refactor!: replace vault with openbao

compose-builder/.env

@@ -60,8 +60,8 @@ WRITABLE_INSECURESECRETS_DB_SECRETDATA_USERNAME=
 WRITABLE_INSECURESECRETS_DB_SECRETDATA_PASSWORD=
 COMMON_SEC_STAGE_GATE_FILE_NAME=common-sec-stage-gate.env
 
-# Lock on Vault 1.14 (last MPL-2.0 version)
-VAULT_VERSION=1.14
+# Lock on OpenBao 2.0 (last MPL-2.0 version)
+BAO_VERSION=2.0
 # Lock on Consul 1.16 (last MPL-2.0 version)
 CONSUL_VERSION=1.16
 # Lock on Redis 7.0 until EdgeX 4.0

compose-builder/Makefile

@@ -43,7 +43,7 @@ export USERID:=$(shell id -u)
 # Set default rootful docker socket path
 export DOCKER_SOCKET_PATH=/var/run/docker.sock
 
-# Get total system memory in megabytes for vault config
+# Get total system memory in megabytes for secret store config
 export TOTAL_SYSTEM_MEMORY:=$(shell grep MemTotal /proc/meminfo | awk '{print $$2}')m
 
 BROKER_YAML=add-mqtt-broker-mosquitto.yml

compose-builder/add-secure-consul.yml

@@ -41,4 +41,4 @@ services:
       - consul-acl-token:/tmp/edgex/secrets/consul-acl-token
     depends_on:
       - security-bootstrapper
-      - vault
+      - secret-store

compose-builder/add-security-postgres.yml

@@ -18,9 +18,9 @@
 
 volumes:
   edgex-init:
-  vault-config:
-  vault-file:
-  vault-logs:
+  secret-store-config:
+  secret-store-file:
+  secret-store-logs:
 
 services:
   security-bootstrapper:
@@ -72,24 +72,24 @@ services:
       - edgex-network
     tmpfs:
       - /run
-      - /vault
+      - /openbao
     volumes:
       # use host timezone
       - /etc/localtime:/etc/localtime:ro
       - edgex-init:/edgex-init:ro
-      - vault-config:/vault/config
+      - secret-store-config:/openbao/config
       - /tmp/edgex/secrets:/tmp/edgex/secrets:z
     depends_on:
       - security-bootstrapper
-      - vault
+      - secret-store
     security_opt:
       - no-new-privileges:true
 
-  vault:
-    image: hashicorp/vault:${VAULT_VERSION}
-    user: "root:root" # Note that Vault is run under the 'vault' user, but entry point scripts need to first run as root
-    container_name: edgex-vault
-    hostname: edgex-vault
+  secret-store:
+    image: openbao/openbao:${BAO_VERSION}
+    user: "root:root" # Note that OpenBao is run under the 'openbao' user, but entry point scripts need to first run as root
+    container_name: edgex-secret-store
+    hostname: edgex-secret-store
     networks:
       - edgex-network
     ports:
@@ -100,32 +100,31 @@ services:
           memory: "${TOTAL_SYSTEM_MEMORY}"
     memswap_limit: "${TOTAL_SYSTEM_MEMORY}"
     tmpfs:
-      - /vault/config
-    entrypoint: [ "/edgex-init/vault_wait_install.sh" ]
+      - /openbao/config
+    entrypoint: [ "/edgex-init/secretstore_wait_install.sh" ]
     env_file:
       - common-sec-stage-gate-postgres.env
     command: server
     environment:
-      VAULT_ADDR: http://edgex-vault:8200
-      VAULT_CONFIG_DIR: /vault/config
-      VAULT_UI: "true"
+      BAO_ADDR: http://edgex-secret-store:8200
+      BAO_CONFIG_DIR: /openbao/config
       SKIP_SETCAP: "true"
-      VAULT_LOCAL_CONFIG: |
+      BAO_LOCAL_CONFIG: |
         listener "tcp" { 
-          address = "edgex-vault:8200" 
+          address = "edgex-secret-store:8200" 
           tls_disable = "1" 
-          cluster_address = "edgex-vault:8201" 
+          cluster_address = "edgex-secret-store:8201" 
         } 
         backend "file" {
-          path = "/vault/file"
+          path = "/openbao/file"
         }
         default_lease_ttl = "168h" 
         max_lease_ttl = "720h"
         disable_mlock = true
     volumes:
       - edgex-init:/edgex-init:ro
-      - vault-file:/vault/file
-      - vault-logs:/vault/logs
+      - secret-store-file:/openbao/file
+      - secret-store-logs:/openbao/logs
     depends_on:
       - security-bootstrapper
     restart: always

compose-builder/add-security-proxy.yml

@@ -71,7 +71,7 @@ services:
       # use host timezone
       - /etc/localtime:/etc/localtime:ro
       - edgex-init:/edgex-init:ro
-      - vault-config:/vault/config
+      - secret-store-config:/openbao/config
       - nginx-templates:/etc/nginx/templates
       - nginx-tls:/etc/ssl/nginx
       - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z

compose-builder/add-security-zero-trust.yml

@@ -86,7 +86,7 @@ services:
       CLIENTS_SUPPORT_SCHEDULER_SECURITYOPTIONS_MODE: "zerotrust"
       CLIENTS_SUPPORT_SCHEDULER_HOST: "support-scheduler.edgex.ziti"
       CLIENTS_SUPPORT_SCHEDULER_PORT: 80
-      VAULT_ADDR: http://edgex-vault:8200
+      BAO_ADDR: http://edgex-secret-store:8200
     entrypoint:
       - /edgex-init/ready_to_run_wait_install.sh
     volumes:

compose-builder/add-security.yml

@@ -15,9 +15,9 @@
 
 volumes:
   edgex-init:
-  vault-config:
-  vault-file:
-  vault-logs:
+  secret-store-config:
+  secret-store-file:
+  secret-store-logs:
   # non-shared volumes
   redis-config:
 
@@ -82,24 +82,24 @@ services:
       - edgex-network
     tmpfs:
       - /run
-      - /vault
+      - /openbao
     volumes:
       # use host timezone
       - /etc/localtime:/etc/localtime:ro
       - edgex-init:/edgex-init:ro
-      - vault-config:/vault/config
+      - secret-store-config:/openbao/config
       - /tmp/edgex/secrets:/tmp/edgex/secrets:z
     depends_on:
       - security-bootstrapper
-      - vault
+      - secret-store
     security_opt:
       - no-new-privileges:true
 
-  vault:
-    image: hashicorp/vault:${VAULT_VERSION}
-    user: "root:root" # Note that Vault is run under the 'vault' user, but entry point scripts need to first run as root
-    container_name: edgex-vault
-    hostname: edgex-vault
+  secret-store:
+    image: openbao/openbao:${BAO_VERSION}
+    user: "root:root" # Note that OpenBao is run under the 'openbao' user, but entry point scripts need to first run as root
+    container_name: edgex-secret-store
+    hostname: edgex-secret-store
     networks:
       - edgex-network
     ports:
@@ -110,32 +110,31 @@ services:
           memory: "${TOTAL_SYSTEM_MEMORY}"
     memswap_limit: "${TOTAL_SYSTEM_MEMORY}"
     tmpfs:
-      - /vault/config
-    entrypoint: [ "/edgex-init/vault_wait_install.sh" ]
+      - /openbao/config
+    entrypoint: [ "/edgex-init/secretstore_wait_install.sh" ]
     env_file:
       - common-sec-stage-gate.env
     command: server
     environment:
-      VAULT_ADDR: http://edgex-vault:8200
-      VAULT_CONFIG_DIR: /vault/config
-      VAULT_UI: "true"
+      BAO_ADDR: http://edgex-secret-store:8200
+      BAO_CONFIG_DIR: /openbao/config
       SKIP_SETCAP: "true"
-      VAULT_LOCAL_CONFIG: |
+      BAO_LOCAL_CONFIG: |
         listener "tcp" { 
-          address = "edgex-vault:8200" 
+          address = "edgex-secret-store:8200" 
           tls_disable = "1" 
-          cluster_address = "edgex-vault:8201" 
+          cluster_address = "edgex-secret-store:8201" 
         } 
         backend "file" {
-          path = "/vault/file"
+          path = "/openbao/file"
         }
         default_lease_ttl = "168h" 
         max_lease_ttl = "720h"
         disable_mlock = true
     volumes:
       - edgex-init:/edgex-init:ro
-      - vault-file:/vault/file
-      - vault-logs:/vault/logs
+      - secret-store-file:/openbao/file
+      - secret-store-logs:/openbao/logs
     depends_on:
       - security-bootstrapper
     restart: always

compose-builder/common-security.env

@@ -17,4 +17,4 @@
 #
 
 EDGEX_SECURITY_SECRET_STORE=true
-SECRETSTORE_HOST=edgex-vault
+SECRETSTORE_HOST=edgex-secret-store

compose-builder/get-api-gateway-token.sh

@@ -20,11 +20,11 @@ docker exec -ti edgex-security-proxy-setup ./secrets-config proxy deluser --user
 
 # Create new user, log in, and exchange for JWT
 password=$(docker exec -ti edgex-security-proxy-setup ./secrets-config proxy adduser --user "${username}" --useRootToken | jq -r '.password')
-vault_token=$(curl -ks "http://localhost:8200/v1/auth/userpass/login/${username}" -d "{\"password\":\"${password}\"}" | jq -r '.auth.client_token')
-id_token=$(curl -ks -H "Authorization: Bearer ${vault_token}" "http://localhost:8200/v1/identity/oidc/token/${username}" | jq -r '.data.token')
+secret_store_token=$(curl -ks "http://localhost:8200/v1/auth/userpass/login/${username}" -d "{\"password\":\"${password}\"}" | jq -r '.auth.client_token')
+id_token=$(curl -ks -H "Authorization: Bearer ${secret_store_token}" "http://localhost:8200/v1/identity/oidc/token/${username}" | jq -r '.data.token')
 
 # Check that we got sane output from the previous commands before coughing up the token
-introspect_result=$(curl -ks -H "Authorization: Bearer ${vault_token}" "http://localhost:8200/v1/identity/oidc/introspect" -d "{\"token\":\"${id_token}\"}" | jq -r '.active')
+introspect_result=$(curl -ks -H "Authorization: Bearer ${secret_store_token}" "http://localhost:8200/v1/identity/oidc/introspect" -d "{\"token\":\"${id_token}\"}" | jq -r '.active')
 if [ "${introspect_result}" = "true" ]; then
 	echo "${id_token}"
 	exit 0