refactor!: replace vault with openbao

BREAKING CHANGE: replace Vault with OpenBao

Signed-off-by: Ginny Guan <[email protected]>

Attribution.txt

@@ -98,22 +98,22 @@ https://bitbucket.org/bertimus9/systemstat/src/master/LICENSE
 davecgh/go-spew (ISC) https://github.com/davecgh/go-spew
 https://github.com/davecgh/go-spew/blob/master/LICENSE
 
-edgexfoundry/go-mod-bootstrap (Apache 2.0) https://github.com/edgexfoundry/go-mod-bootstrap/v3
+edgexfoundry/go-mod-bootstrap (Apache 2.0) https://github.com/edgexfoundry/go-mod-bootstrap/v4
 https://github.com/edgexfoundry/go-mod-bootstrap/blob/master/LICENSE
 
-edgexfoundry/go-mod-configuration (Apache 2.0) https://github.com/edgexfoundry/go-mod-configuration/v3
+edgexfoundry/go-mod-configuration (Apache 2.0) https://github.com/edgexfoundry/go-mod-configuration/v4
 https://github.com/edgexfoundry/go-mod-configuration/blob/master/LICENSE
 
-edgexfoundry/go-mod-core-contracts (Apache 2.0) https://github.com/edgexfoundry/go-mod-core-contracts/v3
+edgexfoundry/go-mod-core-contracts (Apache 2.0) https://github.com/edgexfoundry/go-mod-core-contracts/v4
 https://github.com/edgexfoundry/go-mod-core-contracts/blob/master/LICENSE
 
-edgexfoundry/go-mod-messaging (Apache 2.0) https://github.com/edgexfoundry/go-mod-messaging/v3
+edgexfoundry/go-mod-messaging (Apache 2.0) https://github.com/edgexfoundry/go-mod-messaging/v4
 https://github.com/edgexfoundry/go-mod-messaging/blob/master/LICENSE
 
-edgexfoundry/go-mod-registry (Apache 2.0) https://github.com/edgexfoundry/go-mod-registry/v3
+edgexfoundry/go-mod-registry (Apache 2.0) https://github.com/edgexfoundry/go-mod-registry/v4
 https://github.com/edgexfoundry/go-mod-registry/blob/master/LICENSE
 
-edgexfoundry/go-mod-secrets (Apache 2.0) https://github.com/edgexfoundry/go-mod-secrets/v3
+edgexfoundry/go-mod-secrets (Apache 2.0) https://github.com/edgexfoundry/go-mod-secrets/v4
 https://github.com/edgexfoundry/go-mod-secrets/blob/master/LICENSE
 
 gorilla/context (BSD-3) https://github.com/gorilla/context

cmd/secrets-config/res/configuration.yaml

@@ -1,22 +1,23 @@
 #
 # Copyright (c) 2023 Intel Corporation
+# Copyright (c) 2024 IOTech Ltd
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 
 LogLevel: DEBUG
 SecretStore:
-  Type: vault
+  Type: openbao
   Protocol: http
   Host: localhost
   Port: 8200
   CertPath: ""
   CaFilePath: ""
   CertFilePath: ""
   KeyFilePath: ""
-  # for root token use: /vault/config/assets
+  # for root token use: /openbao/config/assets
   # for service token use: /tmp/edgex/secrets/security-proxy-setup 
-  TokenFolderPath: /vault/config/assets
+  TokenFolderPath: /openbao/config/assets
   # for root token use: resp-init.json
   # for service token use: secrets-token.json
   TokenFile: resp-init.json

cmd/security-bootstrapper/entrypoint-scripts/vault_wait_install.sh → cmd/security-bootstrapper/entrypoint-scripts/secretstore_wait_install.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/dumb-init /bin/sh
 #  ----------------------------------------------------------------------------------
 #  Copyright (c) 2021 Intel Corporation
+#  Copyright (c) 2024 IOTech Ltd
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -17,41 +18,41 @@
 #  SPDX-License-Identifier: Apache-2.0
 #  ----------------------------------------------------------------------------------
 
-# This is customized entrypoint script for Vault.
+# This is customized entrypoint script for secret store.
 # In particular, it waits for the BootstrapPort ready to roll
 
 set -e
 
 # env settings are populated from env files of docker-compose
 
-echo "Script for waiting security bootstrapping on Vault"
+echo "Script for waiting security bootstrapping on Secret Store"
 
