diff --git a/.dockerignore b/.dockerignore index 773ba5a6b3..acf05c7cf8 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,3 +1,2 @@ docs -*.snap -.git \ No newline at end of file +.git diff --git a/.github/Contributing.md b/.github/Contributing.md index ec85692a0b..04458f9895 100644 --- a/.github/Contributing.md +++ b/.github/Contributing.md @@ -57,7 +57,6 @@ Modules: * **core-data**: (or data) A change or addition to the core data micro service * **core-metadata**: (or metadata or meta) A change or addition to the core metatdata micro service * **core-command**: (or command or cmd) A change or addition to the core command micro service -* **snap**: A change or addition to snap packaging * **docker**: A change or addition to docker packaging * **security**: A change or addition to security micro services * **scheduler**: A change or addition to the supporting scheduler micro service diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d5c06c95d0..90c64a2f95 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -17,7 +17,3 @@ updates: - dependency-name: "github.com/gomodule/redigo" # For github.com/gomodule/redigo, ignore version v2.0.0 versions: ["v2.0.0"] - - package-ecosystem: "gomod" - directory: "/snap/local/helper-go" - schedule: - interval: "daily" diff --git a/.github/semantic.yml b/.github/semantic.yml index 93b9865a23..ac30eafca0 100644 --- a/.github/semantic.yml +++ b/.github/semantic.yml @@ -21,7 +21,6 @@ scopes: - core-command - command - cmd - - snap - docker - security - scheduler diff --git a/.github/workflows/snap.yaml b/.github/workflows/snap.yaml deleted file mode 100644 index 3941d5ac78..0000000000 --- a/.github/workflows/snap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -name: Snap Testing - -on: - push: - branches: [ main ] - pull_request: - branches: [ main ] - # allow manual trigger - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Build and upload snap - id: build - uses: canonical/edgex-snap-testing/build@v3 - outputs: - snap: ${{steps.build.outputs.snap}} - - test: - needs: build - runs-on: ubuntu-latest - steps: - - name: Download and test snap - uses: canonical/edgex-snap-testing/test@v3 - with: - name: edgexfoundry - snap: ${{needs.build.outputs.snap}} - diff --git a/.gitignore b/.gitignore index d16fe78800..d9ae0ef153 100644 --- a/.gitignore +++ b/.gitignore @@ -38,16 +38,5 @@ docs/_build/ # log dirs **/logs -# snap files -*.snap -*.assert -*.bz2 -*.pyc -parts/* -prime/* -stage/* -snap/.snapcraft/* -squashfs-root/ - # result files fuzz_test/fuzz_results/* diff --git a/.sonarcloud.properties b/.sonarcloud.properties index b2b1975df0..b6c5d45b6e 100644 --- a/.sonarcloud.properties +++ b/.sonarcloud.properties @@ -1,4 +1,4 @@ -sonar.exclusions=.git/*,/bin/*,/snap/**/*,**/mocks/**/*,**/*_test.go,**/vendor/** +sonar.exclusions=.git/*,/bin/*,**/mocks/**/*,**/*_test.go,**/vendor/** sonar.tests=. sonar.test.inclusions=**/*_test.go sonar.test.exclusions=**/vendor/** diff --git a/Jenkinsfile b/Jenkinsfile index 1cd765b78d..a7868f03e5 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -21,6 +21,5 @@ edgeXBuildGoParallel( testScript: 'make test', buildScript: 'make build', publishSwaggerDocs: true, - swaggerApiFolders: ['openapi/v3'], - buildSnap: false + swaggerApiFolders: ['openapi/v3'] ) diff --git a/README.md b/README.md index b438b48fc9..eec8fe92e6 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ EdgeX Foundry is a vendor-neutral open source project hosted by The Linux Foundation building a common open framework for IoT edge computing. At the heart of the project is an interoperability framework hosted within a full hardware- and OS-agnostic reference software platform to enable an ecosystem of plug-and-play components that unifies the marketplace and accelerates the deployment of IoT solutions. This repository contains the Go implementation of EdgeX Foundry microservices. It also includes files for building the services, containerizing the services, and initializing (bootstrapping) the services. ## Build with NATS Messaging -Currently, the NATS Messaging capability (NATS MessageBus) is opt-in at build time. This means that the published Docker images and Snaps do not include the NATS messaging capability. +Currently, the NATS Messaging capability (NATS MessageBus) is opt-in at build time. This means that the published Docker images do not include the NATS messaging capability. The following make commands will build the local binaries or local Docker images with NATS messaging capability included for the Core and Support services. @@ -58,11 +58,6 @@ Sample steps to create an access token and use the token to access EdgeX resourc ## Other installation and deployment options -### Snap Package - -The components in this repository are available as a snap package. -For more details on the snap, including how to build and install it, please refer to the [snap](snap) directory. - ### Native binaries #### Prerequisites @@ -95,7 +90,7 @@ make build #### Deploy EdgeX -Recommended deployment of EdgeX services is either Docker or Snap. See [Getting Started with Docker](https://docs.edgexfoundry.org/2.0/getting-started/Ch-GettingStartedUsers/) or [Getting Started with Snap](https://docs.edgexfoundry.org/2.0/getting-started/Ch-GettingStartedSnapUsers/) for more details. +Recommended deployment of EdgeX services is with Docker. See [Getting Started with Docker](https://docs.edgexfoundry.org/2.0/getting-started/Ch-GettingStartedUsers/) for more details. #### Hybrid for debug/testing @@ -128,7 +123,7 @@ If you want to **include** the delayed start feature in the builds for these ser INCLUDE_DELAYED_START_BUILD_CORE:="false" ``` -For support services, the delayed start feature is included by default as the default behavior of them are not started right away in Snap. Similarly, you can change the default and **exclude** it by modifying the boolean flag from `true` to `false` in the Makefile: +For support services, the delayed start feature is included by default. Similarly, you can change the default and **exclude** it by modifying the boolean flag from `true` to `false` in the Makefile: ```text INCLUDE_DELAYED_START_BUILD_SUPPORT:="true" diff --git a/cmd/security-bootstrapper/res/configuration.yaml b/cmd/security-bootstrapper/res/configuration.yaml index 7497e9cc93..ca31bcee08 100644 --- a/cmd/security-bootstrapper/res/configuration.yaml +++ b/cmd/security-bootstrapper/res/configuration.yaml @@ -60,7 +60,6 @@ StageGate: # this configuration is just part of the whole go-mod-bootstrap's secret store to have # protocol, host, and port of secretstore using in the security-bootstrapper # we are not really using the secret store provider from go-mod-bootstrap in the code -# also this is needed as snap does not have those environments from env-files SecretStore: Type: vault Protocol: http diff --git a/internal/security/bootstrapper/command/setupacl/command.go b/internal/security/bootstrapper/command/setupacl/command.go index 83dfb7fce5..594dafb8c1 100644 --- a/internal/security/bootstrapper/command/setupacl/command.go +++ b/internal/security/bootstrapper/command/setupacl/command.go @@ -176,7 +176,7 @@ func (c *cmd) Execute() (statusCode int, err error) { } // write a sentinel file to indicate Consul ACL bootstrap is done so that we don't bootstrap ACL again, - // this is to avoid re-bootstrapping error and that error can cause the snap crash if restart this process + // this is to avoid re-bootstrapping error if err := c.writeSentinelFile(); err != nil { return interfaces.StatusCodeExitWithError, fmt.Errorf("failed to write sentinel file: %v", err) } diff --git a/internal/security/bootstrapper/redis/Developer-notes.md b/internal/security/bootstrapper/redis/Developer-notes.md index d70aafccaf..bf1d76d044 100644 --- a/internal/security/bootstrapper/redis/Developer-notes.md +++ b/internal/security/bootstrapper/redis/Developer-notes.md @@ -3,7 +3,7 @@ Currently, the `security-bootstrapper` configureRedis produces the ACL configuration file for Redis' default user. Should using different ACL rules call for a debugging needs, developers could override this built-in configuration behavior as follows: - 1. Currently, the default ACL file path inside the redis.conf is pointing to the path with the file name `edgex_redis_acl.conf`. A developer can always provide his own redis config file containing the different file name (eg. developer-acl.conf) for ACL rules like adding some `dangerous` commands such as `INFO, MONITOR, BGSAVE, and FLUSHD` inside his own ACL file using `+` directive. eg.: +Currently, the default ACL file path inside the redis.conf is pointing to the path with the file name `edgex_redis_acl.conf`. A developer can always provide his own redis config file containing the different file name (eg. developer-acl.conf) for ACL rules like adding some `dangerous` commands such as `INFO, MONITOR, BGSAVE, and FLUSHD` inside his own ACL file using `+` directive. eg.: ```text user default on allkeys +@all -@dangerous #_{{.HashedRedisPwd}}_ +INFO +MONITOR +BGSAVE + FLUSHDB @@ -20,5 +20,3 @@ Should using different ACL rules call for a debugging needs, developers could ov Note that the HashedRedisPwd still needs to be come from the original dynamically created redis.conf file as it is read from secretstore Vault. A developer can also just modified the ACL file `edgex_redis_acl.conf` directly and then use `ACL LOAD` or `ACL SAVE` commands to change ACL rules assuming he/she has the right permissions to update that file. - - 2. For snap, a developer can just change `CONFIG_FILE` environment variable of snap `redis` service to point to his own above-mentioned configuration file, `developer_redis.conf` (assuming developer is putting his configuration file under the same directory eg. `$SNAP_DATA/redis/conf`; creating a new mounted file system and directory inside snapcraft is beyond the scope of this topic). diff --git a/security.txt b/security.txt index ce5ab0ce70..e7fa40417f 100644 --- a/security.txt +++ b/security.txt @@ -1,5 +1,5 @@ # This file is intended for inclusion in official EdgeX binary releases, -# such as containers and snaps. +# such as containers. # To privately report a security vulnerability in EdgeX Foundry # in the upstream open source repository hosted on github.com. diff --git a/snap/README.md b/snap/README.md deleted file mode 100644 index 3db863ec6e..0000000000 --- a/snap/README.md +++ /dev/null @@ -1,60 +0,0 @@ -# EdgeX Platform Snap -[![edgexfoundry](https://snapcraft.io/edgexfoundry/badge.svg)][edgexfoundry] - -This directory contains the snap packaging of the EdgeX platform snap containing all reference core and security services, along with Support Scheduler and Support Notifications. - -The platform snap is built automatically and published on the Snap Store as [edgexfoundry]. - -For usage instructions, please refer to Platform Snap section in [Getting Started using Snaps][docs]. - -## Limitations - -See the [GitHub issues with snap label](https://github.com/edgexfoundry/edgex-go/issues?q=is%3Aopen+is%3Aissue+label%3Asnap) for current issues. - -## Build from source - -The snap is defined in [snapcraft.yaml](snapcraft.yaml) and built with [snapcraft](https://snapcraft.io/docs/snapcraft). - -To build, execute the following command from the top-level directory of this repo: -```bash -snapcraft -``` - -This will create a snap package with `.snap` extension. It can be installed locally by setting the `--dangerous` flag: -```bash -sudo snap install --dangerous -``` - -Refer to [this guide](https://snapcraft.io/docs/iterating-over-a-build), for tips on how to quickly debug a build. - -The [snapcraft overview](https://snapcraft.io/docs/snapcraft-overview) provides additional details. - -### Interfaces -This snap has strict [confinement](https://snapcraft.io/docs/snap-confinement) which means that it runs in isolation up to a minimum level of access. The minimum access is granted by the connected snap [interfaces](https://snapcraft.io/docs/interface-management). Some of the interfaces such as [network](https://snapcraft.io/docs/network-interface) and [network-bind](https://snapcraft.io/docs/network-bind-interface) are connected automatically. - -To see the available and connected interfaces for this snap: -``` -$ snap connections edgexfoundry -Interface Plug Slot Notes -content edgexfoundry:edgex-secretstore-token - - -home edgexfoundry:home :home - -network edgexfoundry:network :network - -network-bind edgexfoundry:network-bind :network-bind - -removable-media edgexfoundry:removable-media - - -``` - -This shows five interface *plugs*, three of which are connected to corresponding system *slots*. - -The `edgex-secretstore-token` snap plug makes it possible to send a token to locally installed EdgeX snaps, such as device and app service snaps. If both snaps are installed from the store and from the official provider, this connection would happen automatically. - -A manual connection is possible by running: -```bash -sudo snap connect edgexfoundry:edgex-secretstore-token :edgex-secretstore-token -``` - -Please refer [here][secret-store-token] for further information. - - -[edgexfoundry]: https://snapcraft.io/edgexfoundry -[docs]: https://docs.edgexfoundry.org/3.0/getting-started/Ch-GettingStartedSnapUsers/#platform-snap -[secret-store-token]: https://docs.edgexfoundry.org/3.0/getting-started/Ch-GettingStartedSnapUsers/#secret-store-token diff --git a/snap/hooks/configure b/snap/hooks/configure deleted file mode 100755 index 5adaf531d0..0000000000 --- a/snap/hooks/configure +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -exec $SNAP/bin/helper-go configure diff --git a/snap/hooks/connect-plug-edgex-secretstore-token b/snap/hooks/connect-plug-edgex-secretstore-token deleted file mode 100755 index 4131ed7f87..0000000000 --- a/snap/hooks/connect-plug-edgex-secretstore-token +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -# This hook is triggered after the bind mount is added as a result of a -# connection for edgex-secretstore-token content interface. -# -# -# The connection can happen before or after security-secretstore-setup: -# -# BEFORE when a consumer snap (from the same publisher) is installed before -# the edgexfoundry snap and the content interface is auto-connected. -# -# AFTER, when: -# 1. A consumer snap (from the same publisher) is installed after the -# edgexfoundry snap and the content interface is auto-connected. -# 2. A connection to an external consumer snap is made manually after the -# installation of the edgexfoundry snap. -# -# Note: Since v2.1.0, the security-secretstore-setup is started by the configure -# hook instead of automatically after the installation. - -$SNAP/bin/security-secretstore-post-setup.sh "connect-plug-edgex-secretstore-token" diff --git a/snap/hooks/install b/snap/hooks/install deleted file mode 100755 index a42756ee54..0000000000 --- a/snap/hooks/install +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -exec $SNAP/bin/helper-go install diff --git a/snap/hooks/post-refresh b/snap/hooks/post-refresh deleted file mode 100755 index 516cd87894..0000000000 --- a/snap/hooks/post-refresh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -e - -TAG=$SNAP_INSTANCE_NAME.$(basename "$0") - -# Install the Unit of Measure config file when upgrading from an old version -# UoM was added in v2.3.0-dev.45: -# https://github.com/edgexfoundry/edgex-go/pull/4119 -uom="config/core-metadata/res/uom.yaml" -logger --tag $TAG "Installing $SNAP/$uom" -if [ -f "$SNAP/$uom" ]; then - # --no-clobber: copy if missing from target - cp --no-clobber "$SNAP/$uom" "$SNAP_DATA/$uom" -else - logger --stderr --tag $TAG "$SNAP/$uom does not exit." -fi diff --git a/snap/hooks/pre-refresh b/snap/hooks/pre-refresh deleted file mode 100755 index ab42cba6b5..0000000000 --- a/snap/hooks/pre-refresh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -e - -# save these for use in the post-refresh hook -snapctl set pre-refresh.revision=$SNAP_REVISION -snapctl set pre-refresh.version=$SNAP_VERSION - -# unset legacy EdgeX <2.3 options -snapctl unset lastrev release diff --git a/snap/local/helper-go/.gitignore b/snap/local/helper-go/.gitignore deleted file mode 100644 index 502c899c8b..0000000000 --- a/snap/local/helper-go/.gitignore +++ /dev/null @@ -1 +0,0 @@ -helper-go diff --git a/snap/local/helper-go/Makefile b/snap/local/helper-go/Makefile deleted file mode 100644 index 344511f9ea..0000000000 --- a/snap/local/helper-go/Makefile +++ /dev/null @@ -1,8 +0,0 @@ -build: - go build -ldflags="-s -w" -o helper-go - -tidy: - go mod tidy - -clean: - rm -f helper-go diff --git a/snap/local/helper-go/common.go b/snap/local/helper-go/common.go deleted file mode 100644 index 5eb4299ac2..0000000000 --- a/snap/local/helper-go/common.go +++ /dev/null @@ -1,86 +0,0 @@ -/* - * Copyright (C) 2022 Canonical Ltd - * Copyright (C) 2023 Intel Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License - * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing permissions and limitations under - * the License. - * - * SPDX-License-Identifier: Apache-2.0 - */ - -package main - -// snapped apps -const ( - // core services - coreData = "core-data" - coreMetadata = "core-metadata" - coreCommand = "core-command" - consul = "consul" // registry and config provider - redis = "redis" // message bus and database - coreCommonConfigBootstrapper = "core-common-config-bootstrapper" - // support services - supportNotifications = "support-notifications" - supportScheduler = "support-scheduler" - // security apps - nginx = "nginx" // reverse proxy - securitySecretsConfig = "secrets-config" // CLI app - securitySecretStoreSetup = "security-secretstore-setup" - securityProxyAuth = "security-proxy-auth" // auth plugin for nginx - securityBootstrapper = "security-bootstrapper" - securityBootstrapperRedis = "security-bootstrapper-redis" - securityBootstrapperConsul = "security-bootstrapper-consul" - securityBootstrapperNginx = "security-bootstrapper-nginx" - securityFileTokenProvider = "security-file-token-provider" - vault = "vault" // secret store -) - -var ( - securityServices = []string{ - vault, - nginx, - securityProxyAuth, - } - securitySetupServices = []string{ - securitySecretStoreSetup, - securityBootstrapperConsul, - securityBootstrapperNginx, - securityProxyAuth, - securityBootstrapperRedis, - } - coreSetupServices = []string{ - coreCommonConfigBootstrapper, - } - coreServices = []string{ - consul, - redis, - coreData, - coreMetadata, - coreCommand, - } - supportServices = []string{ - supportNotifications, - supportScheduler, - } -) - -func allOneshotServices() (s []string) { - return append(securitySetupServices, coreSetupServices...) -} - -func allServices() (s []string) { - allOneshotServices := allOneshotServices() - s = make([]string, 0, len(coreServices)+len(supportServices)+len(securityServices)+len(allOneshotServices)) - s = append(s, coreServices...) - s = append(s, supportServices...) - s = append(s, securityServices...) - s = append(s, allOneshotServices...) - return s -} diff --git a/snap/local/helper-go/configure.go b/snap/local/helper-go/configure.go deleted file mode 100644 index 1ff8b3bd10..0000000000 --- a/snap/local/helper-go/configure.go +++ /dev/null @@ -1,165 +0,0 @@ -/* - * Copyright (C) 2021 Canonical Ltd - * Copyright (C) 2023 Intel Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License - * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing permissions and limitations under - * the License. - * - * SPDX-License-Identifier: Apache-2.0 - */ - -package main - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - - "github.com/canonical/edgex-snap-hooks/v3/env" - "github.com/canonical/edgex-snap-hooks/v3/log" - opt "github.com/canonical/edgex-snap-hooks/v3/options" - "github.com/canonical/edgex-snap-hooks/v3/snapctl" -) - -// snapService returns the snap service name for the given app as . -func snapService(app string) string { - return env.SnapName + "." + app -} - -// This function creates the redis config dir under $SNAP_DATA, -// and creates an empty redis.conf file. This allows the command -// line for the service to always specify the config file, and -// allows for redis to run when security is disabled -func clearRedisConf() error { - path := filepath.Join(env.SnapData, "/redis/conf/redis.conf") - if err := ioutil.WriteFile(path, nil, 0644); err != nil { - return err - } - return nil -} - -func consulAclFileExists() bool { - path := filepath.Join(env.SnapData, "/consul/config/consul_acl.json") - _, err := os.Stat(path) - return err == nil -} - -// This function deletes the Consul ACL configuration file. This -// allows Consul to operate in insecure mode. -func rmConsulAclFile() error { - path := filepath.Join(env.SnapData, "/consul/config/consul_acl.json") - if err := os.Remove(path); err != nil { - return err - } - return nil -} - -func processSecuritySwitch() error { - edgexSecurity, err := snapctl.Get("security").Run() - if err != nil { - return fmt.Errorf("error reading snap option: %v", err) - } - - switch edgexSecurity { - case "": - // default - security is enabled - case "true": - // manually enabling the disabled switching security - return fmt.Errorf("security is enabled by default. %s", - "Once disabled, it can only be re-enabled by re-installing this snap.") - case "false": - if err := disableSecurityAndStopAll(); err != nil { - return fmt.Errorf("error disabling security: %v", err) - } - default: - return fmt.Errorf("unexpected value for security: %s", edgexSecurity) - } - return nil -} - -func disableSecurityAndStopAll() error { - // If consul_acls.json doesn't exist, then secret-store has already been - // disabled, so just return - if !consulAclFileExists() { - log.Info("Security is already disabled") - return nil - } - - log.Info("!!! DISABLING SECURITY !!!") - - // Stop all - // The non-sec services will be started again by the autostart processor - if err := snapctl.Stop("edgexfoundry").Run(); err != nil { - return fmt.Errorf("error stopping services: %s", err) - } - - // Disable autostart of security services - var autostartKeyValues []string - for _, s := range append(securityServices, securitySetupServices...) { - autostartKeyValues = append(autostartKeyValues, "apps."+s+".autostart", "false") - } - if err := snapctl.Set(autostartKeyValues...).Run(); err != nil { - return fmt.Errorf("error setting snap option: %v", err) - } - - // Disable use of Secret Store for EdgeX services - if err := snapctl.Set("config.edgex-security-secret-store", "false").Run(); err != nil { - return fmt.Errorf("error setting snap option: %v", err) - } - - // Clear redis config - if err := clearRedisConf(); err != nil { - return err - } - // Clear consul ACLs - if err := rmConsulAclFile(); err != nil { - return err - } - - return nil -} - -func configure() { - log.SetComponentName("configure") - log.Debug("Start") - - err := processSecuritySwitch() - if err != nil { - log.Fatalf("Error processing security switch: %v", err) - } - - // Process snap config options - err = opt.ProcessConfig( - coreData, - coreMetadata, - coreCommand, - coreCommonConfigBootstrapper, - supportNotifications, - supportScheduler, - securitySecretStoreSetup, - securityBootstrapper, // local executable - securityBootstrapperNginx, - securityProxyAuth, - ) - if err != nil { - log.Fatalf("Error processing config options: %v", err) - } - - // Process autostart to schedule the services start/stop - // The start/stop operations scheduled here will be performed - // once the configure hook exits without any error. - err = opt.ProcessAutostart(allServices()...) - if err != nil { - log.Fatalf("Error processing autostart options: %v", err) - } - - log.Debug("End") -} diff --git a/snap/local/helper-go/go.mod b/snap/local/helper-go/go.mod deleted file mode 100644 index 3198691ed4..0000000000 --- a/snap/local/helper-go/go.mod +++ /dev/null @@ -1,5 +0,0 @@ -module github.com/edgexfoundry/edgex-go/snap/local/helper-go - -go 1.18 - -require github.com/canonical/edgex-snap-hooks/v3 v3.0.0 diff --git a/snap/local/helper-go/go.sum b/snap/local/helper-go/go.sum deleted file mode 100644 index 483308a3ab..0000000000 --- a/snap/local/helper-go/go.sum +++ /dev/null @@ -1,6 +0,0 @@ -github.com/canonical/edgex-snap-hooks/v3 v3.0.0 h1:G2mX0c+QuzOoo3AJMmFFVwnxYBNASiaEaUgJiJ5+/48= -github.com/canonical/edgex-snap-hooks/v3 v3.0.0/go.mod h1:qGZwprCZGZk2pA9BrleUtSrGrfHIaIz1356p8aqzuN4= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= diff --git a/snap/local/helper-go/install.go b/snap/local/helper-go/install.go deleted file mode 100644 index 6e57ff698e..0000000000 --- a/snap/local/helper-go/install.go +++ /dev/null @@ -1,247 +0,0 @@ -/* - * Copyright (C) 2021 Canonical Ltd - * Copyright (C) 2023 Intel Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License - * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing permissions and limitations under - * the License. - * - * SPDX-License-Identifier: Apache-2.0 - */ - -package main - -import ( - "io/ioutil" - "os" - "path/filepath" - "strings" - - hooks "github.com/canonical/edgex-snap-hooks/v3" - "github.com/canonical/edgex-snap-hooks/v3/env" - "github.com/canonical/edgex-snap-hooks/v3/log" - "github.com/canonical/edgex-snap-hooks/v3/snapctl" -) - -// Default value of EDGEX_ADD_SECRETSTORE_TOKENS and EDGEX_ADD_REGISTRY_ACL_ROLES -// The device-rest and device-virtual are already set in /cmd/security-file-token-provider/res/token-config.json -var secretStoreTokens = []string{ - "app-functional-tests", - "app-rules-engine", - "app-http-export", - "app-mqtt-export", - "app-external-mqtt-trigger", - "app-push-to-core", - "app-rfid-llrp-inventory", - "application-service", - "device-mqtt", - "device-modbus", - "device-coap", - "device-snmp", - "device-gpio", - "device-bacnet", - "device-rfid-llrp", - "device-usb-camera", - "device-onvif-camera", - "edgex-ekuiper", -} - -// Default value of EDGEX_ADD_KNOWN_SECRETS -var secretStoreKnownSecrets = []string{ - "redisdb[device-rest]", - "redisdb[device-virtual]", - "redisdb[app-functional-tests]", - "redisdb[app-rules-engine]", - "redisdb[app-http-export]", - "redisdb[app-mqtt-export]", - "redisdb[app-external-mqtt-trigger]", - "redisdb[app-push-to-core]", - "redisdb[app-rfid-llrp-inventory]", - "redisdb[application-service]", - "redisdb[device-mqtt]", - "redisdb[device-modbus]", - "redisdb[device-coap]", - "redisdb[device-snmp]", - "redisdb[device-gpio]", - "redisdb[device-bacnet]", - "redisdb[device-rfid-llrp]", - "redisdb[device-usb-camera]", - "redisdb[device-onvif-camera]", - "redisdb[edgex-ekuiper]", -} - -var ( - snapConf = env.Snap + "/config" - snapDataConf = env.SnapData + "/config" -) - -// installConfFiles copies service configuration files from $SNAP to $SNAP_DATA -func installConfFiles() error { - var err error - - // services w/configuration that needs to be copied - // to $SNAP_DATA - var servicesWithConfig = []string{ - securitySecretsConfig, - securityBootstrapper, - securityBootstrapperRedis, - securityFileTokenProvider, - securityProxyAuth, - securitySecretStoreSetup, - coreCommonConfigBootstrapper, - coreCommand, - coreData, - coreMetadata, - supportNotifications, - supportScheduler, - } - - for _, v := range servicesWithConfig { - destDir := snapDataConf + "/" - srcDir := snapConf + "/" - - // handle exceptions (i.e. config in non-std dirs) - if v == securityBootstrapperRedis { - destDir = destDir + "security-bootstrapper/res-bootstrap-redis" - srcDir = srcDir + "security-bootstrapper/res-bootstrap-redis" - } else { - destDir = destDir + v + "/res" - srcDir = srcDir + v + "/res" - } - - err = hooks.CopyDir(srcDir, destDir) - if err != nil { - return err - } - } - - return nil -} - -func installSecretStore() error { - var err error - - // Set the default value of EDGEX_ADD_SECRETSTORE_TOKENS via snap option - if err = snapctl.Set("apps.security-secretstore-setup.config.edgex-add-secretstore-tokens", - strings.Join(secretStoreTokens, ",")).Run(); err != nil { - return err - } - - // Set the default value of EDGEX_ADD_KNOWN_SECRETS via snap option - if err = snapctl.Set("apps.security-secretstore-setup.config.edgex-add-known-secrets", - strings.Join(secretStoreKnownSecrets, ",")).Run(); err != nil { - return err - } - - if err = os.MkdirAll(env.SnapData+"/secrets", 0700); err != nil { - return err - } - - path := "/security-file-token-provider/res/token-config.json" - if err = hooks.CopyFile(snapConf+path, snapDataConf+path); err != nil { - return err - } - - if err = os.MkdirAll(snapDataConf+"/security-secret-store", 0755); err != nil { - return err - } - - path = "/security-secret-store/vault-config.hcl" - destPath := snapDataConf + path - if err = hooks.CopyFile(snapConf+path, destPath); err != nil { - return err - } - - if err = os.Chmod(destPath, 0644); err != nil { - return err - } - - return nil -} - -func installConsul() error { - var err error - - // Set the default value of EDGEX_ADD_REGISTRY_ACL_ROLES via snap option - // using the same list of services as used in EDGEX_ADD_KNOWN_SECRETS - if err = snapctl.Set("apps.security-bootstrapper.config.edgex-add-registry-acl-roles", - strings.Join(secretStoreTokens, ",")).Run(); err != nil { - return err - } - - if err = os.MkdirAll(env.SnapData+"/consul/data", 0755); err != nil { - return err - } - - if err = hooks.CopyDir(snapConf+"/consul", env.SnapData+"/consul/config"); err != nil { - return err - } - - return nil -} - -// installProxy handles initialization of the API Gateway. -func installProxy() error { - var err error - - if err = os.MkdirAll(env.SnapCommon+"/nginx/logs", 0755); err != nil { - return err - } - - if err = hooks.CopyDir(snapConf+"/nginx", env.SnapData+"/nginx"); err != nil { - return err - } - - return nil -} - -// This function creates the redis config dir under $SNAP_DATA, -// and creates an empty redis.conf file. This allows the command -// line for the service to always specify the config file, and -// allows running redis with or without security config -func installRedis() error { - fileName := filepath.Join(env.SnapData, "/redis/conf/redis.conf") - if _, err := os.Stat(filepath.Join(env.SnapData, "redis")); err != nil { - // dir doesn't exist - if err := os.MkdirAll(filepath.Dir(fileName), 0755); err != nil { - return err - } - if err := ioutil.WriteFile(fileName, nil, 0644); err != nil { - return err - } - } - return nil -} - -func install() { - log.SetComponentName("install") - - var err error - - if err = installConfFiles(); err != nil { - log.Fatalf("Error installing config files: %v", err) - } - - if err = installSecretStore(); err != nil { - log.Fatalf("Error installing secret store: %v", err) - } - - if err = installConsul(); err != nil { - log.Fatalf("Error installing consul: %v", err) - } - - if err = installProxy(); err != nil { - log.Fatalf("Error installing proxy: %v", err) - } - - if err = installRedis(); err != nil { - log.Fatalf("Error installing redis: %v", err) - } - -} diff --git a/snap/local/helper-go/main.go b/snap/local/helper-go/main.go deleted file mode 100644 index 7dee43c25e..0000000000 --- a/snap/local/helper-go/main.go +++ /dev/null @@ -1,36 +0,0 @@ -/* - * Copyright (C) 2022 Canonical Ltd - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License - * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing permissions and limitations under - * the License. - * - * SPDX-License-Identifier: Apache-2.0 - */ - -package main - -import ( - "os" -) - -func main() { - // uncomment to enable snap debugging during development - // snapctl.Set("debug", "true").Run() - - subCommand := os.Args[1] - switch subCommand { - case "install": // snap install hook - install() - case "configure": // snap configure hook - configure() - default: - panic("Unknown subcommand: " + subCommand) - } -} diff --git a/snap/local/runtime-helpers/bin/security-bootstrapper-nginx b/snap/local/runtime-helpers/bin/security-bootstrapper-nginx deleted file mode 100755 index c2aaee225c..0000000000 --- a/snap/local/runtime-helpers/bin/security-bootstrapper-nginx +++ /dev/null @@ -1,259 +0,0 @@ -#!/bin/bash - -keyfile=nginx.key -certfile=nginx.crt - -# Check for default TLS certificate for reverse proxy, create if missing -# Normally we would run the below command in the nginx container itself, -# but nginx:alpine-slim does not container openssl, thus run it here instead. -mkdir -p "${SNAP_DATA}/nginx" -cd "${SNAP_DATA}/nginx" -if test ! -f "${keyfile}" ; then - # (NGINX will restart in a failure loop until a TLS key exists) - # Create default TLS certificate with 1 day expiry -- user must replace in production (do this as nginx user) - openssl req -x509 -nodes -days 1 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -subj '/CN=localhost/O=EdgeX Foundry' -keyout "${keyfile}" -out "${certfile}" -addext "keyUsage = digitalSignature, keyCertSign" -addext "extendedKeyUsage = serverAuth" - echo "Default TLS certificate created. Recommend replace with your own." -fi - - -# -# Import CORS configuration from common config -# - -: ${EDGEX_SERVICE_CORSCONFIGURATION_ENABLECORS:=`yq -r .all-services.Service.CORSConfiguration.EnableCORS $SNAP_DATA/config/core-common-config-bootstrapper/res/configuration.yaml`} -: ${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS:=`yq -r .all-services.Service.CORSConfiguration.CORSAllowCredentials $SNAP_DATA/config/core-common-config-bootstrapper/res/configuration.yaml`} -: ${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDORIGIN:=`yq -r .all-services.Service.CORSConfiguration.CORSAllowedOrigin $SNAP_DATA/config/core-common-config-bootstrapper/res/configuration.yaml`} -: ${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDMETHODS:=`yq -r .all-services.Service.CORSConfiguration.CORSAllowedMethods $SNAP_DATA/config/core-common-config-bootstrapper/res/configuration.yaml`} -: ${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDHEADERS:=`yq -r .all-services.Service.CORSConfiguration.CORSAllowedHeaders $SNAP_DATA/config/core-common-config-bootstrapper/res/configuration.yaml`} -: ${EDGEX_SERVICE_CORSCONFIGURATION_CORSEXPOSEHEADERS:=`yq -r .all-services.Service.CORSConfiguration.CORSExposeHeaders $SNAP_DATA/config/core-common-config-bootstrapper/res/configuration.yaml`} -: ${EDGEX_SERVICE_CORSCONFIGURATION_CORSMAXAGE:=`yq -r .all-services.Service.CORSConfiguration.CORSMaxAge $SNAP_DATA/config/core-common-config-bootstrapper/res/configuration.yaml`} - -echo "$(date) CORS settings dump ..." -( set | grep EDGEX_SERVICE_CORSCONFIGURATION ) || true - -# See https://github.com/edgexfoundry/edgex-go/issues/4648 as to why CORS is implemented this way. -# Warning: no not simplify add_header redundancy. See https://www.peterbe.com/plog/be-very-careful-with-your-add_header-in-nginx -corssnippet=/tmp/cors.block.$$ -touch "${corssnippet}" -if test "${EDGEX_SERVICE_CORSCONFIGURATION_ENABLECORS}" = "true"; then - echo " if (\$request_method = 'OPTIONS') {" >> "${corssnippet}" - echo " add_header 'Access-Control-Allow-Origin' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDORIGIN}';" >> "${corssnippet}" - echo " add_header 'Access-Control-Allow-Methods' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDMETHODS}';" >> "${corssnippet}" - echo " add_header 'Access-Control-Allow-Headers' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDHEADERS}';" >> "${corssnippet}" - if test "${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}" = "true"; then - # CORS specificaiton says that if not true, omit the header entirely - echo " add_header 'Access-Control-Allow-Credentials' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}';" >> "${corssnippet}" - fi - echo " add_header 'Access-Control-Max-Age' ${EDGEX_SERVICE_CORSCONFIGURATION_CORSMAXAGE};" >> "${corssnippet}" - echo " add_header 'Vary' 'origin';" >> "${corssnippet}" - echo " add_header 'Content-Type' 'text/plain; charset=utf-8';" >> "${corssnippet}" - echo " add_header 'Content-Length' 0;" >> "${corssnippet}" - echo " return 204;" >> "${corssnippet}" - echo " }" >> "${corssnippet}" - echo " if (\$request_method != 'OPTIONS') {" >> "${corssnippet}" - # Always add headers regardless of response code. Omit preflight-related headers (allow-methods, allow-headers, allow-credentials, max-age) - echo " add_header 'Access-Control-Allow-Origin' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDORIGIN}' always;" >> "${corssnippet}" - echo " add_header 'Access-Control-Expose-Headers' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSEXPOSEHEADERS}' always;" >> "${corssnippet}" - if test "${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}" = "true"; then - # CORS specificaiton says that if not true, omit the header entirely - echo " add_header 'Access-Control-Allow-Credentials' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}';" >> "${corssnippet}" - fi - echo " add_header 'Vary' 'origin' always;" >> "${corssnippet}" - echo " }" >> "${corssnippet}" - echo "" >> "${corssnippet}" -fi - -# -# Generate NGINX configuration based on EDGEX_ADD_PROXY_ROUTE and standard settings -# - -echo "$(date) Generating default NGINX config ..." - -IFS=', ' -for service in ${EDGEX_ADD_PROXY_ROUTE}; do - prefix=$(echo -n "${service}" | sed -n -e 's/\([-0-9a-zA-Z]*\)\..*/\1/p') - host=$(echo -n "${service}" | sed -n -e 's/.*\/\/\([-0-9a-zA-Z]*\):.*/\1/p') - port=$(echo -n "${service}" | sed -n -e 's/.*:\(\d*\)/\1/p') - varname=$(echo -n "${prefix}" | tr '-' '_') - echo $service $prefix $host $port - cat <> "${SNAP_DATA}/nginx/conf.d/generated-routes.inc" - -set \$upstream_$varname $host; -location /$prefix { -`cat "${corssnippet}"` - rewrite /$prefix/(.*) /\$1 break; - resolver 127.0.0.11 valid=30s; - proxy_pass http://\$upstream_$varname:$port; - proxy_redirect off; - proxy_set_header Host \$host; - auth_request /auth; - auth_request_set \$auth_status \$upstream_status; -} -EOH - -done -unset IFS - - -# This file can be modified by the user; deleted when docker volumes are pruned; -# but preserved across start/up and stop/down actions -if test -f "${SNAP_DATA}/nginx/conf.d/edgex-custom-rewrites.inc"; then - echo "Using existing custom-rewrites." -else - cat <<'EOH' > "${SNAP_DATA}/nginx/conf.d/edgex-custom-rewrites.inc" -# Add custom location directives to this file, for example: - -# set $upstream_device_virtual edgex-device-virtual; -# location /device-virtual { -# rewrite /device-virtual/(.*) /$1 break; -# resolver 127.0.0.11 valid=30s; -# proxy_pass http://$upstream_device_virtual:59900; -# proxy_redirect off; -# proxy_set_header Host $host; -# auth_request /auth; -# auth_request_set $auth_status $upstream_status; -# } -EOH -fi - -cat < "${SNAP_DATA}/nginx/conf.d/edgex-default.conf" -# -# Copyright (C) Intel Corporation 2023 -# SPDX-License-Identifier: Apache-2.0 -# - -# generated 2023-01-19, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, modern configuration, no HSTS, no OCSP -# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6 -server { - listen 127.0.0.1:8000; # Snap listen insecure on localhost only - listen 8443 ssl; - - ssl_certificate "/var/snap/edgexfoundry/current/nginx/nginx.crt"; - ssl_certificate_key "/var/snap/edgexfoundry/current/nginx/nginx.key"; - ssl_session_tickets off; - - access_log syslog:server=unix:/dev/log,tag=edgexfoundry; - - # Subrequest authentication - - location /auth { - internal; - proxy_pass http://127.0.0.1:59842; - proxy_redirect off; - proxy_set_header Host \$host; - proxy_set_header Content-Length ""; - proxy_set_header X-Forwarded-URI \$request_uri; - proxy_pass_request_body off; - } - - # Rewriting rules (customized for snaps) - - location /core-data { - `cat "${corssnippet}"` - rewrite /core-data/(.*) /\$1 break; - proxy_pass http://127.0.0.1:59880; - proxy_redirect off; - proxy_set_header Host \$host; - auth_request /auth; - auth_request_set \$auth_status \$upstream_status; - } - - - location /core-metadata { - `cat "${corssnippet}"` - rewrite /core-metadata/(.*) /\$1 break; - proxy_pass http://127.0.0.1:59881; - proxy_redirect off; - proxy_set_header Host \$host; - auth_request /auth; - auth_request_set \$auth_status \$upstream_status; - } - - - location /core-command { - `cat "${corssnippet}"` - rewrite /core-command/(.*) /\$1 break; - proxy_pass http://127.0.0.1:59882; - proxy_redirect off; - proxy_set_header Host \$host; - auth_request /auth; - auth_request_set \$auth_status \$upstream_status; - } - - - location /support-notifications { - `cat "${corssnippet}"` - rewrite /support-notifications/(.*) /\$1 break; - proxy_pass http://127.0.0.1:59860; - proxy_redirect off; - proxy_set_header Host \$host; - auth_request /auth; - auth_request_set \$auth_status \$upstream_status; - } - - - location /support-scheduler { - `cat "${corssnippet}"` - rewrite /support-scheduler/(.*) /\$1 break; - proxy_pass http://127.0.0.1:59861; - proxy_redirect off; - proxy_set_header Host \$host; - auth_request /auth; - auth_request_set \$auth_status \$upstream_status; - } - - location /app-rules-engine { - `cat "${corssnippet}"` - rewrite /app-rules-engine/(.*) /\$1 break; - proxy_pass http://127.0.0.1:59701; - proxy_redirect off; - proxy_set_header Host \$host; - auth_request /auth; - auth_request_set \$auth_status \$upstream_status; - } - - location /rules-engine { - `cat "${corssnippet}"` - rewrite /rules-engine/(.*) /\$1 break; - proxy_pass http://127.0.0.1:59720; - proxy_redirect off; - proxy_set_header Host \$host; - auth_request /auth; - auth_request_set \$auth_status \$upstream_status; - } - - # Note: Consul implements its own authentication mechanism (only allow API, /v1, through) - location /consul/v1 { - `cat "${corssnippet}"` - rewrite /consul/(.*) /\$1 break; - proxy_pass http://127.0.0.1:8500; - proxy_redirect off; - proxy_set_header Host \$host; - } - - # Note: Vault login API does not require authentication at the gateway for obvious reasons - # Expose URLs to log in to vault and to get a JWT - location /vault/v1/auth/userpass/login { - `cat "${corssnippet}"` - rewrite /vault/(.*) /\$1 break; - proxy_pass http://127.0.0.1:8200; - proxy_redirect off; - proxy_set_header Host \$host; - } - location /vault/v1/identity/oidc/token { - `cat "${corssnippet}"` - rewrite /vault/(.*) /\$1 break; - proxy_pass http://127.0.0.1:8200; - proxy_redirect off; - proxy_set_header Host \$host; - } - - include /var/snap/edgexfoundry/current/nginx/conf.d/edgex-custom-rewrites.inc; - -} - -# Don't output NGINX version in Server: header -server_tokens off; -EOH - -rm -f "${corssnippet}" diff --git a/snap/local/runtime-helpers/bin/security-secretstore-post-setup.sh b/snap/local/runtime-helpers/bin/security-secretstore-post-setup.sh deleted file mode 100755 index 431cffa04d..0000000000 --- a/snap/local/runtime-helpers/bin/security-secretstore-post-setup.sh +++ /dev/null @@ -1,52 +0,0 @@ -#!/bin/bash -e - -# This script is called as a post-stop-command when -# security-secretstore-setup oneshot service stops. -# -# In addition, it may be called by connect-plug-edgex-secretstore-token hook -# before or after security-secretstore-setup. For details, refer to the -# respective hook script. - -# The caller is either post-stop-command from snapcraft.yaml (default) -# or the connect-plug-edgex-secretstore-token hook. -# It is only for logging purposes -caller=${1:-"post-stop-command"} -logger "edgex-secretstore:post-setup: started by $caller" - -# create the directory which consumers bind-mount into -mkdir -p $SNAP_DATA/mount/secrets - -# Each directory corresponds to an external device/app service that is connected -# to the edgex-secretstore-token plug -for fpath in $SNAP_DATA/mount/secrets/*; do - # verify that this is a directory - [ -d "$fpath" ] || continue - - # service name must be the same as the directory name - fname=$(basename "$fpath") - # path to where the token for this service is generated - TOKEN=$SNAP_DATA/secrets/$fname/secrets-token.json - # bind mount target directory path for the copy incl. trailing slash - SECRETS_MOUNT_DIR=$SNAP_DATA/mount/secrets/$fname/ - - if [ -f "$TOKEN" ]; then - logger "edgex-secretstore:post-setup: copying $TOKEN to $SECRETS_MOUNT_DIR" - cp -vr $TOKEN $SECRETS_MOUNT_DIR - else - # This is logged for interfaces that are auto-connected before the - # security-secretstore-setup runs for the first time, because tokens - # are not yet available. - # - # It is an error if security-secretstore-setup has already run but - # the expected token wasn't generated due to an internal error. - # - # It is also an error if the consumer is connecting to receive a token - # that hasn't been generated per configuration. - # - # Regardless of the error cases, this should not be raised to an error - # and exit with non-zero code because it prevents the installation of - # this snap (auto-connection error) for cases that are beyond the - # control of this snap. - logger "edgex-secretstore:post-setup: could not find token for $fname" - fi -done diff --git a/snap/local/runtime-helpers/bin/setup-consul-acl.sh b/snap/local/runtime-helpers/bin/setup-consul-acl.sh deleted file mode 100755 index 30ab96ca24..0000000000 --- a/snap/local/runtime-helpers/bin/setup-consul-acl.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -# note: -e flag is not used in this one-shot service -# we don't want to exit out the whole Consul process when ACL bootstrapping failed, just that -# Consul won't have ACL to be used - -# setup Consul's ACL via security-bootstrapper's subcommand -"$SNAP"/bin/security-bootstrapper -configDir "$SNAP_DATA"/config/security-bootstrapper/res setupRegistryACL -setupACL_code=$? -if [ "${setupACL_code}" -ne 0 ]; then - echo "$(date) failed to set up Consul ACL" -fi diff --git a/snap/local/runtime-helpers/bin/setup-redis-acl.sh b/snap/local/runtime-helpers/bin/setup-redis-acl.sh deleted file mode 100755 index 706b493d0b..0000000000 --- a/snap/local/runtime-helpers/bin/setup-redis-acl.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash - -DBFILE="$DATABASECONFIG_PATH/$DATABASECONFIG_NAME" - -logger "setup-redis-acl: redis config file:: $DBFILE" - -# setup Consul's ACL via security-bootstrapper's subcommand -"$SNAP"/bin/security-bootstrapper -configDir "$SNAP_DATA"/config/security-bootstrapper/res-bootstrap-redis configureRedis -setupACL_code="$?" -if [ "${setupACL_code}" -ne 0 ]; then - logger "$(date) failed to set up Redis ACL" -fi - -# The redis configuration file contains a path to the ACL -# file found in the same directory. This path is generated -# by security-bootstrapper using $SNAP_DATA, and thus ends -# up with a hard-coded revision which will cause a refresh -# to fail. This sed statement replaces the revision in the -# path with the string 'current'. -if [ -f "$DBFILE" ]; then - logger "setup-redis-acl: updating ACL path with 'current' symlink" - sed -i -e "s@foundry\/.*\/redis@foundry\/current\/redis@" "$DBFILE" -fi - diff --git a/snap/local/runtime-helpers/bin/source-env-file.sh b/snap/local/runtime-helpers/bin/source-env-file.sh deleted file mode 100755 index 1a9a203cb2..0000000000 --- a/snap/local/runtime-helpers/bin/source-env-file.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -e - -# convert cmdline to string array -ARGV=($@) - -# grab binary path -BINPATH="${ARGV[0]}" - -# binary name == service name/key -SERVICE=$(basename "$BINPATH") -if [ -z $ENV_FILE ]; then - ENV_FILE="$SNAP_DATA/config/$SERVICE/overrides.env" -fi -TAG="edgex-$SERVICE."$(basename "$0") - -if [ -f "$ENV_FILE" ]; then - logger --tag=$TAG "sourcing $ENV_FILE" - set -o allexport - source "$ENV_FILE" set - set +o allexport -else - logger --tag=$TAG --stderr "sourcing $ENV_FILE: not found!" -fi - -exec "$@" - diff --git a/snap/local/runtime-helpers/config/consul/consul_acl.json b/snap/local/runtime-helpers/config/consul/consul_acl.json deleted file mode 100644 index 8f740bf176..0000000000 --- a/snap/local/runtime-helpers/config/consul/consul_acl.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "acl": { - "enabled": true, - "default_policy": "deny", - "enable_token_persistence": true - } -} diff --git a/snap/local/runtime-helpers/config/consul/consul_default.json b/snap/local/runtime-helpers/config/consul/consul_default.json deleted file mode 100644 index 73df72dae3..0000000000 --- a/snap/local/runtime-helpers/config/consul/consul_default.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "node_name": "edgex-core-consul", - "enable_local_script_checks": true, - "disable_update_check": true, - "ports": { - "dns": -1 - } -} diff --git a/snap/local/runtime-helpers/config/nginx/conf.d/edgex-custom-rewrites.inc b/snap/local/runtime-helpers/config/nginx/conf.d/edgex-custom-rewrites.inc deleted file mode 100644 index 93afd7682a..0000000000 --- a/snap/local/runtime-helpers/config/nginx/conf.d/edgex-custom-rewrites.inc +++ /dev/null @@ -1,10 +0,0 @@ -# Add custom location directives to this file, for example: - -location /device-virtual { - rewrite /device-virtual/(.*) /$1 break; - proxy_pass http://127.0.0.1:59900; - proxy_redirect off; - proxy_set_header Host $host; - auth_request /auth; - auth_request_set $auth_status $upstream_status; -} diff --git a/snap/local/runtime-helpers/config/nginx/nginx.conf b/snap/local/runtime-helpers/config/nginx/nginx.conf deleted file mode 100644 index e6562bc022..0000000000 --- a/snap/local/runtime-helpers/config/nginx/nginx.conf +++ /dev/null @@ -1,57 +0,0 @@ -user root; -daemon off; -worker_processes 1; - -error_log stderr info; - -events { - worker_connections 768; - # multi_accept on; -} - -http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - include /snap/edgexfoundry/current/usr/nginx/conf/mime.types; - - default_type application/octet-stream; - - ## - # SSL Settings - ## - - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - ## - # Gzip Settings - ## - - gzip on; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - ## - # Virtual Host Configs - ## - - include /var/snap/edgexfoundry/current/nginx/conf.d/*.conf; -} diff --git a/snap/local/runtime-helpers/config/security-secret-store/vault-config.hcl b/snap/local/runtime-helpers/config/security-secret-store/vault-config.hcl deleted file mode 100644 index 51124a7175..0000000000 --- a/snap/local/runtime-helpers/config/security-secret-store/vault-config.hcl +++ /dev/null @@ -1,23 +0,0 @@ -# TODO: Ireland -# -# We should explore a better way to handle this file. -# As there isn't a default upstream vault config file -# that can be modified, we use this file for the snap, -# and for docker deployment, this file is generated by -# the script cmd/security-secret-setup/start_vault.sh. -# -# The only differences between this file and the file -# generated by the above script is that localhost is -# instead of docker hostnames. - -listener "tcp" { - address = "localhost:8200" - tls_disable = "1" -} - -backend "file" { - path = "vault/file" -} - -default_lease_ttl = "168h" -max_lease_ttl = "720h" diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml deleted file mode 100644 index 48c855e446..0000000000 --- a/snap/snapcraft.yaml +++ /dev/null @@ -1,488 +0,0 @@ -name: edgexfoundry -base: core22 -summary: EdgeX core, security, and supporting components -description: Refer to https://snapcraft.io/edgexfoundry -adopt-info: edgex-go - -# Different epochs prevent refreshes between major versions of EdgeX due -# to continued configuration changes. -# -# delhi: 0, edinburgh: 1, fuji: 2, geneva: 3, hanoi: 4 -# ireland/jakarta: 5, kamakura/levski:6, minnesota: 7 -epoch: 7 - -architectures: - - build-on: arm64 - - build-on: amd64 - -plugs: - # This content interface provides a mechanism for the edgexfoundry - # snap to shared vault secret tokens in order for services in external - # edgex snap to access the secret-store. Note, in this case this snap - # defines a plug instead of slot to allow the consuming snap to create - # the service-specific directory under $SNAP_DATA/secrets. - edgex-secretstore-token: - interface: content - content: edgex-secretstore-token - target: $SNAP_DATA/mount/secrets - -layout: - /usr/local: - bind: $SNAP/usr/local - /usr/nginx: - bind: $SNAP_COMMON/nginx - -grade: stable -confinement: strict - -apps: - consul: - command: bin/consul agent -data-dir $SNAP_DATA/consul/data -config-dir $SNAP_DATA/consul/config -server -bind 127.0.0.1 -bootstrap -ui - daemon: simple - install-mode: disable - plugs: [network, network-bind] - consul-cli: - command: bin/consul - plugs: [network, network-bind] - redis: - after: [security-bootstrapper-redis] - command: bin/redis-server $CONFIG_FILE $DIR_ARG $SAVE_ARG $BIND_ARG - environment: - DIR_ARG: --dir $SNAP_DATA/redis - SAVE_ARG: --save 900 1 --save 300 10 - BIND_ARG: --bind 127.0.0.1 - CONFIG_FILE: $SNAP_DATA/redis/conf/redis.conf - daemon: simple - install-mode: disable - plugs: [network, network-bind] - redis-cli: - command: bin/redis-cli - plugs: [home, removable-media, network] - vault: - command: bin/vault server --config $VAULT_CONFIG - daemon: simple - install-mode: disable - environment: - VAULT_CONFIG: "$SNAP_DATA/config/security-secret-store/vault-config.hcl" - VAULT_ADDR: "http://localhost:8200" - plugs: - - network - - network-bind - vault-cli: - command: bin/vault - environment: - VAULT_CONFIG: "$SNAP_DATA/config/security-secret-store/vault-config.hcl" - VAULT_ADDR: "http://localhost:8200" - plugs: - - network - - network-bind - security-secretstore-setup: - after: [vault] - command: bin/security-secretstore-setup --configDir $SNAP_DATA/config/security-secretstore-setup/res $VAULT_INTERVAL - command-chain: - - bin/source-env-file.sh - post-stop-command: bin/security-secretstore-post-setup.sh - daemon: oneshot - install-mode: disable - environment: - VAULT_INTERVAL: "--vaultInterval=10" - SECRETSTORE_HOST: localhost - # environment vars for security-secretstore-setup (aka vault-worker) - SECRETSTORE_TOKENFOLDERPATH: $SNAP_DATA/config/security-secretstore-setup/res - SECRETSTORE_TOKENPROVIDER: $SNAP/bin/security-file-token-provider - SECRETSTORE_TOKENPROVIDERARGS: "-configDir, $SNAP_DATA/config/security-file-token-provider/res" - SECRETSTORE_TOKENPROVIDERADMINTOKENPATH: $SNAP_DATA/secrets/tokenprovider/secrets-token.json - # registry consul ACL related environment variables: - SECRETSTORE_CONSULSECRETSADMINTOKENPATH: $SNAP_DATA/secrets/edgex-consul/admin/token.json - - # environment for security-file-token-provider, exec'd by secretstore-setup - TOKENFILEPROVIDER_PRIVILEGEDTOKENPATH: $SNAP_DATA/secrets/tokenprovider/secrets-token.json - TOKENFILEPROVIDER_CONFIGFILE: $SNAP_DATA/config/security-file-token-provider/res/token-config.json - TOKENFILEPROVIDER_OUTPUTDIR: $SNAP_DATA/secrets - - start-timeout: 15m - plugs: [network] - security-proxy-auth: - after: - - security-secretstore-setup - - consul - command: bin/security-proxy-auth --configDir $SNAP_DATA/config/security-proxy-auth/res --configProvider --registry - command-chain: - - bin/source-env-file.sh - environment: - SECRETSTORE_TOKENFILE: $SNAP_DATA/secrets/security-proxy-auth/secrets-token.json - daemon: simple - install-mode: disable - plugs: [network, network-bind] - stop-timeout: 10s - # This is a simple one-shot service that creates a default TLS key and certificate for NGINX - security-bootstrapper-nginx: - after: - - security-secretstore-setup - command: bin/security-bootstrapper-nginx - command-chain: - - bin/source-env-file.sh - daemon: oneshot - install-mode: disable - # This is a simple service which calls into vault to retrieve the Redis password and then - # to generate Redis config file for Redis server to start up with credentials and ACL rules. - # Redis can be started once the confFile is created. Once the config file has been generated, - # this service exits. In the Docker version, the customized redis' entrypoint.sh performs - # the similar actions as described above. - security-bootstrapper-redis: - after: - - security-secretstore-setup - command: bin/setup-redis-acl.sh - command-chain: - - bin/source-env-file.sh - environment: - ENV_FILE: $SNAP_DATA/config/security-bootstrapper/overrides.env - SECRETSTORE_SERVERNAME: localhost - SECRETSTORE_TOKENFILE: $SNAP_DATA/secrets/security-bootstrapper-redis/secrets-token.json - DATABASECONFIG_PATH: $SNAP_DATA/redis/conf - DATABASECONFIG_NAME: redis.conf - daemon: oneshot - install-mode: disable - plugs: [network] - # This is a one-shot service which sets up consul's ACL and prepare for creating consul's agent tokens later on - security-bootstrapper-consul: - after: - - security-secretstore-setup - command: bin/setup-consul-acl.sh - command-chain: - - bin/source-env-file.sh - environment: - ENV_FILE: $SNAP_DATA/config/security-bootstrapper/overrides.env - STAGEGATE_REGISTRY_HOST: localhost - STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: $SNAP_DATA/secrets/consul-acl-token/bootstrap_token.json - STAGEGATE_REGISTRY_ACL_MANAGEMENTTOKENPATH: $SNAP_DATA/secrets/consul-acl-token/mgmt_token.json - STAGEGATE_REGISTRY_ACL_SECRETSADMINTOKENPATH: $SNAP_DATA/secrets/edgex-consul/admin/token.json - STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: $SNAP_DATA/consul/config/consul_acl_done - daemon: oneshot - install-mode: disable - plugs: [network] - core-data: - after: - - security-bootstrapper-redis - - core-common-config-bootstrapper - # This generates the consul role for this service before the service starts - - security-bootstrapper-consul - command: bin/core-data --configDir $SNAP_DATA/config/core-data/res --configProvider --registry - command-chain: - - bin/source-env-file.sh - environment: - SECRETSTORE_TOKENFILE: $SNAP_DATA/secrets/core-data/secrets-token.json - daemon: simple - install-mode: disable - plugs: [network, network-bind] - # for now, specify a shorter stop-timeout until services learn how - # to handle SIGTERM properly with as per - # https://github.com/edgexfoundry/edgex-go/issues/1306 - stop-timeout: 10s - core-metadata: - after: - - security-bootstrapper-redis - - core-common-config-bootstrapper - # This generates the consul role for this service before the service starts - - security-bootstrapper-consul - command: bin/core-metadata --configDir $SNAP_DATA/config/core-metadata/res --configProvider --registry - command-chain: - - bin/source-env-file.sh - environment: - SECRETSTORE_TOKENFILE: $SNAP_DATA/secrets/core-metadata/secrets-token.json - UOM_UOMFILE: $SNAP_DATA/config/core-metadata/res/uom.yaml - daemon: simple - install-mode: disable - plugs: [network, network-bind] - stop-timeout: 10s - core-command: - after: - - security-bootstrapper-redis - - core-common-config-bootstrapper - # This generates the consul role for this service before the service starts - - security-bootstrapper-consul - command: bin/core-command --configDir $SNAP_DATA/config/core-command/res --configProvider --registry - command-chain: - - bin/source-env-file.sh - environment: - SECRETSTORE_TOKENFILE: $SNAP_DATA/secrets/core-command/secrets-token.json - daemon: simple - install-mode: disable - plugs: [network, network-bind] - stop-timeout: 10s - support-notifications: - after: - - security-bootstrapper-redis - - core-common-config-bootstrapper - # This generates the consul role for this service before the service starts - - security-bootstrapper-consul - command: bin/support-notifications --configDir $SNAP_DATA/config/support-notifications/res --configProvider --registry - command-chain: - - bin/source-env-file.sh - environment: - SECRETSTORE_TOKENFILE: $SNAP_DATA/secrets/support-notifications/secrets-token.json - daemon: simple - install-mode: disable - plugs: [network, network-bind] - stop-timeout: 10s - support-scheduler: - after: - - security-bootstrapper-redis - - core-common-config-bootstrapper - # This generates the consul role for this service before the service starts - - security-bootstrapper-consul - command: bin/support-scheduler --configDir $SNAP_DATA/config/support-scheduler/res --configProvider --registry - command-chain: - - bin/source-env-file.sh - environment: - SECRETSTORE_TOKENFILE: $SNAP_DATA/secrets/support-scheduler/secrets-token.json - daemon: simple - install-mode: disable - plugs: [network, network-bind] - stop-timeout: 10s - nginx: - after: - - security-bootstrapper-nginx - command: usr/nginx/sbin/nginx -e stderr -p $SNAP_COMMON/nginx -c $SNAP_DATA/nginx/nginx.conf - reload-command: usr/nginx/sbin/nginx -e stderr -p $SNAP_COMMON/nginx -c $SNAP_DATA/nginx/nginx.conf -s reload - stop-command: usr/nginx/sbin/nginx -e stderr -p $SNAP_COMMON/nginx -c $SNAP_DATA/nginx/nginx.conf -s quit - daemon: simple - command-chain: - - bin/source-env-file.sh - install-mode: disable - plugs: [network, network-bind] - stop-timeout: 10s -# this service pushes common configuration source into Configuration Provider - core-common-config-bootstrapper: - after: - - security-bootstrapper-consul - command: bin/core-common-config-bootstrapper --configDir $SNAP_DATA/config/core-common-config-bootstrapper/res --configFile configuration.yaml --configProvider --registry - command-chain: - - bin/source-env-file.sh - environment: - SECRETSTORE_TOKENFILE: $SNAP_DATA/secrets/core-common-config-bootstrapper/secrets-token.json - daemon: oneshot - install-mode: disable - plugs: [network] - # helper commands the snap exposes - secrets-config: - command: bin/secrets-config --configDir $SNAP_DATA/config/secrets-config/res - environment: - SECRETSTORE_TOKENFOLDERPATH: $SNAP_DATA/config/security-secretstore-setup/res/ - SECRETSTORE_TOKENFILE: resp-init.json - plugs: [home, removable-media, network] - -parts: - # For inspiration see - # - https://github.com/ogra1/nginx-snap - # - https://github.com/kbavishi/nginx-snapcraft - # - https://github.com/mbd98/nginx-snap - # We enable SSL and reverse proxy and compression and disable almost everything else - nginx: - source: https://github.com/nginx/nginx.git - # Use branch instead of tag to limit the git cloning depth - source-branch: release-1.24.0 - source-depth: 1 - plugin: autotools - autotools-configure-parameters: - - --prefix=/usr/nginx - - --user=root - - --group=root - - --with-select_module - - --with-poll_module - - --with-http_ssl_module - - --with-http_auth_request_module - - --with-stream - - --with-stream_ssl_module - - --without-http_charset_module - - --without-http_ssi_module - - --without-http_userid_module - - --without-http_access_module - - --without-http_auth_basic_module - - --without-http_mirror_module - - --without-http_autoindex_module - - --without-http_geo_module - - --without-http_map_module - - --without-http_split_clients_module - - --without-http_referer_module - - --without-http_fastcgi_module - - --without-http_uwsgi_module - - --without-http_scgi_module - - --without-http_grpc_module - - --without-http_memcached_module - - --without-http_limit_conn_module - - --without-http_limit_req_module - - --without-http_empty_gif_module - - --without-http_browser_module - - --without-http_upstream_hash_module - - --without-http_upstream_ip_hash_module - - --without-http_upstream_least_conn_module - - --without-http_upstream_random_module - - --without-http_upstream_keepalive_module - - --without-http_upstream_zone_module - - --without-http-cache - - --without-mail_pop3_module - - --without-mail_imap_module - - --without-mail_smtp_module - - --without-stream_limit_conn_module - - --without-stream_access_module - - --without-stream_geo_module - - --without-stream_map_module - - --without-stream_split_clients_module - - --without-stream_return_module - - --without-stream_set_module - - --without-stream_upstream_hash_module - - --without-stream_upstream_least_conn_module - - --without-stream_upstream_random_module - - --without-stream_upstream_zone_module - build-packages: - - build-essential - - libpcre3-dev - - libssl-dev - - zlib1g-dev - override-build: | - cp auto/configure . - craftctl default - stage-packages: - - libssl-dev - - zlib1g - stage-snaps: - - yq - stage: - - -usr/nginx/conf/nginx.conf - - runtime-helpers: - plugin: dump - source: snap/local/runtime-helpers - - helper-go: - source: snap/local/helper-go - plugin: make - build-snaps: - - go/1.20/stable - override-build: | - cd $CRAFT_PART_SRC - make build - install -DT ./helper-go $CRAFT_PART_INSTALL/bin/helper-go - - consul: - plugin: nil - build-packages: - - curl - - unzip - override-build: | - VERSION=1.15.2 - - ARCH=$(dpkg --print-architecture) - FILE_NAME=consul_${VERSION}_linux_$ARCH.zip - - # NOTE: the archive only includes the binary distribution, with no config or license files - curl --silent --show-error --location --output $FILE_NAME \ - https://releases.hashicorp.com/consul/${VERSION}/$FILE_NAME - - unzip $FILE_NAME -d $CRAFT_PART_INSTALL - organize: - consul: bin/consul - - redis: - source: https://github.com/redis/redis.git - source-tag: "6.2.12" - source-depth: 1 - plugin: make - make-parameters: - - "PREFIX=$CRAFT_PART_INSTALL/" - - edgex-go: - source: . - plugin: make - build-snaps: - - go/1.20/stable - override-build: | - cd $CRAFT_PART_SRC - - if git describe ; then - VERSION=$(git describe --tags --abbrev=0 | sed 's/v//') - else - VERSION="0.0.0" - fi - - # set the version of the snap - craftctl set version=$VERSION - - # write version to file for the build - echo $VERSION > VERSION - - [ ! -d "vendor" ] && go mod download all || echo "skipping..." - - make build - - # copy service binaries, configuration, and license files into the snap install - for service in core-command core-data core-metadata support-notifications support-scheduler \ - security-proxy-auth security-secretstore-setup security-file-token-provider \ - security-bootstrapper secrets-config core-common-config-bootstrapper; do - - install -DT "./cmd/$service/$service" "$CRAFT_PART_INSTALL/bin/$service" - - case "$service" in - "core-metadata") - install -DT "./cmd/core-metadata/res/configuration.yaml" "$CRAFT_PART_INSTALL/config/core-metadata/res/configuration.yaml" - install -DT "./cmd/core-metadata/res/uom.yaml" "$CRAFT_PART_INSTALL/config/core-metadata/res/uom.yaml" - ;; - "core-common-config-bootstrapper") - install -DT "./cmd/core-common-config-bootstrapper/res/configuration.yaml" \ - "$CRAFT_PART_INSTALL/config/core-common-config-bootstrapper/res/configuration.yaml" - ;; - "security-file-token-provider") - install -DT "./cmd/security-secretstore-setup/res-file-token-provider/configuration.yaml" \ - "$CRAFT_PART_INSTALL/config/security-file-token-provider/res/configuration.yaml" - ;; - # For security bootstrapping Redis, we only need the configuration file used for "configureRedis" - # as part of the whole "security-bootstrapper". - # For security bootstrapping Consul (aka consul-bootstrapper), we then need the security-bootstrapper's - # yaml file and thus here we install both files. - "security-bootstrapper") - install -DT "./cmd/security-bootstrapper/res-bootstrap-redis/configuration.yaml" \ - "$CRAFT_PART_INSTALL/config/security-bootstrapper/res-bootstrap-redis/configuration.yaml" - install -DT "./cmd/security-bootstrapper/res/configuration.yaml" \ - "$CRAFT_PART_INSTALL/config/security-bootstrapper/res/configuration.yaml" - ;; - # The security-secrets-config doesn't have a default configuration.yaml, but since it shares - # the same config as proxy-setup, just use that one. - "secrets-config") - install -DT "./cmd/secrets-config/res/configuration.yaml" \ - "$CRAFT_PART_INSTALL/config/secrets-config/res/configuration.yaml" - ;; - *) - install -DT "./cmd/$service/res/configuration.yaml" "$CRAFT_PART_INSTALL/config/$service/res/configuration.yaml" - esac - - done - - install -DT "./Attribution.txt" "$CRAFT_PART_INSTALL/usr/share/doc/github.com/edgexfoundry/Attribution.txt" - install -DT "./LICENSE" "$CRAFT_PART_INSTALL/usr/share/doc/github.com/edgexfoundry/LICENSE" - - # install the json config files for security-file-token-provider - # - # note that the file contents are processed using the real - # value of $SNAP_DATA using jq in the install hook - cp "./cmd/security-file-token-provider/res/token-config.json" \ - "$CRAFT_PART_INSTALL/config/security-file-token-provider/res/token-config.json" - - vault: - plugin: nil - build-packages: - - curl - - unzip - override-build: | - VERSION=1.11.3 - - ARCH=$(dpkg --print-architecture) - FILE_NAME=vault_${VERSION}_linux_$ARCH.zip - - # NOTE: the archive only includes the binary distribution, with no config or license files - curl --silent --show-error --location --output $FILE_NAME \ - https://releases.hashicorp.com/vault/$VERSION/$FILE_NAME - - unzip $FILE_NAME -d $CRAFT_PART_INSTALL - organize: - vault: bin/vault