
- target: /vault/logs
- volume: {}
 networks:
 edgex-network:
 name: edgex_edgex-network
@@ -1215,9 +1214,9 @@ volumes: name: edgex_kuiper-sources redis-config: name: edgex_redis-config - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs diff --git a/docker-compose.yml b/docker-compose.yml index 54e673c4..0e41e130 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-rules-engine: @@ -52,7 +52,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -111,10 +111,10 @@ services: - 0.0.0.0 container_name: edgex-core-consul depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true entrypoint: @@ -125,7 +125,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -213,7 +213,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -291,7 +291,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -360,7 +360,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -434,7 +434,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -499,7 +499,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -578,7 +578,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -654,7 +654,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -856,6 +856,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: edgex-security-bootstrapper 
environment: @@ -915,7 +977,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -978,7 +1040,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-rest.http://edgex-device-rest:59986 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1014,8 +1076,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1040,10 +1102,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1053,7 +1115,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: redis STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1078,7 +1140,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1093,8 +1155,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
@@ -1138,7 +1200,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1217,7 +1279,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1292,69 +1354,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: "8500" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -1388,9 +1387,9 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs diff --git a/taf/docker-compose-taf-arm64.yml b/taf/docker-compose-taf-arm64.yml index 00e1caad..f826e34b 100644 --- a/taf/docker-compose-taf-arm64.yml +++ b/taf/docker-compose-taf-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: @@ -55,7 +55,7 @@ services: EDGEX_PROFILE: external-mqtt-trigger EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-external-mqtt-trigger STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -133,7 +133,7 @@ services: EDGEX_PROFILE: functional-tests EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-functional-tests STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -208,7 +208,7 @@ services: EDGEX_PROFILE: http-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-http-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -284,7 +284,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -361,7 +361,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -438,7 +438,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -514,7 +514,7 @@ services: EDGEX_SERVICE_KEY: app-scalability-test-mqtt-export MESSAGEBUS_OPTIONAL_CLIENTID: app-scalability-test-mqtt-export PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-scalability-test-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -575,10 +575,10 @@ services: - 0.0.0.0 container_name: edgex-core-consul depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true entrypoint: 
@@ -589,7 +589,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -677,7 +677,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -755,7 +755,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -824,7 +824,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -898,7 +898,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -963,7 +963,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1046,7 +1046,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-modbus STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1128,7 +1128,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-onvif-camera STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1204,7 +1204,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1281,7 +1281,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1362,7 +1362,7 @@ services: MESSAGEBUS_SECRETNAME: redisdb MESSAGEBUS_TYPE: redis PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-keeper STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1633,6 +1633,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -1692,7 +1754,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1755,7 +1817,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1791,8 +1853,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1817,10 +1879,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1830,7 +1892,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: redis STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1855,7 +1917,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1870,8 +1932,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
@@ -1908,7 +1970,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1976,7 +2038,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2046,7 +2108,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2101,7 +2163,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2186,7 +2248,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2265,7 +2327,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2340,69 +2402,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: "8500" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -2436,15 +2435,15 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf-keeper-arm64.yml b/taf/docker-compose-taf-keeper-arm64.yml index c322fa21..c97ea20a 100644 --- a/taf/docker-compose-taf-keeper-arm64.yml +++ b/taf/docker-compose-taf-keeper-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: @@ -55,7 +55,7 @@ services: EDGEX_PROFILE: external-mqtt-trigger EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-external-mqtt-trigger STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -133,7 +133,7 @@ services: EDGEX_PROFILE: functional-tests EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-functional-tests STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -208,7 +208,7 @@ services: EDGEX_PROFILE: http-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-http-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -284,7 +284,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -361,7 +361,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -438,7 +438,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -514,7 +514,7 @@ services: EDGEX_SERVICE_KEY: app-scalability-test-mqtt-export MESSAGEBUS_OPTIONAL_CLIENTID: app-scalability-test-mqtt-export PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-scalability-test-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -596,7 +596,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -674,7 +674,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -743,7 +743,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -817,7 +817,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -882,7 +882,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -965,7 +965,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-modbus STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1047,7 +1047,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-onvif-camera STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1123,7 +1123,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1200,7 +1200,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1281,7 +1281,7 @@ services: MESSAGEBUS_SECRETNAME: redisdb MESSAGEBUS_TYPE: redis PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-keeper STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1552,6 +1552,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-keeper + STAGEGATE_REGISTRY_PORT: "59890" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -1611,7 +1673,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1674,7 +1736,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1710,8 +1772,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1736,10 +1798,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1749,7 +1811,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: redis STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1774,7 +1836,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1789,8 +1851,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
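Review bot: The memory ceiling on the new `secret-store` service, `memory: "5705444622336"` and `memswap_limit: "5705444622336"`, is roughly 5.2 TiB, so it never constrains the container on any real host; the figure looks like the build machine's MemTotal (which /proc/meminfo reports in kB) suffixed with `m`, inflating it 1024-fold, and the fact that it differs from the `4190239719424` in the removed vault block shows it is whichever host ran the generator. That matters because the listener config sets `disable_mlock = true`, and an equal memory/memswap pair is the usual substitute for keeping unseal material and tokens out of swap; an unreachable limit gives no such guarantee, at least on cgroup v1 hosts. Prefer a fixed, reviewed limit in the compose-builder source that renders this file (for example `memory: "1024m"` with `memswap_limit` set to the same value), or correct the generator's unit conversion, rather than committing a per-host number into a generated file. The same value is emitted for the other generated compose files in this commit.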
@@ -1827,7 +1889,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1895,7 +1957,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1965,7 +2027,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2020,7 +2082,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2105,7 +2167,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2184,7 +2246,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2259,69 +2321,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-keeper - STAGEGATE_REGISTRY_PORT: "59890" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -2351,15 +2350,15 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf-keeper.yml b/taf/docker-compose-taf-keeper.yml index c5d26a45..500bc641 100644 --- a/taf/docker-compose-taf-keeper.yml +++ b/taf/docker-compose-taf-keeper.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: @@ -55,7 +55,7 @@ services: EDGEX_PROFILE: external-mqtt-trigger EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-external-mqtt-trigger STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -133,7 +133,7 @@ services: EDGEX_PROFILE: functional-tests EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-functional-tests STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -208,7 +208,7 @@ services: EDGEX_PROFILE: http-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-http-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -284,7 +284,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -361,7 +361,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -438,7 +438,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -514,7 +514,7 @@ services: EDGEX_SERVICE_KEY: app-scalability-test-mqtt-export MESSAGEBUS_OPTIONAL_CLIENTID: app-scalability-test-mqtt-export PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-scalability-test-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -596,7 +596,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -674,7 +674,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -743,7 +743,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -817,7 +817,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -882,7 +882,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -965,7 +965,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-modbus STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1047,7 +1047,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-onvif-camera STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1123,7 +1123,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1200,7 +1200,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1281,7 +1281,7 @@ services: MESSAGEBUS_SECRETNAME: redisdb MESSAGEBUS_TYPE: redis PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-keeper STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1552,6 +1552,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-keeper + STAGEGATE_REGISTRY_PORT: "59890" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -1611,7 +1673,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1674,7 +1736,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1710,8 +1772,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1736,10 +1798,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1749,7 +1811,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: redis STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1774,7 +1836,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1789,8 +1851,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
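Review bot: `image: openbao/openbao:2.0` pins the secret store — the component that issues the tokens every other service in this file trusts — to a floating minor tag that the registry can repoint to any later 2.0.x build, so the trust root of the deployment can change underneath it without a diff here; the removed `hashicorp/vault:1.14` had the same weakness, and the migration is the natural point to close it. Pin to the exact patch release and preferably a digest, e.g. `image: openbao/openbao:2.0.<patch>@sha256:<digest>`, and bump it deliberately. Because this file is regenerated by `make build`, the pin belongs in the compose-builder `.env`/source variable the generated file is rendered from, not in this file directly.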
@@ -1827,7 +1889,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1895,7 +1957,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1965,7 +2027,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2020,7 +2082,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2105,7 +2167,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2184,7 +2246,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2259,69 +2321,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-keeper - STAGEGATE_REGISTRY_PORT: "59890" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -2351,15 +2350,15 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf-mqtt-bus-arm64.yml b/taf/docker-compose-taf-mqtt-bus-arm64.yml index 1ca2dce6..d4705127 100644 --- a/taf/docker-compose-taf-mqtt-bus-arm64.yml +++ b/taf/docker-compose-taf-mqtt-bus-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: @@ -55,7 +55,7 @@ services: EDGEX_PROFILE: external-mqtt-trigger EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-external-mqtt-trigger STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -133,7 +133,7 @@ services: EDGEX_PROFILE: functional-tests EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-functional-tests STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -208,7 +208,7 @@ services: EDGEX_PROFILE: http-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-http-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -284,7 +284,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -361,7 +361,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -438,7 +438,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -514,7 +514,7 @@ services: EDGEX_SERVICE_KEY: app-scalability-test-mqtt-export MESSAGEBUS_OPTIONAL_CLIENTID: app-scalability-test-mqtt-export PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-scalability-test-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -577,10 +577,10 @@ services: - 0.0.0.0 container_name: edgex-core-consul depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true entrypoint: @@ -591,7 +591,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -679,7 +679,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -762,7 +762,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -831,7 +831,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -905,7 +905,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -970,7 +970,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1053,7 +1053,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-modbus STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1135,7 +1135,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-onvif-camera STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1211,7 +1211,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1288,7 +1288,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1369,7 +1369,7 @@ services: MESSAGEBUS_SECRETNAME: redisdb MESSAGEBUS_TYPE: redis PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-keeper STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1467,7 +1467,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" ENTRYPOINT: /docker-entrypoint.sh /usr/sbin/mosquitto -v -c /mosquitto/config/mosquitto.conf PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -1698,6 +1698,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -1757,7 +1819,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1820,7 +1882,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1856,8 +1918,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1882,10 +1944,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1895,7 +1957,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: mqtt STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1920,7 +1982,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1935,8 +1997,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
@@ -1973,7 +2035,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -2041,7 +2103,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2111,7 +2173,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2166,7 +2228,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2251,7 +2313,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2330,7 +2392,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2405,69 +2467,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: "8500" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -2503,15 +2502,15 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf-mqtt-bus-keeper-arm64.yml b/taf/docker-compose-taf-mqtt-bus-keeper-arm64.yml index 15844d12..0b3c2b63 100644 --- a/taf/docker-compose-taf-mqtt-bus-keeper-arm64.yml +++ b/taf/docker-compose-taf-mqtt-bus-keeper-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: @@ -55,7 +55,7 @@ services: EDGEX_PROFILE: external-mqtt-trigger EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-external-mqtt-trigger STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -133,7 +133,7 @@ services: EDGEX_PROFILE: functional-tests EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-functional-tests STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -208,7 +208,7 @@ services: EDGEX_PROFILE: http-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-http-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -284,7 +284,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -361,7 +361,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -438,7 +438,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -514,7 +514,7 @@ services: EDGEX_SERVICE_KEY: app-scalability-test-mqtt-export MESSAGEBUS_OPTIONAL_CLIENTID: app-scalability-test-mqtt-export PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-scalability-test-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -598,7 +598,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -681,7 +681,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -750,7 +750,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -824,7 +824,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -889,7 +889,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -972,7 +972,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-modbus STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1054,7 +1054,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-onvif-camera STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1130,7 +1130,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1207,7 +1207,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1288,7 +1288,7 @@ services: MESSAGEBUS_SECRETNAME: message-bus MESSAGEBUS_TYPE: mqtt PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-keeper STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1386,7 +1386,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" ENTRYPOINT: /docker-entrypoint.sh /usr/sbin/mosquitto -v -c /mosquitto/config/mosquitto.conf PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -1617,6 +1617,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-keeper + STAGEGATE_REGISTRY_PORT: "59890" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -1676,7 +1738,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1739,7 +1801,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1775,8 +1837,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1801,10 +1863,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1814,7 +1876,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: mqtt STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1839,7 +1901,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1854,8 +1916,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
@@ -1892,7 +1954,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1960,7 +2022,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2030,7 +2092,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2085,7 +2147,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2170,7 +2232,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2249,7 +2311,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2324,69 +2386,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-keeper - STAGEGATE_REGISTRY_PORT: "59890" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -2418,15 +2417,15 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf-mqtt-bus-keeper-postgres-arm64.yml b/taf/docker-compose-taf-mqtt-bus-keeper-postgres-arm64.yml index c9101590..30ffa238 100644 --- a/taf/docker-compose-taf-mqtt-bus-keeper-postgres-arm64.yml +++ b/taf/docker-compose-taf-mqtt-bus-keeper-postgres-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: @@ -55,7 +55,7 @@ services: EDGEX_PROFILE: external-mqtt-trigger EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-external-mqtt-trigger STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -133,7 +133,7 @@ services: EDGEX_PROFILE: functional-tests EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-functional-tests STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -208,7 +208,7 @@ services: EDGEX_PROFILE: http-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-http-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -284,7 +284,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -361,7 +361,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -438,7 +438,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -514,7 +514,7 @@ services: EDGEX_SERVICE_KEY: app-scalability-test-mqtt-export MESSAGEBUS_OPTIONAL_CLIENTID: app-scalability-test-mqtt-export PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-scalability-test-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -598,7 +598,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -686,7 +686,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres @@ -757,7 +757,7 @@ services: DATABASE_TYPE: postgres EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -833,7 +833,7 @@ services: DATABASE_TYPE: postgres EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -900,7 +900,7 @@ services: POSTGRES_DB: edgex_db POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres 
@@ -979,7 +979,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-modbus STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1061,7 +1061,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-onvif-camera STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1137,7 +1137,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1214,7 +1214,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1295,7 +1295,7 @@ services: MESSAGEBUS_SECRETNAME: message-bus MESSAGEBUS_TYPE: mqtt PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-keeper STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1393,7 +1393,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" ENTRYPOINT: /docker-entrypoint.sh /usr/sbin/mosquitto -v -c /mosquitto/config/mosquitto.conf PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres 
@@ -1620,6 +1620,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-postgres + STAGEGATE_DATABASE_PORT: "5432" + STAGEGATE_DATABASE_READYPORT: "5432" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-keeper + STAGEGATE_REGISTRY_PORT: "59890" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -1683,7 +1745,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1746,7 +1808,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres @@ -1782,8 +1844,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1808,10 +1870,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1824,7 +1886,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: mqtt STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1849,7 +1911,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1864,8 +1926,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
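Review bot: The `memory: "5705444622336"` and matching `memswap_limit` on the new `secret-store` service are far beyond any real host (roughly 5 TiB) and differ from the removed `vault` block's `4190239719424`, which suggests the value is the regenerating machine's RAM baked into the committed file rather than a deliberate ceiling, so the limit is effectively inert and drifts with whoever runs the build. If a real cap on the secret store is intended, set a fixed value (or a documented variable) at the generator rather than in this output; the same values appear in the two taf compose copies of this hunk. Separately, the removed block's `VAULT_UI: "true"` has no `BAO_UI` counterpart, so the web UI is now off — good for attack surface, but worth a line in the description if intentional. The entrypoint `/edgex-init/secretstore_wait_install.sh` must be provided by whatever populates the `edgex-init` volume; that is not visible in this diff, so confirm it was renamed alongside `vault_wait_install.sh` or the container will fail at start.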
@@ -1902,7 +1964,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1970,7 +2032,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres @@ -2040,7 +2102,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres @@ -2095,7 +2157,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres @@ -2180,7 +2242,7 @@ services: DATABASE_HOST: edgex-postgres EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-cron-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2259,7 +2321,7 @@ services: DATABASE_TYPE: postgres EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2334,69 +2396,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-postgres - STAGEGATE_DATABASE_PORT: "5432" - STAGEGATE_DATABASE_READYPORT: "5432" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-keeper - STAGEGATE_REGISTRY_PORT: "59890" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -2426,15 +2425,15 @@ volumes: name: edgex_nginx-tls postgres-data: name: edgex_postgres-data + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf-mqtt-bus-keeper-postgres.yml b/taf/docker-compose-taf-mqtt-bus-keeper-postgres.yml index b965ab7c..28c4e412 100644 --- a/taf/docker-compose-taf-mqtt-bus-keeper-postgres.yml +++ b/taf/docker-compose-taf-mqtt-bus-keeper-postgres.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: @@ -55,7 +55,7 @@ services: EDGEX_PROFILE: external-mqtt-trigger EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-external-mqtt-trigger STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -133,7 +133,7 @@ services: EDGEX_PROFILE: functional-tests EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-functional-tests STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -208,7 +208,7 @@ services: EDGEX_PROFILE: http-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-http-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -284,7 +284,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -361,7 +361,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -438,7 +438,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -514,7 +514,7 @@ services: EDGEX_SERVICE_KEY: app-scalability-test-mqtt-export MESSAGEBUS_OPTIONAL_CLIENTID: app-scalability-test-mqtt-export PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-scalability-test-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -598,7 +598,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -686,7 +686,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres @@ -757,7 +757,7 @@ services: DATABASE_TYPE: postgres EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -833,7 +833,7 @@ services: DATABASE_TYPE: postgres EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -900,7 +900,7 @@ services: POSTGRES_DB: edgex_db POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres 
@@ -979,7 +979,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-modbus STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1061,7 +1061,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-onvif-camera STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1137,7 +1137,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1214,7 +1214,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1295,7 +1295,7 @@ services: MESSAGEBUS_SECRETNAME: message-bus MESSAGEBUS_TYPE: mqtt PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-keeper STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1393,7 +1393,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" ENTRYPOINT: /docker-entrypoint.sh /usr/sbin/mosquitto -v -c /mosquitto/config/mosquitto.conf PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres 
@@ -1620,6 +1620,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-postgres + STAGEGATE_DATABASE_PORT: "5432" + STAGEGATE_DATABASE_READYPORT: "5432" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-keeper + STAGEGATE_REGISTRY_PORT: "59890" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -1683,7 +1745,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1746,7 +1808,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres @@ -1782,8 +1844,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1808,10 +1870,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1824,7 +1886,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: mqtt STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1849,7 +1911,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1864,8 +1926,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
@@ -1902,7 +1964,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1970,7 +2032,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres @@ -2040,7 +2102,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres @@ -2095,7 +2157,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-postgres @@ -2180,7 +2242,7 @@ services: DATABASE_HOST: edgex-postgres EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-cron-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2259,7 +2321,7 @@ services: DATABASE_TYPE: postgres EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2334,69 +2396,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-postgres - STAGEGATE_DATABASE_PORT: "5432" - STAGEGATE_DATABASE_READYPORT: "5432" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-keeper - STAGEGATE_REGISTRY_PORT: "59890" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -2426,15 +2425,15 @@ volumes: name: edgex_nginx-tls postgres-data: name: edgex_postgres-data + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf-mqtt-bus-keeper.yml b/taf/docker-compose-taf-mqtt-bus-keeper.yml index 2db657ca..e54192ab 100644 --- a/taf/docker-compose-taf-mqtt-bus-keeper.yml +++ b/taf/docker-compose-taf-mqtt-bus-keeper.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: @@ -55,7 +55,7 @@ services: EDGEX_PROFILE: external-mqtt-trigger EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-external-mqtt-trigger STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -133,7 +133,7 @@ services: EDGEX_PROFILE: functional-tests EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-functional-tests STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -208,7 +208,7 @@ services: EDGEX_PROFILE: http-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-http-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -284,7 +284,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -361,7 +361,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -438,7 +438,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -514,7 +514,7 @@ services: EDGEX_SERVICE_KEY: app-scalability-test-mqtt-export MESSAGEBUS_OPTIONAL_CLIENTID: app-scalability-test-mqtt-export PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-scalability-test-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -598,7 +598,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -681,7 +681,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -750,7 +750,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -824,7 +824,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -889,7 +889,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -972,7 +972,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-modbus STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1054,7 +1054,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-onvif-camera STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1130,7 +1130,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1207,7 +1207,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1288,7 +1288,7 @@ services: MESSAGEBUS_SECRETNAME: message-bus MESSAGEBUS_TYPE: mqtt PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-keeper STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1386,7 +1386,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" ENTRYPOINT: /docker-entrypoint.sh /usr/sbin/mosquitto -v -c /mosquitto/config/mosquitto.conf PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -1617,6 +1617,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-keeper + STAGEGATE_REGISTRY_PORT: "59890" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -1676,7 +1738,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1739,7 +1801,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1775,8 +1837,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1801,10 +1863,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1814,7 +1876,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: mqtt STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1839,7 +1901,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1854,8 +1916,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
@@ -1892,7 +1954,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1960,7 +2022,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2030,7 +2092,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2085,7 +2147,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2170,7 +2232,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2249,7 +2311,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2324,69 +2386,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-keeper - STAGEGATE_REGISTRY_PORT: "59890" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -2418,15 +2417,15 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf-mqtt-bus.yml b/taf/docker-compose-taf-mqtt-bus.yml index abf41d46..c1a6ffcc 100644 --- a/taf/docker-compose-taf-mqtt-bus.yml +++ b/taf/docker-compose-taf-mqtt-bus.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: @@ -55,7 +55,7 @@ services: EDGEX_PROFILE: external-mqtt-trigger EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-external-mqtt-trigger STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -133,7 +133,7 @@ services: EDGEX_PROFILE: functional-tests EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-functional-tests STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -208,7 +208,7 @@ services: EDGEX_PROFILE: http-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-http-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -284,7 +284,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -361,7 +361,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -438,7 +438,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -514,7 +514,7 @@ services: EDGEX_SERVICE_KEY: app-scalability-test-mqtt-export MESSAGEBUS_OPTIONAL_CLIENTID: app-scalability-test-mqtt-export PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-scalability-test-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -577,10 +577,10 @@ services: - 0.0.0.0 container_name: edgex-core-consul depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true entrypoint: @@ -591,7 +591,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -679,7 +679,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -762,7 +762,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -831,7 +831,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -905,7 +905,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -970,7 +970,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1053,7 +1053,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-modbus STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1135,7 +1135,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-onvif-camera STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1211,7 +1211,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1288,7 +1288,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1369,7 +1369,7 @@ services: MESSAGEBUS_SECRETNAME: redisdb MESSAGEBUS_TYPE: redis PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-keeper STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1467,7 +1467,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" ENTRYPOINT: /docker-entrypoint.sh /usr/sbin/mosquitto -v -c /mosquitto/config/mosquitto.conf PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis 
@@ -1698,6 +1698,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -1757,7 +1819,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1820,7 +1882,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1856,8 +1918,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1882,10 +1944,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1895,7 +1957,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: mqtt STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1920,7 +1982,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1935,8 +1997,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
@@ -1973,7 +2035,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -2041,7 +2103,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2111,7 +2173,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2166,7 +2228,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2251,7 +2313,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2330,7 +2392,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2405,69 +2467,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: "8500" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -2503,15 +2502,15 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf-no-secty-arm64.yml b/taf/docker-compose-taf-no-secty-arm64.yml index 16070321..e580623d 100644 --- a/taf/docker-compose-taf-no-secty-arm64.yml +++ b/taf/docker-compose-taf-no-secty-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: diff --git a/taf/docker-compose-taf-no-secty-keeper-arm64.yml b/taf/docker-compose-taf-no-secty-keeper-arm64.yml index 7ff543dd..a9ef361c 100644 --- a/taf/docker-compose-taf-no-secty-keeper-arm64.yml +++ b/taf/docker-compose-taf-no-secty-keeper-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: diff --git a/taf/docker-compose-taf-no-secty-keeper.yml b/taf/docker-compose-taf-no-secty-keeper.yml index 7afcbbb2..11eeda9c 100644 --- a/taf/docker-compose-taf-no-secty-keeper.yml +++ b/taf/docker-compose-taf-no-secty-keeper.yml 
@@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: diff --git a/taf/docker-compose-taf-no-secty-mqtt-bus-arm64.yml b/taf/docker-compose-taf-no-secty-mqtt-bus-arm64.yml index 29d790bd..3dd47c4d 100644 --- a/taf/docker-compose-taf-no-secty-mqtt-bus-arm64.yml +++ b/taf/docker-compose-taf-no-secty-mqtt-bus-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: diff --git a/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-arm64.yml b/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-arm64.yml index cb1329c5..91de91ba 100644 --- a/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-arm64.yml +++ b/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: diff --git a/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-postgres-arm64.yml b/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-postgres-arm64.yml index 7a419be9..4aee3db2 100644 --- a/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-postgres-arm64.yml +++ b/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-postgres-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: 
diff --git a/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-postgres.yml b/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-postgres.yml index 5d2f76f3..3f60153c 100644 --- a/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-postgres.yml +++ b/taf/docker-compose-taf-no-secty-mqtt-bus-keeper-postgres.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: diff --git a/taf/docker-compose-taf-no-secty-mqtt-bus-keeper.yml b/taf/docker-compose-taf-no-secty-mqtt-bus-keeper.yml index f20239c7..68b76fdf 100644 --- a/taf/docker-compose-taf-no-secty-mqtt-bus-keeper.yml +++ b/taf/docker-compose-taf-no-secty-mqtt-bus-keeper.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: diff --git a/taf/docker-compose-taf-no-secty-mqtt-bus.yml b/taf/docker-compose-taf-no-secty-mqtt-bus.yml index 645d8308..81f1203e 100644 --- a/taf/docker-compose-taf-no-secty-mqtt-bus.yml +++ b/taf/docker-compose-taf-no-secty-mqtt-bus.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: diff --git a/taf/docker-compose-taf-no-secty.yml b/taf/docker-compose-taf-no-secty.yml index 9cd6c9ed..36d58a5e 100644 --- a/taf/docker-compose-taf-no-secty.yml +++ b/taf/docker-compose-taf-no-secty.yml 
@@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: diff --git a/taf/docker-compose-taf-perf-arm64.yml b/taf/docker-compose-taf-perf-arm64.yml index 591cfd3d..d53becba 100644 --- a/taf/docker-compose-taf-perf-arm64.yml +++ b/taf/docker-compose-taf-perf-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-mqtt-export: @@ -52,7 +52,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -129,7 +129,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -188,10 +188,10 @@ services: - 0.0.0.0 container_name: edgex-core-consul depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true entrypoint: 
@@ -202,7 +202,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -290,7 +290,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -368,7 +368,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -437,7 +437,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -511,7 +511,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -576,7 +576,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -655,7 +655,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -731,7 +731,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -975,6 +975,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: edgex-security-bootstrapper 
environment: @@ -1034,7 +1096,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1097,7 +1159,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1133,8 +1195,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1159,10 +1221,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1172,7 +1234,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: redis STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1197,7 +1259,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1212,8 +1274,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
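Review bot: The new `image: openbao/openbao:2.0` on the secret-store service is a floating minor tag, so the component every other service fetches its credentials from can silently change binaries between pulls; pinning an exact patch release with a digest (`image: openbao/openbao:2.0.<patch>@sha256:<digest>`) would make the deployment reproducible and auditable. Separately, `memory: "5705444622336"` and the matching `memswap_limit` work out to roughly 5.2 TiB, which no edge host has, so the resource limit is effectively a no-op; that looks like a unit mismatch in how the generator derives the system-memory figure rather than a typo in this file. Since this file is regenerated by `make build` (see the header comment), both fixes belong in compose-builder, not in this generated output.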
@@ -1250,7 +1312,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1318,7 +1380,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1388,7 +1450,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1443,7 +1505,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1528,7 +1590,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1607,7 +1669,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1682,69 +1744,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: "8500" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -1778,15 +1777,15 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf-perf-no-secty-arm64.yml b/taf/docker-compose-taf-perf-no-secty-arm64.yml index e3aeb478..6d664657 100644 --- a/taf/docker-compose-taf-perf-no-secty-arm64.yml +++ b/taf/docker-compose-taf-perf-no-secty-arm64.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-mqtt-export: diff --git a/taf/docker-compose-taf-perf-no-secty.yml b/taf/docker-compose-taf-perf-no-secty.yml index 8d778296..7b8a746a 100644 --- a/taf/docker-compose-taf-perf-no-secty.yml +++ b/taf/docker-compose-taf-perf-no-secty.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-mqtt-export: diff --git a/taf/docker-compose-taf-perf.yml b/taf/docker-compose-taf-perf.yml index 3b4addc0..c62b3f07 100644 --- a/taf/docker-compose-taf-perf.yml +++ b/taf/docker-compose-taf-perf.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-mqtt-export: 
@@ -52,7 +52,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -129,7 +129,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -188,10 +188,10 @@ services: - 0.0.0.0 container_name: edgex-core-consul depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true entrypoint: @@ -202,7 +202,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -290,7 +290,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -368,7 +368,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -437,7 +437,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -511,7 +511,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -576,7 +576,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -655,7 +655,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -731,7 +731,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -975,6 +975,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: edgex-security-bootstrapper 
environment: @@ -1034,7 +1096,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1097,7 +1159,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1133,8 +1195,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1159,10 +1221,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1172,7 +1234,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: redis STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1197,7 +1259,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1212,8 +1274,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
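Review bot: The secret-store listener keeps `tls_disable = "1"` and the service still publishes `8200` to `127.0.0.1` on the host, while the UI setting the old service carried is no longer set in the new block; if the loopback publish existed to reach the web UI, it can now be dropped, which removes plaintext API access to the secret store from any local host process. If it is kept for CLI or debugging access, a comment in the compose-builder source explaining why the host port is needed would help the next reviewer. `disable_mlock = true` is also carried over unchanged; worth re-confirming that is still intended for this deployment, since the listener and storage settings in `BAO_LOCAL_CONFIG` were otherwise only renamed.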
@@ -1250,7 +1312,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1318,7 +1380,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1388,7 +1450,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1443,7 +1505,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1528,7 +1590,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1607,7 +1669,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1682,69 +1744,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: "8500" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -1778,15 +1777,15 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs diff --git a/taf/docker-compose-taf.yml b/taf/docker-compose-taf.yml index 1580666c..0891ab82 100644 --- a/taf/docker-compose-taf.yml +++ b/taf/docker-compose-taf.yml @@ -24,7 +24,7 @@ # # From the compose-builder folder use `make build` to regenerate all standard compose files variations # -# Generated with: Docker Compose version v2.29.2 +# Generated with: Docker Compose version v2.29.7 name: edgex services: app-external-mqtt-trigger: @@ -55,7 +55,7 @@ services: EDGEX_PROFILE: external-mqtt-trigger EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-external-mqtt-trigger STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -133,7 +133,7 @@ services: EDGEX_PROFILE: functional-tests EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-functional-tests STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -208,7 +208,7 @@ services: EDGEX_PROFILE: http-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-http-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -284,7 +284,7 @@ services: EDGEX_PROFILE: mqtt-export EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -361,7 +361,7 @@ services: EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-rules-engine STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -438,7 +438,7 @@ services: EDGEX_PROFILE: sample EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-sample STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -514,7 +514,7 @@ services: EDGEX_SERVICE_KEY: app-scalability-test-mqtt-export MESSAGEBUS_OPTIONAL_CLIENTID: app-scalability-test-mqtt-export PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-app-scalability-test-mqtt-export STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -575,10 +575,10 @@ services: - 0.0.0.0 container_name: edgex-core-consul depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true entrypoint: 
@@ -589,7 +589,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -677,7 +677,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-command STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -755,7 +755,7 @@ services: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -824,7 +824,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-data STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -898,7 +898,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-metadata STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -963,7 +963,7 @@ services: DATABASECONFIG_PATH: /run/redis/conf EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1046,7 +1046,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-modbus STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1128,7 +1128,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-onvif-camera STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1204,7 +1204,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-rest STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1281,7 +1281,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-device-virtual STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1362,7 +1362,7 @@ services: MESSAGEBUS_SECRETNAME: redisdb MESSAGEBUS_TYPE: redis PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-core-keeper STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -1633,6 +1633,68 @@ services: target: /edgex-init read_only: true volume: {} + secret-store: + command: + - server + container_name: edgex-secret-store + depends_on: + security-bootstrapper: + condition: service_started + required: true + deploy: + resources: + limits: + memory: "5705444622336" + entrypoint: + - /edgex-init/secretstore_wait_install.sh + environment: + BAO_ADDR: http://edgex-secret-store:8200 + BAO_CONFIG_DIR: /openbao/config + BAO_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-secret-store:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-secret-store:8201\" \n} \nbackend \"file\" {\n path = \"/openbao/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SKIP_SETCAP: "true" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_PROXYSETUP_READYPORT: "54325" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-secret-store + image: openbao/openbao:2.0 + memswap_limit: "5705444622336" + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp + restart: always + tmpfs: + - /openbao/config + user: root:root + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: secret-store-file + target: /openbao/file + volume: {} + - type: volume + source: secret-store-logs + target: /openbao/logs + volume: {} security-bootstrapper: container_name: 
edgex-security-bootstrapper environment: @@ -1692,7 +1754,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1755,7 +1817,7 @@ services: EDGEX_ADD_PROXY_ROUTE: device-modbus.http://edgex-device-modbus:59901 EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -1791,8 +1853,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: volume source: nginx-templates @@ -1817,10 +1879,10 @@ services: security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - security-bootstrapper: + secret-store: condition: service_started required: true - vault: + security-bootstrapper: condition: service_started required: true environment: @@ -1830,7 +1892,7 @@ services: EDGEX_SECURITY_SECRET_STORE: "true" EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SECUREMESSAGEBUS_TYPE: redis STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1855,7 +1917,7 @@ services: - no-new-privileges:true tmpfs: - /run - - /vault + - /openbao user: root:root volumes: - type: bind @@ -1870,8 +1932,8 @@ services: read_only: true volume: {} - type: volume - source: vault-config - target: /vault/config + source: secret-store-config + target: /openbao/config volume: {} - type: bind source: /tmp/edgex/secrets 
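Review bot: In the new `secret-store` service (the hunk beginning at `@@ -1633,6 +1633,68 @@`), `memory: "5705444622336"` and `memswap_limit: "5705444622336"` are about 5.2 TiB, so the memory limit is not a real ceiling on the secret store; the only protection that survives is that the two values are equal, which is what keeps the container off swap while `BAO_LOCAL_CONFIG` sets `disable_mlock = true`. The magnitude is consistent with a host MemTotal of roughly 5.2 GiB read in kB and emitted with an `m` (MiB) suffix, and this file reads like rendered compose output, so the fix presumably belongs in whatever generates it (divide by 1024 before appending `m`, or emit the raw value with a `k` suffix) rather than in this file. Separately, the deleted `vault` block had `VAULT_UI: "true"` and the replacement sets no `BAO_UI`, so the web UI on the 127.0.0.1-published port 8200 is now off; if that is intentional it is a welcome reduction of surface and merits a one-line comment, otherwise add `BAO_UI: "true"` (assuming this OpenBao build ships a UI). The listener still carries `tls_disable = "1"` and `BAO_ADDR` is `http://`, so every token exchange with the secret store on the compose network is plaintext; at minimum a `# NOTE: plaintext listener; relies on the private edgex-network and the 127.0.0.1 port binding` comment in the generator template would make that trade-off explicit, and the new `entrypoint` `/edgex-init/secretstore_wait_install.sh` has to be shipped under that name by the security-bootstrapper image, which this diff does not show.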
@@ -1908,7 +1970,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" @@ -1976,7 +2038,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2046,7 +2108,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2101,7 +2163,7 @@ services: environment: EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis @@ -2186,7 +2248,7 @@ services: DATABASE_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2265,7 +2327,7 @@ services: INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault + SECRETSTORE_HOST: edgex-secret-store SERVICE_HOST: edgex-support-scheduler STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" 
@@ -2340,69 +2402,6 @@ services: read_only: true bind: create_host_path: true - vault: - command: - - server - container_name: edgex-vault - depends_on: - security-bootstrapper: - condition: service_started - required: true - deploy: - resources: - limits: - memory: "4190239719424" - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - PROXY_SETUP_HOST: edgex-security-proxy-setup - SKIP_SETCAP: "true" - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: "6379" - STAGEGATE_DATABASE_READYPORT: "6379" - STAGEGATE_PROXYSETUP_READYPORT: "54325" - STAGEGATE_READY_TORUNPORT: "54329" - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: "8500" - STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_LOCAL_CONFIG: "listener \"tcp\" { \n address = \"edgex-vault:8200\" \n tls_disable = \"1\" \n cluster_address = \"edgex-vault:8201\" \n} \nbackend \"file\" {\n path = \"/vault/file\"\n}\ndefault_lease_ttl = \"168h\" \nmax_lease_ttl = \"720h\"\ndisable_mlock = true\n" - VAULT_UI: "true" - hostname: edgex-vault - image: hashicorp/vault:1.14 - memswap_limit: "4190239719424" - networks: - edgex-network: null - ports: - - mode: ingress - host_ip: 127.0.0.1 - target: 8200 - published: "8200" - protocol: tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - type: volume - source: edgex-init - target: /edgex-init - read_only: true - volume: {} - - type: volume - source: vault-file - target: /vault/file - volume: {} - - type: volume - source: vault-logs - target: /vault/logs - volume: {} networks: edgex-network: name: edgex_edgex-network 
@@ -2436,15 +2435,15 @@ volumes: name: edgex_nginx-tls redis-config: name: edgex_redis-config + secret-store-config: + name: edgex_secret-store-config + secret-store-file: + name: edgex_secret-store-file + secret-store-logs: + name: edgex_secret-store-logs spire-agent: name: edgex_spire-agent spire-ca: name: edgex_spire-ca spire-server: name: edgex_spire-server - vault-config: - name: edgex_vault-config - vault-file: - name: edgex_vault-file - vault-logs: - name: edgex_vault-logs