-DEFAULT_VAULT_LOCAL_CONFIG='
+DEFAULT_BAO_LOCAL_CONFIG='
 listener "tcp" { 
-              address = "edgex-vault:8200" 
+              address = "edgex-secret-store:8200"
               tls_disable = "1" 
-              cluster_address = "edgex-vault:8201" 
+              cluster_address = "edgex-secret-store:8201"
           } 
           backend "file" {
-              path = "/vault/file"
+              path = "/openbao/file"
           } 
           default_lease_ttl = "168h" 
           max_lease_ttl = "720h"
 '
 
-VAULT_LOCAL_CONFIG=${VAULT_LOCAL_CONFIG:-$DEFAULT_VAULT_LOCAL_CONFIG}
+BAO_LOCAL_CONFIG=${BAO_LOCAL_CONFIG:-$DEFAULT_BAO_LOCAL_CONFIG}
 
-export VAULT_LOCAL_CONFIG
+export BAO_LOCAL_CONFIG
 
-echo "$(date) VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG}"
+echo "$(date) BAO_LOCAL_CONFIG: ${BAO_LOCAL_CONFIG}"
 
 if [ "$1" = 'server' ]; then
-  echo "$(date) Executing waitFor on vault $* with \
+  echo "$(date) Executing waitFor on secret store $* with \
     tcp://${STAGEGATE_BOOTSTRAPPER_HOST}:${STAGEGATE_BOOTSTRAPPER_STARTPORT}"
   /edgex-init/security-bootstrapper --configDir=/edgex-init/res waitFor \
     -uri tcp://"${STAGEGATE_BOOTSTRAPPER_HOST}":"${STAGEGATE_BOOTSTRAPPER_STARTPORT}" \
     -timeout "${STAGEGATE_WAITFOR_TIMEOUT}"
 
-  echo "$(date) Starting edgex-vault..."
+  echo "$(date) Starting edgex-secret-store..."
   exec /usr/local/bin/docker-entrypoint.sh server -log-level=info
 fi

cmd/security-bootstrapper/res/configuration.yaml

@@ -61,7 +61,7 @@ StageGate:
 # protocol, host, and port of secretstore using in the security-bootstrapper
 # we are not really using the secret store provider from go-mod-bootstrap in the code
 SecretStore:
-  Type: vault
+  Type: openbao
   Protocol: http
   Host: localhost
   Port: 8200

cmd/security-proxy-setup/entrypoint.sh

@@ -305,21 +305,21 @@ server {
       proxy_set_header   Host \$host;
     }
 
-    # Note: Vault login API does not require authentication at the gateway for obvious reasons
-    set \$upstream_vault edgex-vault;
+    # Note: OpenBao login API does not require authentication at the gateway for obvious reasons
+    set \$upstream_secret_store edgex-secret-store;
     location /vault/v1/auth/userpass/login {
 `cat "${corssnippet}"`
       rewrite            /vault/(.*) /\$1 break;
       resolver           127.0.0.11 valid=30s;
-      proxy_pass         http://\$upstream_vault:8200;
+      proxy_pass         http://\$upstream_secret_store:8200;
       proxy_redirect     off;
       proxy_set_header   Host \$host;
     }
     location /vault/v1/identity/oidc/token {
 `cat "${corssnippet}"`
       rewrite            /vault/(.*) /\$1 break;
       resolver           127.0.0.11 valid=30s;
-      proxy_pass         http://\$upstream_vault:8200;
+      proxy_pass         http://\$upstream_secret_store:8200;
       proxy_redirect     off;
       proxy_set_header   Host \$host;
     }

cmd/security-secretstore-setup/README.md

@@ -18,13 +18,13 @@ This will create an executable located at `cmd/security-secretstore-setup/` if s
 
 The binary supports multiple command line parameters
 
-| Parameter                         | Description                                                                                                    |
-|-----------------------------------|----------------------------------------------------------------------------------------------------------------|
-| -p, --profile `name`              | Indicate configuration profile other than default                                                              |
-| -r, --registry                    | Indicates service should use Registry                                                                          |
-| --insecureSkipVerify=`true/false` | Indicates if skipping the server side SSL cert verifcation, similar to -k of curl                              |
-| --configfile=`file.yaml`          | Use a different config file (default: res/configuration.yaml)                                                  |
-| --vaultInterval=`seconds`         | **Required** Indicates how long the program will pause between vault initialization attempts until it succeeds |
+| Parameter                         | Description                                                                                                           |
+|-----------------------------------|-----------------------------------------------------------------------------------------------------------------------|
+| -p, --profile `name`              | Indicate configuration profile other than default                                                                     |
+| -r, --registry                    | Indicates service should use Registry                                                                                 |
+| --insecureSkipVerify=`true/false` | Indicates if skipping the server side SSL cert verifcation, similar to -k of curl                                     |
+| --configfile=`file.yaml`          | Use a different config file (default: res/configuration.yaml)                                                         |
+| --secretStoreInterval=`seconds`   | **Required** Indicates how long the program will pause between secret store initialization attempts until it succeeds |
 
