From 489e95e345b5c0846d59077d8211e242c832d104 Mon Sep 17 00:00:00 2001
From: Jim Wang
Date: Fri, 2 Jun 2023 10:33:16 -0700
Subject: [PATCH 1/4] feat: Update latest images tags to 3.0.0

Update docker-compose examples to use image tags 3.0.0 instead of latest
Closes: #228
Signed-off-by: Jim Wang
---
 deployment/helm/README.md | 2 +-
 .../local/docker-compose.original | 1227 -----------
 .../spiffe_and_ssh/local/docker-compose.yml | 1817 +++++++++--------
 .../remote/docker-compose.original | 1227 -----------
 .../spiffe_and_ssh/remote/docker-compose.yml | 8 +-
 .../remote/remote-spire-agent/Dockerfile | 8 +-
 6 files changed, 1011 insertions(+), 3278 deletions(-)
 delete mode 100644 security/remote_devices/spiffe_and_ssh/local/docker-compose.original
 delete mode 100644 security/remote_devices/spiffe_and_ssh/remote/docker-compose.original
diff --git a/deployment/helm/README.md b/deployment/helm/README.md
index 4d6906b9..d079072b 100644
--- a/deployment/helm/README.md
+++ b/deployment/helm/README.md
@@ -229,7 +229,7 @@ spec:
 automountServiceAccountToken: false
 containers:
 - name: security-proxy-setup
- image: nexus3.edgexfoundry.org:10004/security-proxy-setup:latest
+ image: nexus3.edgexfoundry.org:10004/security-proxy-setup:3.0.0
 imagePullPolicy: Always
 command: ["/edgex-init/ready_to_run_wait_install.sh"]
 args: ["/edgex/secrets-config", "proxy", "adduser", "--user", "edgexuser", "--useRootToken"]
diff --git a/security/remote_devices/spiffe_and_ssh/local/docker-compose.original b/security/remote_devices/spiffe_and_ssh/local/docker-compose.original
deleted file mode 100644
index 4189b8ce..00000000
--- a/security/remote_devices/spiffe_and_ssh/local/docker-compose.original
+++ /dev/null
@@ -1,1227 +0,0 @@ -networks: - edgex-network: - driver: bridge -services: - app-service-rules: - command: /app-service-configurable -cp=consul.http://edgex-core-consul:8500 --registry - --confdir=/res - container_name: edgex-app-rules-engine - depends_on: - - consul - - data - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_PROFILE: rules-engine - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-app-rules-engine - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST: edgex-redis - TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-redis - hostname: edgex-app-rules-engine - image: 
nexus3.edgexfoundry.org:10004/app-service-configurable:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59701:59701/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/app-rules-engine:/tmp/edgex/secrets/app-rules-engine:ro,z - command: - command: /core-command -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-core-command - depends_on: - - consul - - database - - metadata - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-core-command - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - 
STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-core-command - image: nexus3.edgexfoundry.org:10004/core-command:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59882:59882/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/core-command:/tmp/edgex/secrets/core-command:ro,z - consul: - command: agent -ui -bootstrap -server -client 0.0.0.0 - container_name: edgex-core-consul - depends_on: - - security-bootstrapper - - vault - entrypoint: - - /edgex-init/consul_wait_install.sh - environment: - ADD_REGISTRY_ACL_ROLES: '' - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_GROUP: '2001' - EDGEX_SECURITY_SECRET_STORE: "true" - EDGEX_USER: '2002' - PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json - STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: /consul/config/consul_acl_done - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-core-consul - image: consul:1.10.10 
- networks: - edgex-network: {} - ports: - - 127.0.0.1:8500:8500/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: root:root - volumes: - - consul-config:/consul/config:z - - consul-data:/consul/data:z - - edgex-init:/edgex-init:ro,z - - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:z - - /tmp/edgex/secrets/edgex-consul:/tmp/edgex/secrets/edgex-consul:ro,z - data: - command: /core-data -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-core-data - depends_on: - - consul - - database - - metadata - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - MESSAGEQUEUE_HOST: edgex-redis - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/core-data/secrets-token.json - SERVICE_HOST: edgex-core-data - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: 
'8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-core-data - image: nexus3.edgexfoundry.org:10004/core-data:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:5563:5563/tcp - - 127.0.0.1:59880:59880/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/core-data:/tmp/edgex/secrets/core-data:ro,z - database: - container_name: edgex-redis - depends_on: - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/redis_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASECONFIG_NAME: redis.conf - DATABASECONFIG_PATH: /run/redis/conf - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - 
STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-redis - image: redis:6.2.6-alpine - networks: - edgex-network: {} - ports: - - 127.0.0.1:6379:6379/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - user: root:root - volumes: - - db-data:/data:z - - edgex-init:/edgex-init:ro,z - - redis-config:/run/redis/conf:z - - /tmp/edgex/secrets/security-bootstrapper-redis:/tmp/edgex/secrets/security-bootstrapper-redis:ro,z - device-virtual: - command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-device-virtual - depends_on: - - consul - - data - - metadata - - security-bootstrapper - - security-spiffe-token-provider - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - MESSAGEQUEUE_HOST: edgex-redis - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SECRETSTORE_RUNTIMETOKENPROVIDER_ENABLED: "true" - SECRETSTORE_RUNTIMETOKENPROVIDER_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider - SECRETSTORE_RUNTIMETOKENPROVIDER_PORT: 59841 - SECRETSTORE_RUNTIMETOKENPROVIDER_PROTOCOL: https - SECRETSTORE_RUNTIMETOKENPROVIDER_REQUIREDSECRETS: redisdb - SECRETSTORE_RUNTIMETOKENPROVIDER_TRUSTDOMAIN: edgexfoundry.org - 
SERVICE_HOST: edgex-device-virtual - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-device-virtual - image: nexus3.edgexfoundry.org:10004/device-virtual:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59900:59900/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual:ro,z - - /tmp/edgex/secrets/spiffe/public:/tmp/edgex/secrets/spiffe/public:ro,z - kong: - container_name: edgex-kong - depends_on: - - kong-db - - security-bootstrapper - entrypoint: - - /edgex-init/kong_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - KONG_ADMIN_ACCESS_LOG: /dev/stdout - KONG_ADMIN_ERROR_LOG: /dev/stderr - KONG_ADMIN_LISTEN: 127.0.0.1:8001, 127.0.0.1:8444 ssl - KONG_DATABASE: postgres - KONG_DNS_ORDER: LAST,A,CNAME - KONG_DNS_VALID_TTL: '1' - KONG_NGINX_WORKER_PROCESSES: '1' - KONG_PG_HOST: edgex-kong-db - KONG_PG_PASSWORD_FILE: /tmp/postgres-config/.pgpassword - KONG_PROXY_ACCESS_LOG: /dev/stdout - KONG_PROXY_ERROR_LOG: /dev/stderr - KONG_SSL_CIPHER_SUITE: modern - KONG_STATUS_LISTEN: 0.0.0.0:8100 - 
PROXY_SETUP_HOST: edgex-security-proxy-setup - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-kong - image: kong:2.6.1 - networks: - edgex-network: {} - ports: - - 8000:8000/tcp - - 127.0.0.1:8100:8100/tcp - - 8443:8443/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - - /tmp - tty: true - user: kong:nogroup - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z - - postgres-config:/tmp/postgres-config:z - - kong:/usr/local/kong:z - kong-db: - container_name: edgex-kong-db - depends_on: - - security-bootstrapper - entrypoint: - - /edgex-init/postgres_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_SECURITY_SECRET_STORE: "true" - POSTGRES_DB: kong - POSTGRES_PASSWORD_FILE: /tmp/postgres-config/.pgpassword - POSTGRES_USER: kong - PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - 
STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-kong-db - image: postgres:13.5-alpine - networks: - edgex-network: {} - ports: - - 127.0.0.1:5432:5432/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /var/run - - /tmp - - /run - user: root:root - volumes: - - edgex-init:/edgex-init:ro,z - - postgres-config:/tmp/postgres-config:z - - postgres-data:/var/lib/postgresql/data:z - metadata: - command: /core-metadata -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-core-metadata - depends_on: - - consul - - database - - notifications - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - NOTIFICATIONS_SENDER: edgex-core-metadata - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-core-metadata - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - 
STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-core-metadata - image: nexus3.edgexfoundry.org:10004/core-metadata:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59881:59881/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/core-metadata:/tmp/edgex/secrets/core-metadata:ro,z - notifications: - command: /support-notifications -cp=consul.http://edgex-core-consul:8500 --registry - --confdir=/res - container_name: edgex-support-notifications - depends_on: - - consul - - database - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-support-notifications - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - 
SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-support-notifications - image: nexus3.edgexfoundry.org:10004/support-notifications:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59860:59860/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/support-notifications:/tmp/edgex/secrets/support-notifications:ro,z - proxy-setup: - container_name: edgex-security-proxy-setup - depends_on: - - kong - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/proxy_setup_wait_install.sh - environment: - ADD_PROXY_ROUTE: '' - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_SECURITY_SECRET_STORE: "true" - KONGURL_SERVER: edgex-kong - PROXY_SETUP_HOST: edgex-security-proxy-setup - ROUTES_CORE_COMMAND_HOST: edgex-core-command - ROUTES_CORE_CONSUL_HOST: edgex-core-consul - ROUTES_CORE_DATA_HOST: edgex-core-data - ROUTES_CORE_METADATA_HOST: edgex-core-metadata - ROUTES_DEVICE_VIRTUAL_HOST: device-virtual - ROUTES_RULES_ENGINE_HOST: edgex-kuiper - ROUTES_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - ROUTES_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - ROUTES_SYS_MGMT_AGENT_HOST: edgex-sys-mgmt-agent - 
SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-proxy-setup - image: nexus3.edgexfoundry.org:10004/security-proxy-setup:latest - networks: - edgex-network: {} - read_only: true - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:ro,z - - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z - rulesengine: - container_name: edgex-kuiper - depends_on: - - database - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/kuiper_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CONNECTION__EDGEX__REDISMSGBUS__PORT: 6379 - CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis - CONNECTION__EDGEX__REDISMSGBUS__SERVER: edgex-redis - CONNECTION__EDGEX__REDISMSGBUS__TYPE: redis - EDGEX__DEFAULT__PORT: 6379 - EDGEX__DEFAULT__PROTOCOL: redis - EDGEX__DEFAULT__SERVER: edgex-redis - EDGEX__DEFAULT__TOPIC: rules-events - EDGEX__DEFAULT__TYPE: redis - KUIPER__BASIC__CONSOLELOG: "true" - KUIPER__BASIC__RESTPORT: 59720 - PROXY_SETUP_HOST: 
edgex-security-proxy-setup - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-kuiper - image: lfedge/ekuiper:1.4.4-alpine - networks: - edgex-network: {} - ports: - - 127.0.0.1:59720:59720/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: kuiper:kuiper - volumes: - - edgex-init:/edgex-init:ro,z - - kuiper-data:/kuiper/data:z - - kuiper-connections:/kuiper/etc/connections:z - - kuiper-sources:/kuiper/etc/sources:z - scheduler: - command: /support-scheduler -cp=consul.http://edgex-core-consul:8500 --registry - --confdir=/res - container_name: edgex-support-scheduler - depends_on: - - consul - - database - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data - INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - 
SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-support-scheduler - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-support-scheduler - image: nexus3.edgexfoundry.org:10004/support-scheduler:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59861:59861/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/support-scheduler:/tmp/edgex/secrets/support-scheduler:ro,z - secretstore-setup: - container_name: edgex-security-secretstore-setup - depends_on: - - security-bootstrapper - - vault - environment: - ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-virtual] - ADD_SECRETSTORE_TOKENS: '' - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_GROUP: '2001' - EDGEX_SECURITY_SECRET_STORE: "true" - EDGEX_USER: '2002' - PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SECUREMESSAGEBUS_TYPE: redis - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: 
edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-secretstore-setup - image: nexus3.edgexfoundry.org:10004/security-secretstore-setup:latest - networks: - edgex-network: {} - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - - /vault - user: root:root - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets:/tmp/edgex/secrets:z - - kong:/tmp/kong:z - - kuiper-sources:/tmp/kuiper:z - - kuiper-connections:/tmp/kuiper-connections:z - - vault-config:/vault/config:z - security-bootstrapper: - container_name: edgex-security-bootstrapper - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_GROUP: '2001' - EDGEX_USER: '2002' - PROXY_SETUP_HOST: edgex-security-proxy-setup - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: 
edgex-security-bootstrapper - image: nexus3.edgexfoundry.org:10004/security-bootstrapper:latest - networks: - edgex-network: {} - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: root:root - volumes: - - edgex-init:/edgex-init:z - security-spiffe-token-provider: - command: /security-spiffe-token-provider -cp=consul.http://edgex-core-consul:8500 - --registry --confdir=/res - container_name: edgex-security-spiffe-token-provider - depends_on: - - consul - - security-bootstrapper - - security-spire-agent - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-security-spiffe-token-provider - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - 
STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-spiffe-token-provider - image: nexus3.edgexfoundry.org:10004/security-spiffe-token-provider:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59841:59841/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - user: root:root - volumes: - - edgex-init:/edgex-init:z - - /tmp/edgex/secrets/security-spiffe-token-provider:/tmp/edgex/secrets/security-spiffe-token-provider:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - security-spire-agent: - command: docker-entrypoint.sh - container_name: edgex-security-spire-agent - depends_on: - - security-spire-server - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: 
edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-spire-agent - image: nexus3.edgexfoundry.org:10004/security-spire-agent:latest - networks: - edgex-network: {} - pid: host - privileged: true - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - user: root:root - volumes: - - edgex-init:/edgex-init:z - - spire-agent:/srv/spiffe/agent:z - - spire-ca:/srv/spiffe/ca:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - - /var/run/docker.sock:/var/run/docker.sock:rw - security-spire-config: - command: docker-entrypoint.sh - container_name: edgex-security-spire-config - depends_on: - - security-spire-agent - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - 
STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-spire-config - image: nexus3.edgexfoundry.org:10004/security-spire-config:latest - networks: - edgex-network: {} - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - user: root:root - volumes: - - edgex-init:/edgex-init:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - security-spire-server: - command: docker-entrypoint.sh - container_name: edgex-security-spire-server - depends_on: - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: 
edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-spire-server - image: nexus3.edgexfoundry.org:10004/security-spire-server:latest - networks: - edgex-network: {} - pid: host - ports: - - 127.0.0.1:59840:59840/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - user: root:root - volumes: - - edgex-init:/edgex-init:z - - spire-ca:/srv/spiffe/ca:z - - spire-server:/srv/spiffe/server:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - system: - command: /sys-mgmt-agent -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-sys-mgmt-agent - depends_on: - - command - - consul - - data - - metadata - - notifications - - scheduler - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - EXECUTORPATH: /sys-mgmt-executor - METRICSMECHANISM: executor - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-sys-mgmt-agent - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db 
- STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-sys-mgmt-agent - image: nexus3.edgexfoundry.org:10004/sys-mgmt-agent:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:58890:58890/tcp - read_only: true - restart: always - security_opt: - - label:disable - - no-new-privileges:true - user: root:root - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/sys-mgmt-agent:/tmp/edgex/secrets/sys-mgmt-agent:ro,z - - /var/run/docker.sock:/var/run/docker.sock:z - ui: - container_name: edgex-ui-go - environment: - EDGEX_SECURITY_SECRET_STORE: "true" - hostname: edgex-ui-go - image: nexus3.edgexfoundry.org:10004/edgex-ui:latest - networks: - edgex-network: {} - ports: - - 4000:4000/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - vault: - cap_add: - - IPC_LOCK - command: server - container_name: edgex-vault - depends_on: - - security-bootstrapper - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - PROXY_SETUP_HOST: edgex-security-proxy-setup - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: 
edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_UI: "true" - hostname: edgex-vault - image: vault:1.8.9 - networks: - edgex-network: {} - ports: - - 127.0.0.1:8200:8200/tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - edgex-init:/edgex-init:ro,z - - vault-file:/vault/file:z - - vault-logs:/vault/logs:z -version: '3.7' -volumes: - consul-acl-token: {} - consul-config: {} - consul-data: {} - db-data: {} - edgex-init: {} - kong: {} - kuiper-connections: {} - kuiper-data: {} - kuiper-sources: {} - postgres-config: {} - postgres-data: {} - redis-config: {} - spire-agent: {} - spire-ca: {} - spire-server: {} - vault-config: {} - vault-file: {} - vault-logs: {} - diff --git a/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml b/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml index f6891915..bc6a934f 100644 --- a/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml +++ b/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml 
@@ -1,288 +1,442 @@ -networks: - edgex-network: - driver: bridge +# * Copyright 2023 Intel Corporation. +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except +# * in compliance with the License. You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software distributed under the License +# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express +# * or implied. See the License for the specific language governing permissions and limitations under +# * the License. +# *******************************************************************************/ + +name: edgex services: - app-service-rules: - command: /app-service-configurable -cp=consul.http://edgex-core-consul:8500 --registry - --confdir=/res + app-rules-engine: + command: + - /app-service-configurable + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-app-rules-engine depends_on: - - consul - - data - - security-bootstrapper + consul: + condition: service_started + core-data: + condition: service_started + security-bootstrapper: + condition: service_started entrypoint: - /edgex-init/ready_to_run_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis EDGEX_PROFILE: rules-engine EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' SERVICE_HOST: edgex-app-rules-engine - SPIFFE_ENDPOINTSOCKET: 
/tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s - TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST: edgex-redis - TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-redis hostname: edgex-app-rules-engine - image: nexus3.edgexfoundry.org:10004/app-service-configurable:latest + image: nexus3.edgexfoundry.org:10004/app-service-configurable:3.0.0 networks: - edgex-network: {} + edgex-network: null ports: - - 127.0.0.1:59701:59701/tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59701 + published: "59701" + protocol: tcp read_only: true restart: always security_opt: - no-new-privileges:true user: 2002:2001 volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/app-rules-engine:/tmp/edgex/secrets/app-rules-engine:ro,z - command: - command: /core-command -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/app-rules-engine + target: 
/tmp/edgex/secrets/app-rules-engine + read_only: true + bind: + selinux: z + create_host_path: true + consul: + command: + - agent + - -ui + - -bootstrap + - -server + - -client + - 0.0.0.0 + container_name: edgex-core-consul + depends_on: + security-bootstrapper: + condition: service_started + vault: + condition: service_started + entrypoint: + - /edgex-init/consul_wait_install.sh + environment: + EDGEX_ADD_REGISTRY_ACL_ROLES: "" + EDGEX_GROUP: "2001" + EDGEX_SECURITY_SECRET_STORE: "true" + EDGEX_USER: "2002" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json + STAGEGATE_REGISTRY_ACL_MANAGEMENTTOKENPATH: /tmp/edgex/secrets/consul-acl-token/mgmt_token.json + STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: /consul/config/consul_acl_done + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-consul + image: hashicorp/consul:1.15.2 + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 8500 + published: "8500" + protocol: tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: root:root + volumes: + - type: volume + source: consul-config + target: /consul/config + volume: {} + - type: volume + source: consul-data + target: /consul/data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: consul-acl-token + target: 
/tmp/edgex/secrets/consul-acl-token + volume: {} + - type: bind + source: /tmp/edgex/secrets/edgex-consul + target: /tmp/edgex/secrets/edgex-consul + read_only: true + bind: + selinux: z + create_host_path: true + core-command: + command: + - /core-command + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-command depends_on: - - consul - - database - - metadata - - secretstore-setup - - security-bootstrapper + consul: + condition: service_started + core-metadata: + condition: service_started + database: + condition: service_started + security-bootstrapper: + condition: service_started + security-secretstore-setup: + condition: service_started entrypoint: - /edgex-init/ready_to_run_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" + EXTERNALMQTT_URL: tcp://edgex-mqtt-broker:1883 PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' SERVICE_HOST: edgex-core-command - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + 
STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-core-command - image: nexus3.edgexfoundry.org:10004/core-command:latest + image: nexus3.edgexfoundry.org:10004/core-command:3.0.0 networks: - edgex-network: {} + edgex-network: null ports: - - 127.0.0.1:59882:59882/tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59882 + published: "59882" + protocol: tcp read_only: true restart: always security_opt: - no-new-privileges:true user: 2002:2001 volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/core-command:/tmp/edgex/secrets/core-command:ro,z - consul: - command: agent -ui -bootstrap -server -client 0.0.0.0 - container_name: edgex-core-consul + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-command + target: /tmp/edgex/secrets/core-command + read_only: true + bind: + selinux: z + create_host_path: true + core-common-config-bootstrapper: + command: + - /entrypoint.sh + - /core-common-config-bootstrapper + - -cp=consul.http://edgex-core-consul:8500 + container_name: edgex-core-common-config-bootstrapper depends_on: - - security-bootstrapper - - vault + consul: + condition: service_started + security-bootstrapper: + condition: service_started + security-secretstore-setup: + condition: service_started entrypoint: - - /edgex-init/consul_wait_install.sh + - /edgex-init/ready_to_run_wait_install.sh environment: - ADD_REGISTRY_ACL_ROLES: '' - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_GROUP: '2001' + 
ALL_SERVICES_DATABASE_HOST: edgex-redis + ALL_SERVICES_MESSAGEBUS_HOST: edgex-redis + ALL_SERVICES_REGISTRY_HOST: edgex-core-consul + APP_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST: edgex-core-metadata EDGEX_SECURITY_SECRET_STORE: "true" - EDGEX_USER: '2002' PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json - STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: /consul/config/consul_acl_done + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-core-consul - image: consul:1.10.10 + hostname: edgex-core-common-config-bootstrapper + image: nexus3.edgexfoundry.org:10004/core-common-config-bootstrapper:3.0.0 networks: - edgex-network: {} - ports: - - 127.0.0.1:8500:8500/tcp + edgex-network: null read_only: true - restart: always security_opt: - 
no-new-privileges:true - user: root:root + user: 2002:2001 volumes: - - consul-config:/consul/config:z - - consul-data:/consul/data:z - - edgex-init:/edgex-init:ro,z - - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:z - - /tmp/edgex/secrets/edgex-consul:/tmp/edgex/secrets/edgex-consul:ro,z - data: - command: /core-data -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-common-config-bootstrapper + target: /tmp/edgex/secrets/core-common-config-bootstrapper + read_only: true + bind: + selinux: z + create_host_path: true + core-data: + command: + - /core-data + - -cp=consul.http://edgex-core-consul:8500 + - --registry container_name: edgex-core-data depends_on: - - consul - - database - - metadata - - secretstore-setup - - security-bootstrapper + consul: + condition: service_started + core-metadata: + condition: service_started + database: + condition: service_started + security-bootstrapper: + condition: service_started + security-secretstore-setup: + condition: service_started entrypoint: - /edgex-init/ready_to_run_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" - MESSAGEQUEUE_HOST: edgex-redis PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/core-data/secrets-token.json SERVICE_HOST: edgex-core-data - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: 
/tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-core-data - image: nexus3.edgexfoundry.org:10004/core-data:latest + image: nexus3.edgexfoundry.org:10004/core-data:3.0.0 networks: - edgex-network: {} + edgex-network: null ports: - - 127.0.0.1:5563:5563/tcp - - 127.0.0.1:59880:59880/tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59880 + published: "59880" + protocol: tcp read_only: true restart: always security_opt: - no-new-privileges:true user: 2002:2001 volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/core-data:/tmp/edgex/secrets/core-data:ro,z + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-data + target: /tmp/edgex/secrets/core-data + read_only: true + bind: + selinux: z + create_host_path: true + core-metadata: + command: + - /core-metadata + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-core-metadata + depends_on: + consul: + condition: service_started + database: + condition: 
service_started + security-bootstrapper: + condition: service_started + security-secretstore-setup: + condition: service_started + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SERVICE_HOST: edgex-core-metadata + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-metadata + image: nexus3.edgexfoundry.org:10004/core-metadata:3.0.0 + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 59881 + published: "59881" + protocol: tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/core-metadata + target: /tmp/edgex/secrets/core-metadata + read_only: true + bind: + selinux: z + create_host_path: true database: container_name: edgex-redis depends_on: - - secretstore-setup - - security-bootstrapper + security-bootstrapper: + condition: service_started + security-secretstore-setup: + condition: service_started entrypoint: - /edgex-init/redis_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: 
edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler DATABASECONFIG_NAME: redis.conf DATABASECONFIG_PATH: /run/redis/conf - DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-redis - image: redis:6.2.6-alpine + image: redis:7.0.11-alpine networks: - edgex-network: {} + edgex-network: null ports: - - 127.0.0.1:6379:6379/tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 6379 + published: "6379" + protocol: tcp read_only: true restart: always security_opt: 
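Review bot: The `image:` lines on the new side of this hunk are still pinned only by mutable tag (`nexus3.edgexfoundry.org:10004/core-command:3.0.0`, `hashicorp/consul:1.15.2`, `redis:7.0.11-alpine`), so a tag that is re-pushed in the registry silently changes what the example runs. That matters here because the consul service runs as `root:root` and the services mount token directories under `/tmp/edgex/secrets/`. I would add the digest next to the tag, e.g. `image: nexus3.edgexfoundry.org:10004/core-command:3.0.0@sha256:<digest-of-the-3.0.0-image>` (placeholder; take the real value from the registry when the release is cut), and do the same for the Docker Hub images. The same applies to the `security-proxy-setup:3.0.0` reference in the helm README hunk of this commit.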
@@ -291,328 +445,348 @@ services: - /run user: root:root volumes: - - db-data:/data:z - - edgex-init:/edgex-init:ro,z - - redis-config:/run/redis/conf:z - - /tmp/edgex/secrets/security-bootstrapper-redis:/tmp/edgex/secrets/security-bootstrapper-redis:ro,z + - type: volume + source: db-data + target: /data + volume: {} + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: redis-config + target: /run/redis/conf + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-bootstrapper-redis + target: /tmp/edgex/secrets/security-bootstrapper-redis + read_only: true + bind: + selinux: z + create_host_path: true ### =============== ### BEGIN REMOVED CONTENT ### =============== # device-virtual: - # command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + # command: + # - /device-virtual + # - -cp=consul.http://edgex-core-consul:8500 + # - --registry # container_name: edgex-device-virtual # depends_on: - # - consul - # - data - # - metadata - # - security-bootstrapper - # - security-spiffe-token-provider + # consul: + # condition: service_started + # core-data: + # condition: service_started + # core-metadata: + # condition: service_started + # security-bootstrapper: + # condition: service_started + # security-spiffe-token-provider: + # condition: service_started # entrypoint: # - /edgex-init/ready_to_run_wait_install.sh # environment: - # API_GATEWAY_HOST: edgex-kong - # API_GATEWAY_STATUS_PORT: '8100' - # CLIENTS_CORE_COMMAND_HOST: edgex-core-command - # CLIENTS_CORE_DATA_HOST: edgex-core-data - # CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - # CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - # CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - # DATABASES_PRIMARY_HOST: edgex-redis # EDGEX_SECURITY_SECRET_STORE: "true" - # MESSAGEQUEUE_HOST: edgex-redis # PROXY_SETUP_HOST: edgex-security-proxy-setup - # REGISTRY_HOST: edgex-core-consul # 
SECRETSTORE_HOST: edgex-vault - # SECRETSTORE_PORT: '8200' # SECRETSTORE_RUNTIMETOKENPROVIDER_ENABLED: "true" - # SECRETSTORE_RUNTIMETOKENPROVIDER_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock # SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider - # SECRETSTORE_RUNTIMETOKENPROVIDER_PORT: 59841 - # SECRETSTORE_RUNTIMETOKENPROVIDER_PROTOCOL: https - # SECRETSTORE_RUNTIMETOKENPROVIDER_REQUIREDSECRETS: redisdb - # SECRETSTORE_RUNTIMETOKENPROVIDER_TRUSTDOMAIN: edgexfoundry.org # SERVICE_HOST: edgex-device-virtual - # SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - # SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - # SPIFFE_TRUSTDOMAIN: edgexfoundry.org # STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - # STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + # STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" # STAGEGATE_DATABASE_HOST: edgex-redis - # STAGEGATE_DATABASE_PORT: '6379' - # STAGEGATE_DATABASE_READYPORT: '6379' - # STAGEGATE_KONGDB_HOST: edgex-kong-db - # STAGEGATE_KONGDB_PORT: '5432' - # STAGEGATE_KONGDB_READYPORT: '54325' - # STAGEGATE_READY_TORUNPORT: '54329' + # STAGEGATE_DATABASE_PORT: "6379" + # STAGEGATE_DATABASE_READYPORT: "6379" + # STAGEGATE_READY_TORUNPORT: "54329" # STAGEGATE_REGISTRY_HOST: edgex-core-consul - # STAGEGATE_REGISTRY_PORT: '8500' - # STAGEGATE_REGISTRY_READYPORT: '54324' + # STAGEGATE_REGISTRY_PORT: "8500" + # STAGEGATE_REGISTRY_READYPORT: "54324" # STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - # STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + # STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" # STAGEGATE_WAITFOR_TIMEOUT: 60s # hostname: edgex-device-virtual - # image: nexus3.edgexfoundry.org:10004/device-virtual:latest + # image: nexus3.edgexfoundry.org:10004/device-virtual:3.0.0 # networks: - # edgex-network: {} + # edgex-network: null # ports: - # - 127.0.0.1:59900:59900/tcp + # - mode: ingress + # host_ip: 127.0.0.1 + # target: 59900 
+ # published: "59900" + # protocol: tcp # read_only: true # restart: always # security_opt: # - no-new-privileges:true # user: 2002:2001 # volumes: - # - edgex-init:/edgex-init:ro,z - # - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual:ro,z - # - /tmp/edgex/secrets/spiffe/public:/tmp/edgex/secrets/spiffe/public:ro,z + # - type: volume + # source: edgex-init + # target: /edgex-init + # read_only: true + # volume: {} + # - type: bind + # source: /tmp/edgex/secrets/device-virtual + # target: /tmp/edgex/secrets/device-virtual + # read_only: true + # bind: + # selinux: z + # create_host_path: true + # - type: bind + # source: /tmp/edgex/secrets/spiffe/public + # target: /tmp/edgex/secrets/spiffe/public + # read_only: true + # bind: + # selinux: z + # create_host_path: true ### =============== ### END REMOVED CONTENT ### =============== - kong: - container_name: edgex-kong + nginx: + command: + - /docker-entrypoint.sh + - nginx + - -g + - daemon off; + container_name: edgex-nginx depends_on: - - kong-db - - security-bootstrapper + security-secretstore-setup: + condition: service_started entrypoint: - - /edgex-init/kong_wait_install.sh + - /bin/sh + - /edgex-init/nginx_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - KONG_ADMIN_ACCESS_LOG: /dev/stdout - KONG_ADMIN_ERROR_LOG: /dev/stderr - KONG_ADMIN_LISTEN: 127.0.0.1:8001, 127.0.0.1:8444 ssl - KONG_DATABASE: postgres - KONG_DNS_ORDER: LAST,A,CNAME - KONG_DNS_VALID_TTL: '1' - KONG_NGINX_WORKER_PROCESSES: '1' - KONG_PG_HOST: edgex-kong-db - KONG_PG_PASSWORD_FILE: /tmp/postgres-config/.pgpassword - KONG_PROXY_ACCESS_LOG: /dev/stdout - KONG_PROXY_ERROR_LOG: /dev/stderr - KONG_SSL_CIPHER_SUITE: modern - KONG_STATUS_LISTEN: 0.0.0.0:8100 PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - 
STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-kong - image: kong:2.6.1 + hostname: edgex-nginx + image: nginx:1.24.0-alpine-slim networks: - edgex-network: {} + edgex-network: + aliases: + - edgex-kong ports: - - 8000:8000/tcp - - 127.0.0.1:8100:8100/tcp - - 8443:8443/tcp + - mode: ingress + target: 8443 + published: "8443" + protocol: tcp read_only: true restart: always security_opt: - no-new-privileges:true tmpfs: - - /run - - /tmp - tty: true - user: kong:nogroup + - /etc/nginx/conf.d + - /var/cache/nginx + - /var/log/nginx + - /var/run volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z - - postgres-config:/tmp/postgres-config:z - - kong:/usr/local/kong:z - kong-db: - container_name: edgex-kong-db + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: nginx-templates + target: /etc/nginx/templates + volume: {} + - type: volume + source: nginx-tls + target: /etc/ssl/nginx + volume: {} + rules-engine: + container_name: edgex-kuiper depends_on: - - security-bootstrapper + database: + condition: service_started + security-bootstrapper: + condition: service_started + security-secretstore-setup: + condition: service_started entrypoint: - - 
/edgex-init/postgres_wait_install.sh + - /edgex-init/kuiper_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_SECURITY_SECRET_STORE: "true" - POSTGRES_DB: kong - POSTGRES_PASSWORD_FILE: /tmp/postgres-config/.pgpassword - POSTGRES_USER: kong + CONNECTION__EDGEX__REDISMSGBUS__PORT: "6379" + CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis + CONNECTION__EDGEX__REDISMSGBUS__SERVER: edgex-redis + CONNECTION__EDGEX__REDISMSGBUS__TYPE: redis + EDGEX__DEFAULT__PORT: "6379" + EDGEX__DEFAULT__PROTOCOL: redis + EDGEX__DEFAULT__SERVER: edgex-redis + EDGEX__DEFAULT__TOPIC: edgex/rules-events + EDGEX__DEFAULT__TYPE: redis + KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__RESTPORT: "59720" PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-kong-db - image: postgres:13.5-alpine + hostname: 
edgex-kuiper + image: lfedge/ekuiper:1.9.2-alpine networks: - edgex-network: {} + edgex-network: null ports: - - 127.0.0.1:5432:5432/tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59720 + published: "59720" + protocol: tcp read_only: true restart: always security_opt: - no-new-privileges:true - tmpfs: - - /var/run - - /tmp - - /run - user: root:root + user: kuiper:kuiper volumes: - - edgex-init:/edgex-init:ro,z - - postgres-config:/tmp/postgres-config:z - - postgres-data:/var/lib/postgresql/data:z - metadata: - command: /core-metadata -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-core-metadata - depends_on: - - consul - - database - - notifications - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: kuiper-data + target: /kuiper/data + volume: {} + - type: volume + source: kuiper-etc + target: /kuiper/etc + volume: {} + - type: volume + source: kuiper-connections + target: /kuiper/etc/connections + volume: {} + - type: volume + source: kuiper-sources + target: /kuiper/etc/sources + volume: {} + - type: volume + source: kuiper-log + target: /kuiper/log + volume: {} + - type: volume + source: kuiper-plugins + target: /kuiper/plugins + volume: {} + security-bootstrapper: + container_name: edgex-security-bootstrapper environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - NOTIFICATIONS_SENDER: edgex-core-metadata + EDGEX_GROUP: "2001" + EDGEX_USER: "2002" PROXY_SETUP_HOST: 
edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-core-metadata - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-core-metadata - image: nexus3.edgexfoundry.org:10004/core-metadata:latest + hostname: edgex-security-bootstrapper + image: nexus3.edgexfoundry.org:10004/security-bootstrapper:3.0.0 networks: - edgex-network: {} - ports: - - 127.0.0.1:59881:59881/tcp + edgex-network: null read_only: true restart: always security_opt: - no-new-privileges:true - user: 2002:2001 + user: root:root volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/core-metadata:/tmp/edgex/secrets/core-metadata:ro,z - notifications: - command: /support-notifications -cp=consul.http://edgex-core-consul:8500 --registry - --confdir=/res - container_name: edgex-support-notifications + - type: volume + source: edgex-init + target: /edgex-init + volume: {} + 
security-proxy-auth: + command: + - entrypoint.sh + - /security-proxy-auth + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-proxy-auth depends_on: - - consul - - database - - secretstore-setup - - security-bootstrapper + security-secretstore-setup: + condition: service_started entrypoint: + - /bin/sh - /edgex-init/ready_to_run_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-support-notifications - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org + SERVICE_HOST: edgex-proxy-auth STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: 
'54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-support-notifications - image: nexus3.edgexfoundry.org:10004/support-notifications:latest + hostname: edgex-proxy-auth + image: nexus3.edgexfoundry.org:10004/security-proxy-auth:3.0.0 networks: - edgex-network: {} + edgex-network: null ports: - - 127.0.0.1:59860:59860/tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59842 + published: "59842" + protocol: tcp read_only: true restart: always security_opt: - no-new-privileges:true - user: 2002:2001 volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/support-notifications:/tmp/edgex/secrets/support-notifications:ro,z - proxy-setup: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-proxy-auth + target: /tmp/edgex/secrets/security-proxy-auth + read_only: true + bind: + selinux: z + create_host_path: true + security-proxy-setup: container_name: edgex-security-proxy-setup depends_on: - - kong - - secretstore-setup - - security-bootstrapper + security-bootstrapper: + condition: service_started + security-secretstore-setup: + condition: service_started entrypoint: - /edgex-init/proxy_setup_wait_install.sh environment: - ADD_PROXY_ROUTE: '' - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' + EDGEX_ADD_PROXY_ROUTE: "" EDGEX_SECURITY_SECRET_STORE: "true" - KONGURL_SERVER: edgex-kong PROXY_SETUP_HOST: edgex-security-proxy-setup ROUTES_CORE_COMMAND_HOST: edgex-core-command ROUTES_CORE_CONSUL_HOST: edgex-core-consul 
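Review bot: The new `nginx` and `security-proxy-auth` services have no `user:` key, so each runs as its image's default user. The Kong gateway that nginx replaces ran as `user: kong:nogroup`, and the removed notifications service ran as `user: 2002:2001`. If the security-proxy-auth image works unprivileged like the other EdgeX services, add `user: 2002:2001` to it. If either container needs root during start-up, record that in a comment such as `# no user: set, the wait script needs root before the server starts (confirm)`. The hunk starts inside the `database` service and ends inside `security-proxy-setup`, so those two are not assessed here.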
@@ -624,190 +798,88 @@ services: ROUTES_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler ROUTES_SYS_MGMT_AGENT_HOST: edgex-sys-mgmt-agent SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-security-proxy-setup - image: nexus3.edgexfoundry.org:10004/security-proxy-setup:latest + image: nexus3.edgexfoundry.org:10004/security-proxy-setup:3.0.0 networks: - edgex-network: {} + edgex-network: null read_only: true security_opt: - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:ro,z - - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z - rulesengine: - container_name: edgex-kuiper - depends_on: - - database - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/kuiper_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - 
API_GATEWAY_STATUS_PORT: '8100' - CONNECTION__EDGEX__REDISMSGBUS__PORT: 6379 - CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis - CONNECTION__EDGEX__REDISMSGBUS__SERVER: edgex-redis - CONNECTION__EDGEX__REDISMSGBUS__TYPE: redis - EDGEX__DEFAULT__PORT: 6379 - EDGEX__DEFAULT__PROTOCOL: redis - EDGEX__DEFAULT__SERVER: edgex-redis - EDGEX__DEFAULT__TOPIC: rules-events - EDGEX__DEFAULT__TYPE: redis - KUIPER__BASIC__CONSOLELOG: "true" - KUIPER__BASIC__RESTPORT: 59720 - PROXY_SETUP_HOST: edgex-security-proxy-setup - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-kuiper - image: lfedge/ekuiper:1.4.4-alpine - networks: - edgex-network: {} - ports: - - 127.0.0.1:59720:59720/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: kuiper:kuiper - volumes: - - edgex-init:/edgex-init:ro,z - - kuiper-data:/kuiper/data:z - - kuiper-connections:/kuiper/etc/connections:z - - kuiper-sources:/kuiper/etc/sources:z - scheduler: - command: /support-scheduler -cp=consul.http://edgex-core-consul:8500 --registry - --confdir=/res - container_name: edgex-support-scheduler - depends_on: - - consul - - database - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: 
edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data - INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-support-scheduler - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-support-scheduler - image: nexus3.edgexfoundry.org:10004/support-scheduler:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59861:59861/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 + user: root:root volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/support-scheduler:/tmp/edgex/secrets/support-scheduler:ro,z - secretstore-setup: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} + - type: volume + source: nginx-templates 
+ target: /etc/nginx/templates + volume: {} + - type: volume + source: nginx-tls + target: /etc/ssl/nginx + volume: {} + - type: bind + source: /tmp/edgex/secrets/security-proxy-setup + target: /tmp/edgex/secrets/security-proxy-setup + read_only: true + bind: + selinux: z + create_host_path: true + - type: volume + source: consul-acl-token + target: /tmp/edgex/secrets/consul-acl-token + read_only: true + volume: {} + security-secretstore-setup: container_name: edgex-security-secretstore-setup depends_on: - - security-bootstrapper - - vault + security-bootstrapper: + condition: service_started + vault: + condition: service_started environment: - ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-virtual] - ADD_SECRETSTORE_TOKENS: '' - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_GROUP: '2001' + EDGEX_ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-virtual],message-bus[device-virtual] + EDGEX_ADD_SECRETSTORE_TOKENS: "" + EDGEX_GROUP: "2001" EDGEX_SECURITY_SECRET_STORE: "true" - EDGEX_USER: '2002' + EDGEX_USER: "2002" PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' SECUREMESSAGEBUS_TYPE: redis - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - 
STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-security-secretstore-setup - image: nexus3.edgexfoundry.org:10004/security-secretstore-setup:latest + image: nexus3.edgexfoundry.org:10004/security-secretstore-setup:3.0.0 networks: - edgex-network: {} + edgex-network: null read_only: true restart: always security_opt: 
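Review bot: `security-proxy-setup` moves from `user: 2002:2001` to `user: root:root` and at the same time gains writable mounts of `vault-config`, `nginx-templates` and `nginx-tls`. That is a privilege increase which the commit message, describing an image-tag update, does not mention. Writing the nginx templates and TLS material presumably explains the root user, and a short comment above `user: root:root` should say so. If the service only reads from `/vault/config`, add `read_only: true` to that mount, as is already done for `edgex-init` and `consul-acl-token`. The service definitions at both ends of the hunk continue outside it.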
@@ -817,95 +889,70 @@ services: - /vault user: root:root volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets:/tmp/edgex/secrets:z - - kong:/tmp/kong:z - - kuiper-sources:/tmp/kuiper:z - - kuiper-connections:/tmp/kuiper-connections:z - - vault-config:/vault/config:z - security-bootstrapper: - container_name: edgex-security-bootstrapper - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_GROUP: '2001' - EDGEX_USER: '2002' - PROXY_SETUP_HOST: edgex-security-proxy-setup - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-bootstrapper - image: nexus3.edgexfoundry.org:10004/security-bootstrapper:latest - networks: - edgex-network: {} - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: root:root - volumes: - - edgex-init:/edgex-init:z + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets + target: /tmp/edgex/secrets + bind: + selinux: z + create_host_path: true + - type: volume + source: kuiper-sources + target: /tmp/kuiper + volume: {} + - type: volume + source: kuiper-connections + target: /tmp/kuiper-connections + volume: {} + - type: volume + source: vault-config + target: /vault/config + volume: {} security-spiffe-token-provider: - command: /security-spiffe-token-provider 
-cp=consul.http://edgex-core-consul:8500 - --registry --confdir=/res + command: + - /security-spiffe-token-provider + - -cp=consul.http://edgex-core-consul:8500 container_name: edgex-security-spiffe-token-provider depends_on: - - consul - - security-bootstrapper - - security-spire-agent + consul: + condition: service_started + security-bootstrapper: + condition: service_started + security-spire-agent: + condition: service_started entrypoint: - /edgex-init/ready_to_run_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' SERVICE_HOST: edgex-security-spiffe-token-provider - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: 
edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-security-spiffe-token-provider - image: nexus3.edgexfoundry.org:10004/security-spiffe-token-provider:latest + image: nexus3.edgexfoundry.org:10004/security-spiffe-token-provider:3.0.0 networks: - edgex-network: {} + edgex-network: null ports: - - 127.0.0.1:59841:59841/tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59841 + published: "59841" + protocol: tcp read_only: true restart: always security_opt: 
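Review bot: The bind mount of `/tmp/edgex/secrets` into `security-secretstore-setup` is writable and carries `create_host_path: true`, so the root of the secret tree sits under the host's shared `/tmp` and is created on first start if absent. On a multi-user host that directory should exist beforehand with restrictive ownership and mode. A comment above the mount would make the requirement visible, e.g. `# holds service secrets; pre-create the host path with restrictive ownership and mode`. Whether the setup container tightens permissions itself is not visible in this hunk.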
@@ -914,52 +961,51 @@ services: - /run user: root:root volumes: - - edgex-init:/edgex-init:z - - /tmp/edgex/secrets/security-spiffe-token-provider:/tmp/edgex/secrets/security-spiffe-token-provider:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z + - type: volume + source: edgex-init + target: /edgex-init + volume: {} + - type: bind + source: /tmp/edgex/secrets/spiffe + target: /tmp/edgex/secrets/spiffe + bind: + selinux: z + create_host_path: true + - type: bind + source: /tmp/edgex/secrets/security-spiffe-token-provider + target: /tmp/edgex/secrets/security-spiffe-token-provider + bind: + selinux: z + create_host_path: true security-spire-agent: - command: docker-entrypoint.sh + command: + - docker-entrypoint.sh container_name: edgex-security-spire-agent depends_on: - - security-spire-server + security-spire-server: + condition: service_started entrypoint: - /edgex-init/ready_to_run_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - 
STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-security-spire-agent - image: nexus3.edgexfoundry.org:10004/security-spire-agent:latest + image: nexus3.edgexfoundry.org:10004/security-spire-agent:3.0.0 networks: - edgex-network: {} + edgex-network: null pid: host privileged: true read_only: true 
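Review bot: The `edgex-init` volume is mounted writable into `security-spiffe-token-provider` at the top of this hunk, while `support-notifications`, `support-scheduler` and `vault` later in the same file mount it with `read_only: true`. That volume provides `/edgex-init/ready_to_run_wait_install.sh`, which these services run as their entrypoint, and this container runs as `root:root`, so a writable mount lets it alter a script that other containers execute. Unless the provider has to write there, add `read_only: true` under `target: /edgex-init`. The same writable entry recurs for `security-spire-agent`, `security-spire-config` and `security-spire-server` in the next three hunks. The token-provider service definition starts above this hunk.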
@@ -970,54 +1016,58 @@ services: - /run user: root:root volumes: - - edgex-init:/edgex-init:z - - spire-agent:/srv/spiffe/agent:z - - spire-ca:/srv/spiffe/ca:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - - /var/run/docker.sock:/var/run/docker.sock:rw + - type: volume + source: edgex-init + target: /edgex-init + volume: {} + - type: volume + source: spire-ca + target: /srv/spiffe/ca + volume: {} + - type: volume + source: spire-agent + target: /srv/spiffe/agent + volume: {} + - type: bind + source: /tmp/edgex/secrets/spiffe + target: /tmp/edgex/secrets/spiffe + bind: + selinux: z + create_host_path: true + - type: bind + source: /var/run/docker.sock + target: /var/run/docker.sock + bind: + create_host_path: true security-spire-config: - command: docker-entrypoint.sh + command: + - docker-entrypoint.sh container_name: edgex-security-spire-config depends_on: - - security-spire-agent + security-spire-agent: + condition: service_started entrypoint: - /edgex-init/ready_to_run_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - 
STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-security-spire-config - image: nexus3.edgexfoundry.org:10004/security-spire-config:latest + image: nexus3.edgexfoundry.org:10004/security-spire-config:3.0.0 networks: - edgex-network: {} + edgex-network: null read_only: true restart: always security_opt: 
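Review bot: The bind entry for `/var/run/docker.sock` in `security-spire-agent` is written with `create_host_path: true`, so when the socket is absent on the host Docker creates a directory at that path instead of failing. Setting `create_host_path: false` on this one entry turns a missing daemon socket into an immediate startup error. The mount is also read-write into a container that the previous hunk shows as `privileged: true` with `pid: host`, which together amount to control of the host's Docker daemon. If that access is required (presumably for SPIRE's Docker workload attestation, which this diff does not show), a comment above the entry such as `# agent needs the Docker API to attest workloads; grants host-level access` would record the reason.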
@@ -1026,54 +1076,52 @@ services: - /run user: root:root volumes: - - edgex-init:/edgex-init:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z + - type: volume + source: edgex-init + target: /edgex-init + volume: {} + - type: bind + source: /tmp/edgex/secrets/spiffe + target: /tmp/edgex/secrets/spiffe + bind: + selinux: z + create_host_path: true security-spire-server: - command: docker-entrypoint.sh + command: + - docker-entrypoint.sh container_name: edgex-security-spire-server depends_on: - - security-bootstrapper + security-bootstrapper: + condition: service_started entrypoint: - /edgex-init/ready_to_run_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + 
STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-security-spire-server - image: nexus3.edgexfoundry.org:10004/security-spire-server:latest + image: nexus3.edgexfoundry.org:10004/security-spire-server:3.0.0 networks: - edgex-network: {} + edgex-network: null pid: host ports: - - 127.0.0.1:59840:59840/tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59840 + published: "59840" + protocol: tcp read_only: true restart: always security_opt: 
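Review bot: `SPIFFE_ENDPOINTSOCKET`, `SPIFFE_TRUSTBUNDLE_PATH` and `SPIFFE_TRUSTDOMAIN` are dropped from the `environment:` of `security-spire-server` here, and from `security-spire-agent` and `security-spire-config` in the two hunks before, which the commit message (a tag bump) does not mention. The bind mount still targets `/tmp/edgex/secrets/spiffe`, so these services now depend on whatever socket path and trust domain the 3.0.0 images default to, and that cannot be checked from this diff. Once confirmed, a comment above `environment:` such as `# SPIFFE socket, trust bundle and trust domain use the 3.0.0 image defaults` would show that the omission is deliberate.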
@@ -1082,84 +1130,186 @@ services: - /run user: root:root volumes: - - edgex-init:/edgex-init:z - - spire-ca:/srv/spiffe/ca:z - - spire-server:/srv/spiffe/server:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - system: - command: /sys-mgmt-agent -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-sys-mgmt-agent + - type: volume + source: edgex-init + target: /edgex-init + volume: {} + - type: volume + source: spire-ca + target: /srv/spiffe/ca + volume: {} + - type: volume + source: spire-server + target: /srv/spiffe/server + volume: {} + - type: bind + source: /tmp/edgex/secrets/spiffe + target: /tmp/edgex/secrets/spiffe + bind: + selinux: z + create_host_path: true + support-notifications: + command: + - /support-notifications + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-support-notifications depends_on: - - command - - consul - - data - - metadata - - notifications - - scheduler - - security-bootstrapper + consul: + condition: service_started + database: + condition: service_started + security-bootstrapper: + condition: service_started + security-secretstore-setup: + condition: service_started + security-spiffe-token-provider: + condition: service_started entrypoint: - /edgex-init/ready_to_run_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis EDGEX_SECURITY_SECRET_STORE: "true" - EXECUTORPATH: /sys-mgmt-executor - METRICSMECHANISM: executor PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-sys-mgmt-agent - 
SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org + SECRETSTORE_RUNTIMETOKENPROVIDER_ENABLED: "true" + SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider + SERVICE_HOST: edgex-support-notifications STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-sys-mgmt-agent - image: nexus3.edgexfoundry.org:10004/sys-mgmt-agent:latest + hostname: edgex-support-notifications + image: nexus3.edgexfoundry.org:10004/support-notifications:3.0.0 networks: - edgex-network: {} + edgex-network: null ports: - - 127.0.0.1:58890:58890/tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 59860 + published: "59860" + protocol: tcp read_only: true restart: always security_opt: - - label:disable - no-new-privileges:true - user: root:root + user: 2002:2001 volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/sys-mgmt-agent:/tmp/edgex/secrets/sys-mgmt-agent:ro,z - - /var/run/docker.sock:/var/run/docker.sock:z + - type: volume + source: edgex-init + target: /edgex-init + read_only: 
true + volume: {} + - type: bind + source: /tmp/edgex/secrets/spiffe/public + target: /tmp/edgex/secrets/spiffe/public + read_only: true + bind: + selinux: z + create_host_path: true + - type: bind + source: /tmp/edgex/secrets/support-notifications + target: /tmp/edgex/secrets/support-notifications + read_only: true + bind: + selinux: z + create_host_path: true + support-scheduler: + command: + - /support-scheduler + - -cp=consul.http://edgex-core-consul:8500 + - --registry + container_name: edgex-support-scheduler + depends_on: + consul: + condition: service_started + database: + condition: service_started + security-bootstrapper: + condition: service_started + security-secretstore-setup: + condition: service_started + security-spiffe-token-provider: + condition: service_started + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data + INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_RUNTIMETOKENPROVIDER_ENABLED: "true" + SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider + SERVICE_HOST: edgex-support-scheduler + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-support-scheduler + image: nexus3.edgexfoundry.org:10004/support-scheduler:3.0.0 + networks: + edgex-network: null + ports: + - mode: ingress + host_ip: 127.0.0.1 + target: 59861 + published: "59861" + 
protocol: tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: bind + source: /tmp/edgex/secrets/spiffe/public + target: /tmp/edgex/secrets/spiffe/public + read_only: true + bind: + selinux: z + create_host_path: true + - type: bind + source: /tmp/edgex/secrets/support-scheduler + target: /tmp/edgex/secrets/support-scheduler + read_only: true + bind: + selinux: z + create_host_path: true ui: container_name: edgex-ui-go environment: EDGEX_SECURITY_SECRET_STORE: "true" + SERVICE_HOST: edgex-ui-go hostname: edgex-ui-go - image: nexus3.edgexfoundry.org:10004/edgex-ui:latest + image: nexus3.edgexfoundry.org:10004/edgex-ui:3.0.0 networks: - edgex-network: {} + edgex-network: null ports: - - 4000:4000/tcp + - mode: ingress + target: 4000 + published: "4000" + protocol: tcp read_only: true restart: always security_opt: 
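Review bot: The `ui` port entry near the end of this hunk has no `host_ip`, so port 4000 is published on every host interface, whereas the other mappings in the hunk (`59840`, `59860`, `59861`) are bound to `127.0.0.1`. If the UI is meant to be reached only from the host, add `host_ip: 127.0.0.1` above `target: 4000`. If remote access is intended, a comment saying so, and stating how access to the UI is controlled, would help the next reader. The `ui` service continues past the end of the hunk.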
@@ -1168,48 +1318,59 @@ services: vault: cap_add: - IPC_LOCK - command: server + command: + - server container_name: edgex-vault depends_on: - - security-bootstrapper + security-bootstrapper: + condition: service_started entrypoint: - /edgex-init/vault_wait_install.sh environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' PROXY_SETUP_HOST: edgex-security-proxy-setup STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_DATABASE_PORT: "6379" + STAGEGATE_DATABASE_READYPORT: "6379" + STAGEGATE_READY_TORUNPORT: "54329" STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_REGISTRY_PORT: "8500" + STAGEGATE_REGISTRY_READYPORT: "54324" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" STAGEGATE_WAITFOR_TIMEOUT: 60s VAULT_ADDR: http://edgex-vault:8200 VAULT_CONFIG_DIR: /vault/config VAULT_UI: "true" hostname: edgex-vault - image: vault:1.8.9 + image: hashicorp/vault:1.13.2 networks: - edgex-network: {} + edgex-network: null ports: - - 127.0.0.1:8200:8200/tcp + - mode: ingress + host_ip: 127.0.0.1 + target: 8200 + published: "8200" + protocol: tcp restart: always tmpfs: - /vault/config user: root:root volumes: - - edgex-init:/edgex-init:ro,z - - vault-file:/vault/file:z - - vault-logs:/vault/logs:z + - type: volume + source: edgex-init + target: /edgex-init + read_only: true + volume: {} + - type: volume + source: vault-file + target: /vault/file + volume: {} + - type: volume + source: vault-logs + 
target: /vault/logs + volume: {} ### ================= ### BEGIN NEW CONTENT ### ================= @@ -1231,6 +1392,8 @@ services: REGISTRY_HOST: edgex-core-consul SECRETSTORE_HOST: edgex-vault SECRETSTORE_PORT: '8200' + SECRETSTORE_RUNTIMETOKENPROVIDER_ENABLED: "true" + SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_READY_TORUNPORT: '54329' STAGEGATE_WAITFOR_TIMEOUT: '60s' @@ -1239,12 +1402,11 @@ services: SERVICE_PORT: 59900 TUNNEL_HOST: 192.168.122.193 TUNNEL_SSH_PORT: 2223 - SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider SECRETSTORE_RUNTIMETOKENPROVIDER_PORT: 59841 SECURITY_SPIRE_SERVER_HOST: edgex-security-spire-server SECURITY_SPIRE_SERVER_PORT: 59840 hostname: edgex-device-ssh-proxy - image: device-ssh-proxy:latest + image: device-ssh-proxy:3.0.0 networks: edgex-network: aliases: 
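Review bot: The new `image: hashicorp/vault:1.13.2` line in the `vault` service is pinned by tag only, and a tag on a public registry can later be pointed at different content. For the secret store it is worth pinning the digest as well, for example `image: hashicorp/vault:1.13.2@sha256:<DIGEST_PLACEHOLDER>`, using the digest of the image that was actually validated. The same applies to the `nexus3.edgexfoundry.org:10004/...:3.0.0` images in the earlier hunks.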
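Review bot: `image: device-ssh-proxy:3.0.0` in the hunk at `@@ -1239,12 +1402,11 @@` has no registry prefix, so if no local image carries that exact tag Docker will try to resolve the name on its default registry. The hunk does not show whether the service has a `build:` key or how the image is tagged. If it is built locally, the build step has to produce the `3.0.0` tag, and a comment such as `# built locally, see <BUILD_INSTRUCTIONS_PLACEHOLDER>; not pulled from a registry` above the line would make that explicit. The service definition begins and ends outside the hunk.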
@@ -1266,31 +1428,56 @@ services: ### =============== ### END NEW CONTENT ### =============== -version: '3.7' +networks: + edgex-network: + name: edgex_edgex-network + driver: bridge volumes: - consul-acl-token: {} - consul-config: {} - consul-data: {} - db-data: {} - edgex-init: {} - kong: {} - kuiper-connections: {} - kuiper-data: {} - kuiper-sources: {} - postgres-config: {} - postgres-data: {} - redis-config: {} - spire-agent: {} + consul-acl-token: + name: edgex_consul-acl-token + consul-config: + name: edgex_consul-config + consul-data: + name: edgex_consul-data + db-data: + name: edgex_db-data + edgex-init: + name: edgex_edgex-init + kuiper-connections: + name: edgex_kuiper-connections + kuiper-data: + name: edgex_kuiper-data + kuiper-etc: + name: edgex_kuiper-etc + kuiper-log: + name: edgex_kuiper-log + kuiper-plugins: + name: edgex_kuiper-plugins + kuiper-sources: + name: edgex_kuiper-sources + nginx-templates: + name: edgex_nginx-templates + nginx-tls: + name: edgex_nginx-tls + redis-config: + name: edgex_redis-config + spire-agent: + name: edgex_spire-agent ### =============== ### BEGIN NEW CONTENT ### =============== - spire-remote-agent: {} + spire-remote-agent: + name: edgex_spire-remote-agent ### =============== ### END NEW CONTENT ### =============== - spire-ca: {} - spire-server: {} - vault-config: {} - vault-file: {} - vault-logs: {} - + spire-ca: + name: edgex_spire-ca + spire-server: + name: edgex_spire-server + vault-config: + name: edgex_vault-config + vault-file: + name: edgex_vault-file + vault-logs: + name: edgex_vault-logs diff --git a/security/remote_devices/spiffe_and_ssh/remote/docker-compose.original b/security/remote_devices/spiffe_and_ssh/remote/docker-compose.original deleted file mode 100644 index 4189b8ce..00000000 --- a/security/remote_devices/spiffe_and_ssh/remote/docker-compose.original +++ /dev/null 
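Review bot: The network and every volume in this hunk now get a fixed `name: edgex_...`, so they no longer follow the Compose project name, and any other stack on the host that declares the same names will attach to the same `edgex_vault-file`, `edgex_spire-ca` and `edgex_spire-server` data. For volumes that presumably hold secret-store and CA state, that sharing should be a stated decision. A comment above `volumes:` such as `# fixed names: shared with any stack declaring edgex_*; remove them explicitly when switching examples` would cover it. The hunk also drops the `kong`, `postgres-config` and `postgres-data` declarations, and Compose does not delete volumes created by an earlier run, so the upgrade notes could mention removing them.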
@@ -1,1227 +0,0 @@ -networks: - edgex-network: - driver: bridge -services: - app-service-rules: - command: /app-service-configurable -cp=consul.http://edgex-core-consul:8500 --registry - --confdir=/res - container_name: edgex-app-rules-engine - depends_on: - - consul - - data - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_PROFILE: rules-engine - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-app-rules-engine - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST: edgex-redis - TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-redis - hostname: edgex-app-rules-engine - image: 
nexus3.edgexfoundry.org:10004/app-service-configurable:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59701:59701/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/app-rules-engine:/tmp/edgex/secrets/app-rules-engine:ro,z - command: - command: /core-command -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-core-command - depends_on: - - consul - - database - - metadata - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-core-command - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - 
STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-core-command - image: nexus3.edgexfoundry.org:10004/core-command:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59882:59882/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/core-command:/tmp/edgex/secrets/core-command:ro,z - consul: - command: agent -ui -bootstrap -server -client 0.0.0.0 - container_name: edgex-core-consul - depends_on: - - security-bootstrapper - - vault - entrypoint: - - /edgex-init/consul_wait_install.sh - environment: - ADD_REGISTRY_ACL_ROLES: '' - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_GROUP: '2001' - EDGEX_SECURITY_SECRET_STORE: "true" - EDGEX_USER: '2002' - PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json - STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: /consul/config/consul_acl_done - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-core-consul - image: consul:1.10.10 
- networks: - edgex-network: {} - ports: - - 127.0.0.1:8500:8500/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: root:root - volumes: - - consul-config:/consul/config:z - - consul-data:/consul/data:z - - edgex-init:/edgex-init:ro,z - - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:z - - /tmp/edgex/secrets/edgex-consul:/tmp/edgex/secrets/edgex-consul:ro,z - data: - command: /core-data -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-core-data - depends_on: - - consul - - database - - metadata - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - MESSAGEQUEUE_HOST: edgex-redis - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/core-data/secrets-token.json - SERVICE_HOST: edgex-core-data - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: 
'8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-core-data - image: nexus3.edgexfoundry.org:10004/core-data:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:5563:5563/tcp - - 127.0.0.1:59880:59880/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/core-data:/tmp/edgex/secrets/core-data:ro,z - database: - container_name: edgex-redis - depends_on: - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/redis_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASECONFIG_NAME: redis.conf - DATABASECONFIG_PATH: /run/redis/conf - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - 
STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-redis - image: redis:6.2.6-alpine - networks: - edgex-network: {} - ports: - - 127.0.0.1:6379:6379/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - user: root:root - volumes: - - db-data:/data:z - - edgex-init:/edgex-init:ro,z - - redis-config:/run/redis/conf:z - - /tmp/edgex/secrets/security-bootstrapper-redis:/tmp/edgex/secrets/security-bootstrapper-redis:ro,z - device-virtual: - command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-device-virtual - depends_on: - - consul - - data - - metadata - - security-bootstrapper - - security-spiffe-token-provider - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - MESSAGEQUEUE_HOST: edgex-redis - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SECRETSTORE_RUNTIMETOKENPROVIDER_ENABLED: "true" - SECRETSTORE_RUNTIMETOKENPROVIDER_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider - SECRETSTORE_RUNTIMETOKENPROVIDER_PORT: 59841 - SECRETSTORE_RUNTIMETOKENPROVIDER_PROTOCOL: https - SECRETSTORE_RUNTIMETOKENPROVIDER_REQUIREDSECRETS: redisdb - SECRETSTORE_RUNTIMETOKENPROVIDER_TRUSTDOMAIN: edgexfoundry.org - 
SERVICE_HOST: edgex-device-virtual - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-device-virtual - image: nexus3.edgexfoundry.org:10004/device-virtual:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59900:59900/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual:ro,z - - /tmp/edgex/secrets/spiffe/public:/tmp/edgex/secrets/spiffe/public:ro,z - kong: - container_name: edgex-kong - depends_on: - - kong-db - - security-bootstrapper - entrypoint: - - /edgex-init/kong_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - KONG_ADMIN_ACCESS_LOG: /dev/stdout - KONG_ADMIN_ERROR_LOG: /dev/stderr - KONG_ADMIN_LISTEN: 127.0.0.1:8001, 127.0.0.1:8444 ssl - KONG_DATABASE: postgres - KONG_DNS_ORDER: LAST,A,CNAME - KONG_DNS_VALID_TTL: '1' - KONG_NGINX_WORKER_PROCESSES: '1' - KONG_PG_HOST: edgex-kong-db - KONG_PG_PASSWORD_FILE: /tmp/postgres-config/.pgpassword - KONG_PROXY_ACCESS_LOG: /dev/stdout - KONG_PROXY_ERROR_LOG: /dev/stderr - KONG_SSL_CIPHER_SUITE: modern - KONG_STATUS_LISTEN: 0.0.0.0:8100 - 
PROXY_SETUP_HOST: edgex-security-proxy-setup - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-kong - image: kong:2.6.1 - networks: - edgex-network: {} - ports: - - 8000:8000/tcp - - 127.0.0.1:8100:8100/tcp - - 8443:8443/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - - /tmp - tty: true - user: kong:nogroup - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z - - postgres-config:/tmp/postgres-config:z - - kong:/usr/local/kong:z - kong-db: - container_name: edgex-kong-db - depends_on: - - security-bootstrapper - entrypoint: - - /edgex-init/postgres_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_SECURITY_SECRET_STORE: "true" - POSTGRES_DB: kong - POSTGRES_PASSWORD_FILE: /tmp/postgres-config/.pgpassword - POSTGRES_USER: kong - PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - 
STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-kong-db - image: postgres:13.5-alpine - networks: - edgex-network: {} - ports: - - 127.0.0.1:5432:5432/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /var/run - - /tmp - - /run - user: root:root - volumes: - - edgex-init:/edgex-init:ro,z - - postgres-config:/tmp/postgres-config:z - - postgres-data:/var/lib/postgresql/data:z - metadata: - command: /core-metadata -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-core-metadata - depends_on: - - consul - - database - - notifications - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - NOTIFICATIONS_SENDER: edgex-core-metadata - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-core-metadata - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - 
STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-core-metadata - image: nexus3.edgexfoundry.org:10004/core-metadata:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59881:59881/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/core-metadata:/tmp/edgex/secrets/core-metadata:ro,z - notifications: - command: /support-notifications -cp=consul.http://edgex-core-consul:8500 --registry - --confdir=/res - container_name: edgex-support-notifications - depends_on: - - consul - - database - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-support-notifications - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - 
SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-support-notifications - image: nexus3.edgexfoundry.org:10004/support-notifications:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59860:59860/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/support-notifications:/tmp/edgex/secrets/support-notifications:ro,z - proxy-setup: - container_name: edgex-security-proxy-setup - depends_on: - - kong - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/proxy_setup_wait_install.sh - environment: - ADD_PROXY_ROUTE: '' - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_SECURITY_SECRET_STORE: "true" - KONGURL_SERVER: edgex-kong - PROXY_SETUP_HOST: edgex-security-proxy-setup - ROUTES_CORE_COMMAND_HOST: edgex-core-command - ROUTES_CORE_CONSUL_HOST: edgex-core-consul - ROUTES_CORE_DATA_HOST: edgex-core-data - ROUTES_CORE_METADATA_HOST: edgex-core-metadata - ROUTES_DEVICE_VIRTUAL_HOST: device-virtual - ROUTES_RULES_ENGINE_HOST: edgex-kuiper - ROUTES_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - ROUTES_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - ROUTES_SYS_MGMT_AGENT_HOST: edgex-sys-mgmt-agent - 
SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-proxy-setup - image: nexus3.edgexfoundry.org:10004/security-proxy-setup:latest - networks: - edgex-network: {} - read_only: true - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:ro,z - - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z - rulesengine: - container_name: edgex-kuiper - depends_on: - - database - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/kuiper_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CONNECTION__EDGEX__REDISMSGBUS__PORT: 6379 - CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis - CONNECTION__EDGEX__REDISMSGBUS__SERVER: edgex-redis - CONNECTION__EDGEX__REDISMSGBUS__TYPE: redis - EDGEX__DEFAULT__PORT: 6379 - EDGEX__DEFAULT__PROTOCOL: redis - EDGEX__DEFAULT__SERVER: edgex-redis - EDGEX__DEFAULT__TOPIC: rules-events - EDGEX__DEFAULT__TYPE: redis - KUIPER__BASIC__CONSOLELOG: "true" - KUIPER__BASIC__RESTPORT: 59720 - PROXY_SETUP_HOST: 
edgex-security-proxy-setup - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-kuiper - image: lfedge/ekuiper:1.4.4-alpine - networks: - edgex-network: {} - ports: - - 127.0.0.1:59720:59720/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: kuiper:kuiper - volumes: - - edgex-init:/edgex-init:ro,z - - kuiper-data:/kuiper/data:z - - kuiper-connections:/kuiper/etc/connections:z - - kuiper-sources:/kuiper/etc/sources:z - scheduler: - command: /support-scheduler -cp=consul.http://edgex-core-consul:8500 --registry - --confdir=/res - container_name: edgex-support-scheduler - depends_on: - - consul - - database - - secretstore-setup - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data - INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - 
SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-support-scheduler - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-support-scheduler - image: nexus3.edgexfoundry.org:10004/support-scheduler:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59861:59861/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/support-scheduler:/tmp/edgex/secrets/support-scheduler:ro,z - secretstore-setup: - container_name: edgex-security-secretstore-setup - depends_on: - - security-bootstrapper - - vault - environment: - ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-virtual] - ADD_SECRETSTORE_TOKENS: '' - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_GROUP: '2001' - EDGEX_SECURITY_SECRET_STORE: "true" - EDGEX_USER: '2002' - PROXY_SETUP_HOST: edgex-security-proxy-setup - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SECUREMESSAGEBUS_TYPE: redis - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: 
edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-secretstore-setup - image: nexus3.edgexfoundry.org:10004/security-secretstore-setup:latest - networks: - edgex-network: {} - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - - /vault - user: root:root - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets:/tmp/edgex/secrets:z - - kong:/tmp/kong:z - - kuiper-sources:/tmp/kuiper:z - - kuiper-connections:/tmp/kuiper-connections:z - - vault-config:/vault/config:z - security-bootstrapper: - container_name: edgex-security-bootstrapper - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - EDGEX_GROUP: '2001' - EDGEX_USER: '2002' - PROXY_SETUP_HOST: edgex-security-proxy-setup - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: 
edgex-security-bootstrapper - image: nexus3.edgexfoundry.org:10004/security-bootstrapper:latest - networks: - edgex-network: {} - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: root:root - volumes: - - edgex-init:/edgex-init:z - security-spiffe-token-provider: - command: /security-spiffe-token-provider -cp=consul.http://edgex-core-consul:8500 - --registry --confdir=/res - container_name: edgex-security-spiffe-token-provider - depends_on: - - consul - - security-bootstrapper - - security-spire-agent - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-security-spiffe-token-provider - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - 
STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-spiffe-token-provider - image: nexus3.edgexfoundry.org:10004/security-spiffe-token-provider:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:59841:59841/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - user: root:root - volumes: - - edgex-init:/edgex-init:z - - /tmp/edgex/secrets/security-spiffe-token-provider:/tmp/edgex/secrets/security-spiffe-token-provider:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - security-spire-agent: - command: docker-entrypoint.sh - container_name: edgex-security-spire-agent - depends_on: - - security-spire-server - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: 
edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-spire-agent - image: nexus3.edgexfoundry.org:10004/security-spire-agent:latest - networks: - edgex-network: {} - pid: host - privileged: true - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - user: root:root - volumes: - - edgex-init:/edgex-init:z - - spire-agent:/srv/spiffe/agent:z - - spire-ca:/srv/spiffe/ca:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - - /var/run/docker.sock:/var/run/docker.sock:rw - security-spire-config: - command: docker-entrypoint.sh - container_name: edgex-security-spire-config - depends_on: - - security-spire-agent - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - 
STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-spire-config - image: nexus3.edgexfoundry.org:10004/security-spire-config:latest - networks: - edgex-network: {} - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - user: root:root - volumes: - - edgex-init:/edgex-init:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - security-spire-server: - command: docker-entrypoint.sh - container_name: edgex-security-spire-server - depends_on: - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: 
edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-security-spire-server - image: nexus3.edgexfoundry.org:10004/security-spire-server:latest - networks: - edgex-network: {} - pid: host - ports: - - 127.0.0.1:59840:59840/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - tmpfs: - - /run - user: root:root - volumes: - - edgex-init:/edgex-init:z - - spire-ca:/srv/spiffe/ca:z - - spire-server:/srv/spiffe/server:z - - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - system: - command: /sys-mgmt-agent -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res - container_name: edgex-sys-mgmt-agent - depends_on: - - command - - consul - - data - - metadata - - notifications - - scheduler - - security-bootstrapper - entrypoint: - - /edgex-init/ready_to_run_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - CLIENTS_CORE_COMMAND_HOST: edgex-core-command - CLIENTS_CORE_DATA_HOST: edgex-core-data - CLIENTS_CORE_METADATA_HOST: edgex-core-metadata - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications - CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler - DATABASES_PRIMARY_HOST: edgex-redis - EDGEX_SECURITY_SECRET_STORE: "true" - EXECUTORPATH: /sys-mgmt-executor - METRICSMECHANISM: executor - PROXY_SETUP_HOST: edgex-security-proxy-setup - REGISTRY_HOST: edgex-core-consul - SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: '8200' - SERVICE_HOST: edgex-sys-mgmt-agent - SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock - SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle - SPIFFE_TRUSTDOMAIN: edgexfoundry.org - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db 
- STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - hostname: edgex-sys-mgmt-agent - image: nexus3.edgexfoundry.org:10004/sys-mgmt-agent:latest - networks: - edgex-network: {} - ports: - - 127.0.0.1:58890:58890/tcp - read_only: true - restart: always - security_opt: - - label:disable - - no-new-privileges:true - user: root:root - volumes: - - edgex-init:/edgex-init:ro,z - - /tmp/edgex/secrets/sys-mgmt-agent:/tmp/edgex/secrets/sys-mgmt-agent:ro,z - - /var/run/docker.sock:/var/run/docker.sock:z - ui: - container_name: edgex-ui-go - environment: - EDGEX_SECURITY_SECRET_STORE: "true" - hostname: edgex-ui-go - image: nexus3.edgexfoundry.org:10004/edgex-ui:latest - networks: - edgex-network: {} - ports: - - 4000:4000/tcp - read_only: true - restart: always - security_opt: - - no-new-privileges:true - user: 2002:2001 - vault: - cap_add: - - IPC_LOCK - command: server - container_name: edgex-vault - depends_on: - - security-bootstrapper - entrypoint: - - /edgex-init/vault_wait_install.sh - environment: - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: '8100' - PROXY_SETUP_HOST: edgex-security-proxy-setup - STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper - STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' - STAGEGATE_DATABASE_HOST: edgex-redis - STAGEGATE_DATABASE_PORT: '6379' - STAGEGATE_DATABASE_READYPORT: '6379' - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: '5432' - STAGEGATE_KONGDB_READYPORT: '54325' - STAGEGATE_READY_TORUNPORT: '54329' - STAGEGATE_REGISTRY_HOST: edgex-core-consul - STAGEGATE_REGISTRY_PORT: '8500' - STAGEGATE_REGISTRY_READYPORT: '54324' - STAGEGATE_SECRETSTORESETUP_HOST: 
edgex-security-secretstore-setup - STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' - STAGEGATE_WAITFOR_TIMEOUT: 60s - VAULT_ADDR: http://edgex-vault:8200 - VAULT_CONFIG_DIR: /vault/config - VAULT_UI: "true" - hostname: edgex-vault - image: vault:1.8.9 - networks: - edgex-network: {} - ports: - - 127.0.0.1:8200:8200/tcp - restart: always - tmpfs: - - /vault/config - user: root:root - volumes: - - edgex-init:/edgex-init:ro,z - - vault-file:/vault/file:z - - vault-logs:/vault/logs:z -version: '3.7' -volumes: - consul-acl-token: {} - consul-config: {} - consul-data: {} - db-data: {} - edgex-init: {} - kong: {} - kuiper-connections: {} - kuiper-data: {} - kuiper-sources: {} - postgres-config: {} - postgres-data: {} - redis-config: {} - spire-agent: {} - spire-ca: {} - spire-server: {} - vault-config: {} - vault-file: {} - vault-logs: {} -
diff --git a/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml b/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml
index 5d295f11..e4b2bfe1 100644
--- a/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml
+++ b/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml
@@ -1,4 +1,4 @@
-# * Copyright 2022 Intel Corporation.
+# * Copyright 2023 Intel Corporation.
 # *
 # * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 # * in compliance with the License. You may obtain a copy of the License at
@@ -16,7 +16,7 @@ networks:
 driver: bridge
 services:
 sshd-remote:
- image: edgex-sshd-remote:latest
+ image: edgex-sshd-remote:3.0.0
 build:
 context: sshd-remote
 container_name: edgex-sshd-remote
@@ -50,7 +50,7 @@ services:
 depends_on:
 - sshd-remote
 hostname: edgex-security-spire-agent
- image: nexus3.edgexfoundry.org:10004/security-spire-agent:latest
+ image: nexus3.edgexfoundry.org:10004/security-spire-agent:3.0.0
 networks:
 edgex-network: {}
 pid: host
@@ -67,7 +67,7 @@ services: - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z - /var/run/docker.sock:/var/run/docker.sock:rw device-virtual: - command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry container_name: edgex-device-virtual depends_on: - remote-spire-agent diff --git a/security/remote_devices/spiffe_and_ssh/remote/remote-spire-agent/Dockerfile b/security/remote_devices/spiffe_and_ssh/remote/remote-spire-agent/Dockerfile index 2d9db44b..bbd3a4fc 100644 --- a/security/remote_devices/spiffe_and_ssh/remote/remote-spire-agent/Dockerfile +++ b/security/remote_devices/spiffe_and_ssh/remote/remote-spire-agent/Dockerfile @@ -1,5 +1,5 @@ # ---------------------------------------------------------------------------------- -# Copyright 2022 Intel Corporation +# Copyright 2023 Intel Corporation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,7 +16,7 @@ # ---------------------------------------------------------------------------------- # Build utility container -ARG BUILDER_BASE=golang:1.17-alpine3.15 +ARG BUILDER_BASE=golang:1.20-alpine3.17 FROM ${BUILDER_BASE} AS builder WORKDIR /edgex-go @@ -25,7 +25,7 @@ RUN sed -e 's/dl-cdn[.]alpinelinux.org/nl.alpinelinux.org/g' -i~ /etc/apk/reposi RUN apk add --update --no-cache make git build-base curl -ARG SPIRE_RELEASE=1.2.1 +ARG SPIRE_RELEASE=1.6.3 # build spire from the source in order to be compatible with arch arm64 as well RUN mkdir -p spire-build @@ -36,7 +36,7 @@ RUN wget -q "https://github.com/spiffe/spire/archive/refs/tags/v${SPIRE_RELEASE} make bin/spire-server bin/spire-agent # Deployment image -FROM alpine:3.15 +FROM alpine:3.17 LABEL license='SPDX-License-Identifier: Apache-2.0' \ copyright='Copyright (c) 2022 Intel Corporation' From a8bd15fc5a7aede9cd418e358a9515b0beb73454 Mon Sep 17 00:00:00 2001 
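Review bot: The `device-virtual` command in the `@@ -67,7 +67,7 @@` hunk drops `--confdir=/res`, a behaviour change that the commit subject and description do not mention; both speak only of image tags. The diffstat gives eight changed lines for this file and the four hunks account for all of them (copyright, two image tags, this command), so the `image:` line of `device-virtual` is not touched. That line is outside the hunk; if it still reads `:latest`, the service keeps floating while its command line has already been adapted, so it is worth checking. I would add a comment above the command, for example `# --confdir=/res dropped for the 3.0.0 image`, so the edit is not read as an accidental truncation. That wording assumes the flag was removed on purpose, which the diff does not show.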
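Review bot: The `SPIRE_RELEASE` bump to 1.6.3 in the `@@ -25,7 +25,7 @@` hunk changes which source archive the build downloads, and nothing visible pins that archive's content. The `wget -q "https://github.com/spiffe/spire/archive/refs/tags/v${SPIRE_RELEASE}` line quoted in the next hunk header fetches by tag only. The rest of that `RUN` instruction is outside the hunks, so a checksum step may already exist. If it does not, I would record the expected digest beside the version, `ARG SPIRE_SHA256=<sha256-of-the-v1.6.3-archive>`, and verify it with `sha256sum -c` before `make bin/spire-server bin/spire-agent`. It is also worth confirming that an agent built at 1.6.3 is compatible with the SPIRE server shipped in the 3.0.0 images, which this diff does not show.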
From: Jim Wang
Date: Fri, 2 Jun 2023 11:49:46 -0700
Subject: [PATCH 2/4] fix: add the previous original docker-compose files back
Signed-off-by: Jim Wang
---
.../local/docker-compose.yml.2.x | 1296 +++++++++++++++++
.../remote/docker-compose.yml.2.x | 107 ++
2 files changed, 1403 insertions(+)
create mode 100644 security/remote_devices/spiffe_and_ssh/local/docker-compose.yml.2.x
create mode 100644 security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml.2.x
diff --git a/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml.2.x b/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml.2.x
new file mode 100644
index 00000000..f6891915
--- /dev/null
+++ b/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml.2.x
@@ -0,0 +1,1296 @@ +networks: + edgex-network: + driver: bridge +services: + app-service-rules: + command: /app-service-configurable -cp=consul.http://edgex-core-consul:8500 --registry + --confdir=/res + container_name: edgex-app-rules-engine + depends_on: + - consul + - data + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_PROFILE: rules-engine + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-app-rules-engine + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST: edgex-redis + TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-redis + hostname: edgex-app-rules-engine + image: 
nexus3.edgexfoundry.org:10004/app-service-configurable:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59701:59701/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/app-rules-engine:/tmp/edgex/secrets/app-rules-engine:ro,z + command: + command: /core-command -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-core-command + depends_on: + - consul + - database + - metadata + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-core-command + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + 
STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-command + image: nexus3.edgexfoundry.org:10004/core-command:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59882:59882/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-command:/tmp/edgex/secrets/core-command:ro,z + consul: + command: agent -ui -bootstrap -server -client 0.0.0.0 + container_name: edgex-core-consul + depends_on: + - security-bootstrapper + - vault + entrypoint: + - /edgex-init/consul_wait_install.sh + environment: + ADD_REGISTRY_ACL_ROLES: '' + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_GROUP: '2001' + EDGEX_SECURITY_SECRET_STORE: "true" + EDGEX_USER: '2002' + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json + STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: /consul/config/consul_acl_done + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-consul + image: consul:1.10.10 
+ networks: + edgex-network: {} + ports: + - 127.0.0.1:8500:8500/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: root:root + volumes: + - consul-config:/consul/config:z + - consul-data:/consul/data:z + - edgex-init:/edgex-init:ro,z + - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:z + - /tmp/edgex/secrets/edgex-consul:/tmp/edgex/secrets/edgex-consul:ro,z + data: + command: /core-data -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-core-data + depends_on: + - consul + - database + - metadata + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + MESSAGEQUEUE_HOST: edgex-redis + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/core-data/secrets-token.json + SERVICE_HOST: edgex-core-data + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: 
'8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-data + image: nexus3.edgexfoundry.org:10004/core-data:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:5563:5563/tcp + - 127.0.0.1:59880:59880/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-data:/tmp/edgex/secrets/core-data:ro,z + database: + container_name: edgex-redis + depends_on: + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/redis_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASECONFIG_NAME: redis.conf + DATABASECONFIG_PATH: /run/redis/conf + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + 
STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-redis + image: redis:6.2.6-alpine + networks: + edgex-network: {} + ports: + - 127.0.0.1:6379:6379/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + user: root:root + volumes: + - db-data:/data:z + - edgex-init:/edgex-init:ro,z + - redis-config:/run/redis/conf:z + - /tmp/edgex/secrets/security-bootstrapper-redis:/tmp/edgex/secrets/security-bootstrapper-redis:ro,z + ### =============== + ### BEGIN REMOVED CONTENT + ### =============== + # device-virtual: + # command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + # container_name: edgex-device-virtual + # depends_on: + # - consul + # - data + # - metadata + # - security-bootstrapper + # - security-spiffe-token-provider + # entrypoint: + # - /edgex-init/ready_to_run_wait_install.sh + # environment: + # API_GATEWAY_HOST: edgex-kong + # API_GATEWAY_STATUS_PORT: '8100' + # CLIENTS_CORE_COMMAND_HOST: edgex-core-command + # CLIENTS_CORE_DATA_HOST: edgex-core-data + # CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + # CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + # CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + # DATABASES_PRIMARY_HOST: edgex-redis + # EDGEX_SECURITY_SECRET_STORE: "true" + # MESSAGEQUEUE_HOST: edgex-redis + # PROXY_SETUP_HOST: edgex-security-proxy-setup + # REGISTRY_HOST: edgex-core-consul + # SECRETSTORE_HOST: edgex-vault + # SECRETSTORE_PORT: '8200' + # SECRETSTORE_RUNTIMETOKENPROVIDER_ENABLED: "true" + # SECRETSTORE_RUNTIMETOKENPROVIDER_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + # SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider + # SECRETSTORE_RUNTIMETOKENPROVIDER_PORT: 59841 + # SECRETSTORE_RUNTIMETOKENPROVIDER_PROTOCOL: https + 
# SECRETSTORE_RUNTIMETOKENPROVIDER_REQUIREDSECRETS: redisdb + # SECRETSTORE_RUNTIMETOKENPROVIDER_TRUSTDOMAIN: edgexfoundry.org + # SERVICE_HOST: edgex-device-virtual + # SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + # SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + # SPIFFE_TRUSTDOMAIN: edgexfoundry.org + # STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + # STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + # STAGEGATE_DATABASE_HOST: edgex-redis + # STAGEGATE_DATABASE_PORT: '6379' + # STAGEGATE_DATABASE_READYPORT: '6379' + # STAGEGATE_KONGDB_HOST: edgex-kong-db + # STAGEGATE_KONGDB_PORT: '5432' + # STAGEGATE_KONGDB_READYPORT: '54325' + # STAGEGATE_READY_TORUNPORT: '54329' + # STAGEGATE_REGISTRY_HOST: edgex-core-consul + # STAGEGATE_REGISTRY_PORT: '8500' + # STAGEGATE_REGISTRY_READYPORT: '54324' + # STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + # STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + # STAGEGATE_WAITFOR_TIMEOUT: 60s + # hostname: edgex-device-virtual + # image: nexus3.edgexfoundry.org:10004/device-virtual:latest + # networks: + # edgex-network: {} + # ports: + # - 127.0.0.1:59900:59900/tcp + # read_only: true + # restart: always + # security_opt: + # - no-new-privileges:true + # user: 2002:2001 + # volumes: + # - edgex-init:/edgex-init:ro,z + # - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual:ro,z + # - /tmp/edgex/secrets/spiffe/public:/tmp/edgex/secrets/spiffe/public:ro,z + ### =============== + ### END REMOVED CONTENT + ### =============== + kong: + container_name: edgex-kong + depends_on: + - kong-db + - security-bootstrapper + entrypoint: + - /edgex-init/kong_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + KONG_ADMIN_ACCESS_LOG: /dev/stdout + KONG_ADMIN_ERROR_LOG: /dev/stderr + KONG_ADMIN_LISTEN: 127.0.0.1:8001, 127.0.0.1:8444 ssl + KONG_DATABASE: postgres + KONG_DNS_ORDER: LAST,A,CNAME + KONG_DNS_VALID_TTL: '1' 
+ KONG_NGINX_WORKER_PROCESSES: '1' + KONG_PG_HOST: edgex-kong-db + KONG_PG_PASSWORD_FILE: /tmp/postgres-config/.pgpassword + KONG_PROXY_ACCESS_LOG: /dev/stdout + KONG_PROXY_ERROR_LOG: /dev/stderr + KONG_SSL_CIPHER_SUITE: modern + KONG_STATUS_LISTEN: 0.0.0.0:8100 + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kong + image: kong:2.6.1 + networks: + edgex-network: {} + ports: + - 8000:8000/tcp + - 127.0.0.1:8100:8100/tcp + - 8443:8443/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + - /tmp + tty: true + user: kong:nogroup + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z + - postgres-config:/tmp/postgres-config:z + - kong:/usr/local/kong:z + kong-db: + container_name: edgex-kong-db + depends_on: + - security-bootstrapper + entrypoint: + - /edgex-init/postgres_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_SECURITY_SECRET_STORE: "true" + POSTGRES_DB: kong + POSTGRES_PASSWORD_FILE: /tmp/postgres-config/.pgpassword + POSTGRES_USER: kong + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: 
/tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kong-db + image: postgres:13.5-alpine + networks: + edgex-network: {} + ports: + - 127.0.0.1:5432:5432/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /var/run + - /tmp + - /run + user: root:root + volumes: + - edgex-init:/edgex-init:ro,z + - postgres-config:/tmp/postgres-config:z + - postgres-data:/var/lib/postgresql/data:z + metadata: + command: /core-metadata -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-core-metadata + depends_on: + - consul + - database + - notifications + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + NOTIFICATIONS_SENDER: edgex-core-metadata + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + 
SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-core-metadata + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-metadata + image: nexus3.edgexfoundry.org:10004/core-metadata:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59881:59881/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-metadata:/tmp/edgex/secrets/core-metadata:ro,z + notifications: + command: /support-notifications -cp=consul.http://edgex-core-consul:8500 --registry + --confdir=/res + container_name: edgex-support-notifications + depends_on: + - consul + - database + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: 
edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-support-notifications + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-support-notifications + image: nexus3.edgexfoundry.org:10004/support-notifications:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59860:59860/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/support-notifications:/tmp/edgex/secrets/support-notifications:ro,z + proxy-setup: + container_name: edgex-security-proxy-setup + depends_on: + - kong + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/proxy_setup_wait_install.sh + environment: + ADD_PROXY_ROUTE: '' + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_SECURITY_SECRET_STORE: "true" + KONGURL_SERVER: edgex-kong + PROXY_SETUP_HOST: edgex-security-proxy-setup + ROUTES_CORE_COMMAND_HOST: edgex-core-command + ROUTES_CORE_CONSUL_HOST: edgex-core-consul + ROUTES_CORE_DATA_HOST: edgex-core-data + ROUTES_CORE_METADATA_HOST: edgex-core-metadata + ROUTES_DEVICE_VIRTUAL_HOST: 
device-virtual + ROUTES_RULES_ENGINE_HOST: edgex-kuiper + ROUTES_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + ROUTES_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + ROUTES_SYS_MGMT_AGENT_HOST: edgex-sys-mgmt-agent + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-proxy-setup + image: nexus3.edgexfoundry.org:10004/security-proxy-setup:latest + networks: + edgex-network: {} + read_only: true + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:ro,z + - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z + rulesengine: + container_name: edgex-kuiper + depends_on: + - database + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/kuiper_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CONNECTION__EDGEX__REDISMSGBUS__PORT: 6379 + CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL: redis + CONNECTION__EDGEX__REDISMSGBUS__SERVER: edgex-redis + CONNECTION__EDGEX__REDISMSGBUS__TYPE: redis + EDGEX__DEFAULT__PORT: 6379 + 
EDGEX__DEFAULT__PROTOCOL: redis + EDGEX__DEFAULT__SERVER: edgex-redis + EDGEX__DEFAULT__TOPIC: rules-events + EDGEX__DEFAULT__TYPE: redis + KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__RESTPORT: 59720 + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kuiper + image: lfedge/ekuiper:1.4.4-alpine + networks: + edgex-network: {} + ports: + - 127.0.0.1:59720:59720/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: kuiper:kuiper + volumes: + - edgex-init:/edgex-init:ro,z + - kuiper-data:/kuiper/data:z + - kuiper-connections:/kuiper/etc/connections:z + - kuiper-sources:/kuiper/etc/sources:z + scheduler: + command: /support-scheduler -cp=consul.http://edgex-core-consul:8500 --registry + --confdir=/res + container_name: edgex-support-scheduler + depends_on: + - consul + - database + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: 
"true" + INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data + INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-support-scheduler + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-support-scheduler + image: nexus3.edgexfoundry.org:10004/support-scheduler:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59861:59861/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/support-scheduler:/tmp/edgex/secrets/support-scheduler:ro,z + secretstore-setup: + container_name: edgex-security-secretstore-setup + depends_on: + - security-bootstrapper + - vault + environment: + ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-virtual] + ADD_SECRETSTORE_TOKENS: '' + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_GROUP: '2001' + EDGEX_SECURITY_SECRET_STORE: "true" + EDGEX_USER: '2002' + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + 
SECUREMESSAGEBUS_TYPE: redis + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-secretstore-setup + image: nexus3.edgexfoundry.org:10004/security-secretstore-setup:latest + networks: + edgex-network: {} + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + - /vault + user: root:root + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets:/tmp/edgex/secrets:z + - kong:/tmp/kong:z + - kuiper-sources:/tmp/kuiper:z + - kuiper-connections:/tmp/kuiper-connections:z + - vault-config:/vault/config:z + security-bootstrapper: + container_name: edgex-security-bootstrapper + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_GROUP: '2001' + EDGEX_USER: '2002' + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + 
STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-bootstrapper + image: nexus3.edgexfoundry.org:10004/security-bootstrapper:latest + networks: + edgex-network: {} + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: root:root + volumes: + - edgex-init:/edgex-init:z + security-spiffe-token-provider: + command: /security-spiffe-token-provider -cp=consul.http://edgex-core-consul:8500 + --registry --confdir=/res + container_name: edgex-security-spiffe-token-provider + depends_on: + - consul + - security-bootstrapper + - security-spire-agent + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-security-spiffe-token-provider + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + 
STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-spiffe-token-provider + image: nexus3.edgexfoundry.org:10004/security-spiffe-token-provider:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59841:59841/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + user: root:root + volumes: + - edgex-init:/edgex-init:z + - /tmp/edgex/secrets/security-spiffe-token-provider:/tmp/edgex/secrets/security-spiffe-token-provider:z + - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z + security-spire-agent: + command: docker-entrypoint.sh + container_name: edgex-security-spire-agent + depends_on: + - security-spire-server + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + 
STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-spire-agent + image: nexus3.edgexfoundry.org:10004/security-spire-agent:latest + networks: + edgex-network: {} + pid: host + privileged: true + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + user: root:root + volumes: + - edgex-init:/edgex-init:z + - spire-agent:/srv/spiffe/agent:z + - spire-ca:/srv/spiffe/ca:z + - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z + - /var/run/docker.sock:/var/run/docker.sock:rw + security-spire-config: + command: docker-entrypoint.sh + container_name: edgex-security-spire-config + depends_on: + - security-spire-agent + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + 
STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-spire-config + image: nexus3.edgexfoundry.org:10004/security-spire-config:latest + networks: + edgex-network: {} + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + user: root:root + volumes: + - edgex-init:/edgex-init:z + - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z + security-spire-server: + command: docker-entrypoint.sh + container_name: edgex-security-spire-server + depends_on: + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db 
+ STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-spire-server + image: nexus3.edgexfoundry.org:10004/security-spire-server:latest + networks: + edgex-network: {} + pid: host + ports: + - 127.0.0.1:59840:59840/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + user: root:root + volumes: + - edgex-init:/edgex-init:z + - spire-ca:/srv/spiffe/ca:z + - spire-server:/srv/spiffe/server:z + - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z + system: + command: /sys-mgmt-agent -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-sys-mgmt-agent + depends_on: + - command + - consul + - data + - metadata + - notifications + - scheduler + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + EXECUTORPATH: /sys-mgmt-executor + METRICSMECHANISM: executor + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-sys-mgmt-agent + SPIFFE_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock + SPIFFE_TRUSTBUNDLE_PATH: /tmp/edgex/secrets/spiffe/trust/bundle + SPIFFE_TRUSTDOMAIN: 
edgexfoundry.org + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-sys-mgmt-agent + image: nexus3.edgexfoundry.org:10004/sys-mgmt-agent:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:58890:58890/tcp + read_only: true + restart: always + security_opt: + - label:disable + - no-new-privileges:true + user: root:root + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/sys-mgmt-agent:/tmp/edgex/secrets/sys-mgmt-agent:ro,z + - /var/run/docker.sock:/var/run/docker.sock:z + ui: + container_name: edgex-ui-go + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + hostname: edgex-ui-go + image: nexus3.edgexfoundry.org:10004/edgex-ui:latest + networks: + edgex-network: {} + ports: + - 4000:4000/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + vault: + cap_add: + - IPC_LOCK + command: server + container_name: edgex-vault + depends_on: + - security-bootstrapper + entrypoint: + - /edgex-init/vault_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + 
STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + VAULT_ADDR: http://edgex-vault:8200 + VAULT_CONFIG_DIR: /vault/config + VAULT_UI: "true" + hostname: edgex-vault + image: vault:1.8.9 + networks: + edgex-network: {} + ports: + - 127.0.0.1:8200:8200/tcp + restart: always + tmpfs: + - /vault/config + user: root:root + volumes: + - edgex-init:/edgex-init:ro,z + - vault-file:/vault/file:z + - vault-logs:/vault/logs:z + ### ================= + ### BEGIN NEW CONTENT + ### ================= + device-ssh-proxy: + build: + context: device-ssh-proxy + command: docker-entrypoint.sh + container_name: edgex-device-ssh-proxy + depends_on: + - consul + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + MESSAGEQUEUE_HOST: edgex-redis + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_WAITFOR_TIMEOUT: '60s' + # Unique for ssh-proxy + SERVICE_HOST: edgex-device-virtual + SERVICE_PORT: 59900 + TUNNEL_HOST: 192.168.122.193 + TUNNEL_SSH_PORT: 2223 + SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider + SECRETSTORE_RUNTIMETOKENPROVIDER_PORT: 59841 + SECURITY_SPIRE_SERVER_HOST: edgex-security-spire-server + SECURITY_SPIRE_SERVER_PORT: 59840 + hostname: edgex-device-ssh-proxy + image: device-ssh-proxy:latest + networks: + edgex-network: + aliases: + - edgex-device-virtual + ports: + - 127.0.0.1:59900:59900/tcp + 
read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + volumes: + - edgex-init:/edgex-init:ro,z + - spire-ca:/srv/spiffe/ca:z + - spire-remote-agent:/srv/spiffe/remote-agent:z + - /tmp/edgex/secrets/spiffe/trust:/tmp/edgex/secrets/spiffe/trust:ro,z + - $PWD/ssh_keys:/root/.ssh + ### =============== + ### END NEW CONTENT + ### =============== +version: '3.7' +volumes: + consul-acl-token: {} + consul-config: {} + consul-data: {} + db-data: {} + edgex-init: {} + kong: {} + kuiper-connections: {} + kuiper-data: {} + kuiper-sources: {} + postgres-config: {} + postgres-data: {} + redis-config: {} + spire-agent: {} + ### =============== + ### BEGIN NEW CONTENT + ### =============== + spire-remote-agent: {} + ### =============== + ### END NEW CONTENT + ### =============== + spire-ca: {} + spire-server: {} + vault-config: {} + vault-file: {} + vault-logs: {} + diff --git a/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml.2.x b/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml.2.x new file mode 100644 index 00000000..5d295f11 --- /dev/null +++ b/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml.2.x 
@@ -0,0 +1,107 @@
+# * Copyright 2022 Intel Corporation.
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# * in compliance with the License. You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software distributed under the License
+# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# * or implied. See the License for the specific language governing permissions and limitations under
+# * the License.
+# *******************************************************************************/
+
+networks:
+ edgex-network:
+ driver: bridge
+services:
+ sshd-remote:
+ image: edgex-sshd-remote:latest
+ build:
+ context: sshd-remote
+ container_name: edgex-sshd-remote
+ hostname: edgex-sshd-remote
+ ports:
+ - "2223:22"
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ edgex-network:
+ aliases:
+ - edgex-core-consul
+ - edgex-core-data
+ - edgex-core-metadata
+ - edgex-redis
+ - edgex-security-spire-server
+ - edgex-security-spiffe-token-provider
+ - edgex-vault
+ tmpfs:
+ - /run
+ volumes:
+ - spire-remote-agent:/srv/spiffe/remote-agent:z
+ - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z
+ remote-spire-agent:
+ build:
+ context: remote-spire-agent
+ command: docker-entrypoint.sh
+ container_name: edgex-remote-spire-agent
+ depends_on:
+ - sshd-remote
+ hostname: edgex-security-spire-agent
+ image: nexus3.edgexfoundry.org:10004/security-spire-agent:latest
+ networks:
+ edgex-network: {}
+ pid: host
+ privileged: true
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ tmpfs:
+ - /run
+ user: root:root
+ volumes:
+ - spire-remote-agent:/srv/spiffe/remote-agent:z
+ - /tmp/edgex/secrets/spiffe:/tmp/edgex/secrets/spiffe:z
+ - /var/run/docker.sock:/var/run/docker.sock:rw
+ device-virtual:
+ command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res
+ container_name: edgex-device-virtual
+ depends_on:
+ - remote-spire-agent
+ environment:
+ CLIENTS_CORE_COMMAND_HOST: edgex-core-command
+ CLIENTS_CORE_DATA_HOST: edgex-core-data
+ CLIENTS_CORE_METADATA_HOST: edgex-core-metadata
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ MESSAGEQUEUE_HOST: edgex-redis
+ REGISTRY_HOST: edgex-core-consul
+ SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_PORT: '8200'
+ SECRETSTORE_RUNTIMETOKENPROVIDER_ENABLED: "true"
+ SECRETSTORE_RUNTIMETOKENPROVIDER_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock
+ SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider
+ SECRETSTORE_RUNTIMETOKENPROVIDER_PORT: 59841
+ SECRETSTORE_RUNTIMETOKENPROVIDER_PROTOCOL: https
+ SECRETSTORE_RUNTIMETOKENPROVIDER_REQUIREDSECRETS: redisdb
+ SECRETSTORE_RUNTIMETOKENPROVIDER_TRUSTDOMAIN: edgexfoundry.org
+ SERVICE_HOST: edgex-device-virtual
+ hostname: edgex-device-virtual
+ image: nexus3.edgexfoundry.org:10004/device-virtual:latest
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:59900:59900/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: 2002:2001
+ volumes:
+ - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual:ro,z
+ - /tmp/edgex/secrets/spiffe/public:/tmp/edgex/secrets/spiffe/public:ro,z
+version: '3.7'
+volumes:
+ spire-remote-agent: {}
From b3be91a1b7ae529001f2cdf191f12973fadaee95 Mon Sep 17 00:00:00 2001
From: Jim Wang
Date: Mon, 5 Jun 2023 12:16:15 -0700
Subject: [PATCH 3/4] fix: update docker-compose command to v2 docker compose in document and makefile
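Review bot: The `remote-spire-agent` service in the new `remote/docker-compose.yml.2.x` combines `privileged: true`, `pid: host`, `user: root:root` and a read-write bind of `/var/run/docker.sock`, which in practice gives the container root-equivalent control of the remote host; `read_only: true` and `no-new-privileges:true` do not meaningfully constrain a privileged container. If the agent only needs the host PID namespace and the Docker socket to attest workloads (an assumption to confirm against the agent's attestor configuration), remove `privileged: true` and add a comment above the remaining grants, for example `# pid: host and docker.sock are needed for Docker workload attestation`. Separately, `device-virtual` in this file is still pulled as `nexus3.edgexfoundry.org:10004/device-virtual:latest`, so a file kept as the 2.x variant will follow whatever the registry currently publishes as `latest`; pinning it to the matching 2.x release tag would keep the example reproducible.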
Signed-off-by: Jim Wang --- .../app-service-configurable-ibm/README.md | 6 +++--- .../custom/advanced-filter-convert-publish/README.md | 2 +- .../custom/advanced-target-type/README.md | 2 +- .../custom/camera-management/web-ui/Makefile | 4 ++-- .../custom/camera-management/web-ui/README.md | 6 +++--- application-services/custom/secrets/README.md | 4 ++-- application-services/custom/send-command/README.md | 2 +- .../custom/simple-cbor-filter/README.md | 2 +- deployment/raspberry-pi-4/20_install_packages.md | 10 +++++----- deployment/raspberry-pi-4/30_install_edgex.md | 8 ++++---- deployment/raspberry-pi-4/40_custom_device_services.md | 2 +- deployment/raspberry-pi-4/50_custom_app_services.md | 2 +- 12 files changed, 25 insertions(+), 25 deletions(-) diff --git a/application-services/configurable/app-service-configurable-ibm/README.md b/application-services/configurable/app-service-configurable-ibm/README.md index 1e07212c..7d0e1f2d 100644 --- a/application-services/configurable/app-service-configurable-ibm/README.md +++ b/application-services/configurable/app-service-configurable-ibm/README.md @@ -89,13 +89,13 @@ EdgeX provides an [App-Service-Configurable](https://github.com/edgexfoundry/app * Note the volume mount of the `ibm-mqtt-export` profile at the bottom of the above snippet. * Start the EdgeX services including your new `app-ibm-mqtt-export` Application Service ```bash - docker-compose -p edgex up -d + docker compose -p edgex up -d ``` - View the running containers. ```bash - docker-compose -p edgex ps + docker compose -p edgex ps ``` ```bash @@ -118,7 +118,7 @@ EdgeX provides an [App-Service-Configurable](https://github.com/edgexfoundry/app - Check the logs for `app-ibm-mqtt-export` ```bash - docker-compose -p edgex logs app-ibm-mqtt-export + docker compose -p edgex logs app-ibm-mqtt-export ``` ```bash 
diff --git a/application-services/custom/advanced-filter-convert-publish/README.md b/application-services/custom/advanced-filter-convert-publish/README.md index 6c891182..11bf8d99 100644 --- a/application-services/custom/advanced-filter-convert-publish/README.md +++ b/application-services/custom/advanced-filter-convert-publish/README.md @@ -20,7 +20,7 @@ TODO: Update link to `minnesota` branch - [ ] start edgex which includes Device Virtual ``` - docker-compose -p edgex -f docker-compose-no-secty.yml up -d + docker compose -p edgex -f docker-compose-no-secty.yml up -d ``` 2. Build & run **Advanced App Functions** example diff --git a/application-services/custom/advanced-target-type/README.md b/application-services/custom/advanced-target-type/README.md index 2958f4b6..e2a97b28 100644 --- a/application-services/custom/advanced-target-type/README.md +++ b/application-services/custom/advanced-target-type/README.md @@ -11,7 +11,7 @@ To run this example: - [ ] start edgex which includes Device Virtual ``` - docker-compose -p edgex -f docker-compose-no-secty.yml up -d + docker compose -p edgex -f docker-compose-no-secty.yml up -d ``` 1. Clone **[edgex-examples](https://github.com/edgexfoundry/edgex-examples)** repo diff --git a/application-services/custom/camera-management/web-ui/Makefile b/application-services/custom/camera-management/web-ui/Makefile index b093b359..61857ff7 100644 --- a/application-services/custom/camera-management/web-ui/Makefile +++ b/application-services/custom/camera-management/web-ui/Makefile @@ -45,8 +45,8 @@ DOCKER_RUN_EX = docker run \ # usage: $(DOCKER_RUN) command here DOCKER_RUN = $(call DOCKER_RUN_EX,) -# default docker-compose command and arguments -DOCKER_COMPOSE = docker-compose -f docker-compose.yml -p camera-management-web-ui +# default docker compose command and arguments +DOCKER_COMPOSE = docker compose -f docker-compose.yml -p camera-management-web-ui OPEN = xdg-open 
diff --git a/application-services/custom/camera-management/web-ui/README.md b/application-services/custom/camera-management/web-ui/README.md index 4e47875a..d307e662 100644 --- a/application-services/custom/camera-management/web-ui/README.md +++ b/application-services/custom/camera-management/web-ui/README.md @@ -9,7 +9,7 @@ The Camera Management Web UI is an Angular interface that provides features such ## How do I build this thing? -This project is intended to be built and run using only `make`, `docker`, and `docker-compose` without the need +This project is intended to be built and run using only `make`, `docker`, and `docker compose` without the need for installing `npm` or `nodejs`. To skip the technical details, jump to **[Initial Setup](#Initial-Setup)** @@ -119,10 +119,10 @@ make force-install # Desktop x11 environment is mapped and programs such as google-chrome can be ran in GUI mode make debug -# Tail docker-compose logs (`n` is optional amount of lines to tail first) +# Tail docker compose logs (`n` is optional amount of lines to tail first) make tail [n=XXX] -# Prints docker-compose logs and exits (`n` is optional amount of lines to print) +# Prints docker compose logs and exits (`n` is optional amount of lines to print) make logs [n=XXX] # Generate documentation diff --git a/application-services/custom/secrets/README.md b/application-services/custom/secrets/README.md index 92516792..e2a909fc 100644 --- a/application-services/custom/secrets/README.md +++ b/application-services/custom/secrets/README.md @@ -41,13 +41,13 @@ Please refer to the [Application Functions SDK documentation](https://docs.edgex Run the following command from the same folder the compose file resides. ```console - docker-compose -p edgex up -d + docker compose -p edgex up -d ``` Now all the EdgeX service will be running. This can be verified by running the following command: ```console - docker-compose -p edgex ps + docker compose -p edgex ps ``` Which will output the following: 
diff --git a/application-services/custom/send-command/README.md b/application-services/custom/send-command/README.md index d6728151..f757869a 100644 --- a/application-services/custom/send-command/README.md +++ b/application-services/custom/send-command/README.md @@ -11,7 +11,7 @@ This Application Service example demonstrates how to use the `Command` client to * Ensure that EdgeX is running including Device Virtual Service. Run the follow command to achieve this ```bash - curl https://raw.githubusercontent.com/edgexfoundry/edgex-compose/ireland/docker-compose-no-secty.yml -o docker-compose.yml; docker-compose -p edgex up -d + curl https://raw.githubusercontent.com/edgexfoundry/edgex-compose/ireland/docker-compose-no-secty.yml -o docker-compose.yml; docker compose -p edgex up -d ``` - Install PostMan (https://www.postman.com/) diff --git a/application-services/custom/simple-cbor-filter/README.md b/application-services/custom/simple-cbor-filter/README.md index d34e32e1..249937de 100644 --- a/application-services/custom/simple-cbor-filter/README.md +++ b/application-services/custom/simple-cbor-filter/README.md @@ -18,7 +18,7 @@ TODO: replace 'main' with 'minnesota' - [ ] start edgex ``` - docker-compose -p edgex -f docker-compose-no-secty.yml up -d + docker compose -p edgex -f docker-compose-no-secty.yml up -d ``` 3. Build & run **simple-cbor-filter** example diff --git a/deployment/raspberry-pi-4/20_install_packages.md b/deployment/raspberry-pi-4/20_install_packages.md index bfa114eb..bcf4701f 100644 --- a/deployment/raspberry-pi-4/20_install_packages.md +++ b/deployment/raspberry-pi-4/20_install_packages.md @@ -102,18 +102,18 @@ Build: $Id: 6a6c9c332d5354ddf1f8a2da3cc477bd18d2be53 $
-## 2.6 Install Docker and Docker-compose +## 2.6 Install Docker and Docker compose v2 -Docker is a containerization platform/tool. EdgeX' core services are conveniently packaged as docker containers so that we can leverage Docker to run EdgeX. To install Docker and Docker-compose: +Docker is a containerization platform/tool. EdgeX' core services are conveniently packaged as docker containers so that we can leverage Docker to run EdgeX. To install Docker and Docker compose v2: ```sh # Install Docker $ sudo apt install -y docker.io # To confirm the versions installed $ docker -v -Docker version 20.10.7, build 20.10.7-0ubuntu5.1 -$ docker-compose -v -docker-compose version 1.27.4, build unknown +Docker version 20.10.21, build baeda1f +$ docker compose version +Docker Compose version v2.16.0 # Enable and start the Docker daemon $ sudo systemctl enable docker diff --git a/deployment/raspberry-pi-4/30_install_edgex.md b/deployment/raspberry-pi-4/30_install_edgex.md index 9aef8459..71013648 100644 --- a/deployment/raspberry-pi-4/30_install_edgex.md +++ b/deployment/raspberry-pi-4/30_install_edgex.md @@ -45,7 +45,7 @@ taf # With these criteria, we will use "docker-compose-no-secty-arm64.yml". # This command launches the stack but might take couple minutes depends on the network. -$ docker-compose -f docker-compose-no-secty-arm64.yml up -d +$ docker compose -f docker-compose-no-secty-arm64.yml up -d ... Creating edgex-ui-go ... done Creating edgex-redis ... done @@ -106,9 +106,9 @@ $ curl http://localhost:59882/api/v2/ping {"apiVersion":"v2","timestamp":"Mon Jan 10 22:45:56 UTC 2022"} ``` -Also docker-compose can be used to monitor logs: +Also docker compose can be used to monitor logs: ```sh -$ docker-compose -f docker-compose-no-secty-arm64.yml logs -f +$ docker compose -f docker-compose-no-secty-arm64.yml logs -f ```
@@ -122,7 +122,7 @@ A local web service "Portainer" can be launched to monitor Docker services but i $ vi docker-compose-portainer.yml # Then launch it with this command. -$ docker-compose -f docker-compose-portainer.yml up -d +$ docker compose -f docker-compose-portainer.yml up -d ```
diff --git a/deployment/raspberry-pi-4/40_custom_device_services.md b/deployment/raspberry-pi-4/40_custom_device_services.md index 461cfd80..cd98c887 100644 --- a/deployment/raspberry-pi-4/40_custom_device_services.md +++ b/deployment/raspberry-pi-4/40_custom_device_services.md @@ -437,7 +437,7 @@ services: From there we can attempt to run the service: ```sh -$ docker-compose up --build +$ docker compose up --build ``` Please open a new terminal, login to the RPI, and use **curl** to check the state of the device service: diff --git a/deployment/raspberry-pi-4/50_custom_app_services.md b/deployment/raspberry-pi-4/50_custom_app_services.md index 5a8ec4a9..5b6245f8 100644 --- a/deployment/raspberry-pi-4/50_custom_app_services.md +++ b/deployment/raspberry-pi-4/50_custom_app_services.md @@ -303,7 +303,7 @@ services: From there we can attempt to run the service: ```sh -$ docker-compose up --build +$ docker compose up --build ``` Once services start the logs should be fairly quiet - we will need to set an echo value before the events start sending: From ff58e1e55d15fda95d952aa6df24669782f6549f Mon Sep 17 00:00:00 2001 From: Jim Wang Date: Mon, 5 Jun 2023 12:27:30 -0700 Subject: [PATCH 4/4] fix: use latest tags for those docker compose build images Signed-off-by: Jim Wang --- .../remote_devices/spiffe_and_ssh/local/docker-compose.yml | 2 +- .../remote_devices/spiffe_and_ssh/remote/docker-compose.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml b/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml index bc6a934f..1ce73ec7 100644 --- a/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml +++ b/security/remote_devices/spiffe_and_ssh/local/docker-compose.yml 
@@ -1406,7 +1406,7 @@ services:
 SECURITY_SPIRE_SERVER_HOST: edgex-security-spire-server
 SECURITY_SPIRE_SERVER_PORT: 59840
 hostname: edgex-device-ssh-proxy
- image: device-ssh-proxy:3.0.0
+ image: device-ssh-proxy:latest
 networks:
 edgex-network:
 aliases:
diff --git a/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml b/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml
index e4b2bfe1..fbc4a304 100644
--- a/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml
+++ b/security/remote_devices/spiffe_and_ssh/remote/docker-compose.yml
@@ -16,7 +16,7 @@ networks:
 driver: bridge
 services:
 sshd-remote:
- image: edgex-sshd-remote:3.0.0
+ image: edgex-sshd-remote:latest
 build:
 context: sshd-remote
 container_name: edgex-sshd-remote
@@ -79,7 +79,7 @@ services:
 MESSAGEQUEUE_HOST: edgex-redis
 REGISTRY_HOST: edgex-core-consul
 SECRETSTORE_HOST: edgex-vault
- SECRETSTORE_PORT: '8200'
+ SECRETSTORE_PORT: "8200"
 SECRETSTORE_RUNTIMETOKENPROVIDER_ENABLED: "true"
 SECRETSTORE_RUNTIMETOKENPROVIDER_ENDPOINTSOCKET: /tmp/edgex/secrets/spiffe/public/api.sock
 SECRETSTORE_RUNTIMETOKENPROVIDER_HOST: edgex-security-spiffe-token-provider
@@ -89,7 +89,7 @@ services:
 SECRETSTORE_RUNTIMETOKENPROVIDER_TRUSTDOMAIN: edgexfoundry.org
 SERVICE_HOST: edgex-device-virtual
 hostname: edgex-device-virtual
- image: nexus3.edgexfoundry.org:10004/device-virtual:latest
+ image: nexus3.edgexfoundry.org:10004/device-virtual:3.0.0
 networks:
 edgex-network: {}
 ports: