diff --git a/cmd/security-secretstore-setup/res-file-token-provider/configuration.toml b/cmd/security-secretstore-setup/res-file-token-provider/configuration.toml
index 938c73d03d..3b83f25a30 100644
--- a/cmd/security-secretstore-setup/res-file-token-provider/configuration.toml
+++ b/cmd/security-secretstore-setup/res-file-token-provider/configuration.toml
@@ -6,7 +6,7 @@ Protocol = "http"
 Server = "edgex-vault"
 ServerName = ""
 Port = 8200
-CaFilePath = ''
+CaFilePath = ""
 [TokenFileProvider]
 PrivilegedTokenPath = "/run/edgex/secrets/tokenprovider/secrets-token.json"
diff --git a/cmd/security-secretstore-setup/res/configuration.toml b/cmd/security-secretstore-setup/res/configuration.toml
index 9520c11df4..0aedc4e455 100644
--- a/cmd/security-secretstore-setup/res/configuration.toml
+++ b/cmd/security-secretstore-setup/res/configuration.toml
@@ -23,10 +23,10 @@ LogLevel = 'DEBUG'
 Protocol = "http"
 Server = "edgex-vault"
 Port = 8200
-CertPath = "v1/secret/edgex/edgex-security-proxy-setup/kong-tls"
+CertPath = ""
 CaFilePath = ""
-CertFilePath = "/tmp/edgex/secrets/edgex-kong/server.crt"
-KeyFilePath = "/tmp/edgex/secrets/edgex-kong/server.key"
+CertFilePath = ""
+KeyFilePath = ""
 TokenFolderPath = "/vault/config/assets"
 TokenFile = "resp-init.json"
 VaultSecretShares = 5
diff --git a/internal/security/secretstore/init.go b/internal/security/secretstore/init.go
index a564c55b3b..88293e7796 100644
--- a/internal/security/secretstore/init.go
+++ b/internal/security/secretstore/init.go
@@ -24,6 +24,7 @@ import (
 "net/http"
 "os"
 "path/filepath"
+ "strings"
 "sync"
 "time"
@@ -340,36 +341,52 @@ func (b *Bootstrap) BootstrapHandler(ctx context.Context, _ *sync.WaitGroup, _ s os.Exit(1) } - cert := NewCerts(req, configuration.SecretService.CertPath, rootToken, configuration.SecretService.GetSecretSvcBaseURL(), lc) - existing, err := cert.AlreadyinStore() - if err != nil { - lc.Error(err.Error()) - os.Exit(1) - } + // Concat all cert path config vals together to check for empty vals + certPathCheck := configuration.SecretService.CertPath + + configuration.SecretService.CertFilePath + + configuration.SecretService.KeyFilePath - if existing == true { - lc.Info("proxy certificate pair are in the secret store already, skip uploading") - return false - } + // If any of the previous three proxy cert path values are present (len > 0), attempt to upload to secret store + if len(strings.TrimSpace(certPathCheck)) != 0 { - lc.Info("proxy certificate pair are not in the secret store yet, uploading them") - cp, err := cert.ReadFrom(configuration.SecretService.CertFilePath, configuration.SecretService.KeyFilePath) - if err != nil { - lc.Error("failed to get certificate pair from volume") - os.Exit(1) - } + // Grab the certificate & check to see if it's already in the secret store + cert := NewCerts(req, configuration.SecretService.CertPath, rootToken, configuration.SecretService.GetSecretSvcBaseURL(), lc) + existing, err := cert.AlreadyinStore() + if err != nil { + lc.Error(err.Error()) + os.Exit(1) + } - lc.Info("proxy certificate pair are loaded from volume successfully, will upload to secret store") + if existing { + lc.Info("proxy certificate pair are in the secret store already, skip uploading") + return false + } - err = cert.UploadToStore(cp) - if err != nil { - lc.Error("failed to upload the proxy cert pair into the secret store") - lc.Error(err.Error()) - os.Exit(1) + lc.Info("proxy certificate pair are not in the secret store yet, uploading them") + cp, err := cert.ReadFrom(configuration.SecretService.CertFilePath, 
configuration.SecretService.KeyFilePath) + if err != nil { + lc.Error("failed to get certificate pair from volume") + os.Exit(1) + } + + lc.Info("proxy certificate pair are loaded from volume successfully, will upload to secret store") + + err = cert.UploadToStore(cp) + if err != nil { + lc.Error("failed to upload the proxy cert pair into the secret store") + lc.Error(err.Error()) + os.Exit(1) + } + + lc.Info("proxy certificate pair are uploaded to secret store successfully") + + } else { + lc.Info("proxy certificate pair upload was skipped because cert config value(s) were blank") } - lc.Info("proxy certificate pair are uploaded to secret store successfully, Vault init done successfully") + lc.Info("Vault init done successfully") return false + } // XXX Collapse addServiceCredential and addDBCredential together by passing in the path or using
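Review bot: The guard `if len(strings.TrimSpace(certPathCheck)) != 0` opens the upload branch when any one of CertPath, CertFilePath or KeyFilePath is non-blank, so a partially configured service still reaches `NewCerts`/`AlreadyinStore` and `cert.ReadFrom` with empty values and only fails there with a generic message and `os.Exit(1)`. Now that the defaults in res/configuration.toml are all blank, a deployer who fills in only some of them gets a late, confusing failure instead of a clear one. I would trim and check the three values individually, treat them as all-or-nothing, and name the inconsistency before exiting, which also removes the concatenate-then-trim idiom. BootstrapHandler's signature and the start of its body are outside the hunk.
```go
	certPath := strings.TrimSpace(configuration.SecretService.CertPath)
	certFile := strings.TrimSpace(configuration.SecretService.CertFilePath)
	keyFile := strings.TrimSpace(configuration.SecretService.KeyFilePath)
	anySet := certPath != "" || certFile != "" || keyFile != ""
	allSet := certPath != "" && certFile != "" && keyFile != ""

	// A partial configuration is a deployment error: report it here rather than failing later on an empty path.
	if anySet && !allSet {
		lc.Error("proxy certificate upload is partially configured: CertPath, CertFilePath and KeyFilePath must all be set or all be blank")
		os.Exit(1)
	}

	if allSet {
		// … unchanged: NewCerts / AlreadyinStore / ReadFrom / UploadToStore …
	} else {
		lc.Info("proxy certificate pair upload was skipped because cert config value(s) were blank")
	}
```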