 An example of using the parameters can be found in the following docker compose
 file:
@@ -50,19 +50,19 @@ It should create a docker image with the name `edgexfoundry/docker_security_secr
       RevokeRootTokens = false
     ```
 
-* The edgex-vault-worker uses _compose-files_vault-config_ volume to store its token. To copy the root token from edgex-vault-worker, use
+* The edgex-vault-worker uses _compose-files_secret-store-config_ volume to store its token. To copy the root token from edgex-vault-worker, use
 
     ```sh
-    docker run --rm -v compose-files_vault-config:/vault/config alpine:latest cat /vault/config/assets/resp-init.json > resp-init.json
+    docker run --rm -v compose-secret-store-config:/openbao/config alpine:latest cat /openbao/config/assets/resp-init.json > resp-init.json
     ```
 
 * To verify the root token
 
     ```sh
-    docker exec -ti edgex-vault sh -l
+    docker exec -ti edgex-secret-store sh -l
     export VAULT_SKIP_VERIFY=true
     export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
-    vault token lookup
+    bao token lookup
     ```
 
     where `s.xxxxxxxxxxxxxxxx` is the _root_token_ member of `resp-init.json`
@@ -72,19 +72,19 @@ It should create a docker image with the name `edgexfoundry/docker_security_secr
 * To explore the vault
 
     ```sh
-    docker exec -ti edgex-vault sh -l
+    docker exec -ti edgex-secret-store sh -l
     export VAULT_SKIP_VERIFY=true
     export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
-    vault kv list secret/
+    bao kv list secret/
     ```
 
-    and drill down from there. To read a key use `vault kv get` or `vault read`.
+    and drill down from there. To read a key use `bao kv get` or `bao read`.
 
     ```sh
-    docker exec -ti edgex-vault sh -l
+    docker exec -ti edgex-secret-store sh -l
     export VAULT_SKIP_VERIFY=true
     export VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
-    vault kv get /secret/edgex/redis/redis5
+    bao kv get /secret/edgex/redis/redis5
     ```
 
     Note you can set the environment variables on the docker command line with `-e` and avoid the additional shell commands.

cmd/security-secretstore-setup/entrypoint.sh

@@ -27,11 +27,11 @@ if [ ! -z "${TOKENFILEPROVIDER_OUTPUTDIR}" ]; then
 fi
 
 # create token dir, and assign perms
-mkdir -p /vault/config/assets
-chown -Rh 100:1000 /vault/
+mkdir -p /openbao/config/assets
+chown -Rh 100:1000 /openbao/
 
 echo "Initializing secret store..."
-/security-secretstore-setup --vaultInterval=10
+/security-secretstore-setup --secretStoreInterval=10
 
 # default User and Group in case never set
 if [ -z "${EDGEX_USER}" ]; then

cmd/security-secretstore-setup/res-file-token-provider/configuration.yaml

@@ -1,6 +1,6 @@
 LogLevel: DEBUG
 SecretStore:
-  Type: vault
+  Type: openbao
   Protocol: http
   Host: localhost
   Port: 8200

cmd/security-secretstore-setup/res/configuration.yaml

@@ -16,18 +16,18 @@
 
 LogLevel: DEBUG
 SecretStore:
-  Type: vault
+  Type: openbao
   Protocol: http
   Host: localhost
   Port: 8200
   CertPath: ""
   CaFilePath: ""
   CertFilePath: ""
   KeyFilePath: ""
-  TokenFolderPath: /vault/config/assets
+  TokenFolderPath: /openbao/config/assets
   TokenFile: resp-init.json
-  VaultSecretShares: 5
-  VaultSecretThreshold: 3
+  SecretShares: 5
+  SecretThreshold: 3
   TokenProvider: /security-file-token-provider
   TokenProviderArgs:
     - "-configDir"