build(snap): Add implementation for set up Consul ACL (#3223)

- Add token for consul secret engine in snap - Add env. for ACL enable: ENABLE_REGISTRY_ACL: true - Add env. for consul secret engine admin token: SECRETSTORE_CONSULSECRETSADMINTOKENPATH - Add logic for copying the needed configuration toml from security-bootstrapper - Add consul-bootstrapper one-shot service for setting up Consul's ACL - Add feature flag logic in start_consul.sh shell script - Add env. overrides for consul-bootstrapper - Make consul-bootstrapper use shell script as command to run setupRegistryACL Closes: #3222 Signed-off-by: Jim Wang <[email protected]>
edgexfoundry · Mar 22, 2021 · eeaee6b · eeaee6b
1 parent be0d14e
commit eeaee6b
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 12 deletions.
diff --git a/snap/hooks/install b/snap/hooks/install
@@ -14,14 +14,16 @@ for service in security-file-token-provider security-proxy-setup security-secret
     if [ ! -f "$SNAP_DATA/config/$service/res/configuration.toml" ]; then
         mkdir -p "$SNAP_DATA/config/$service/res"
 
-        # for security-bootstrapper, we only need the configureRedis subcommand portion and associated 
+        # for security-bootstrapper, we have two different configuration toml, one for bootstrap-redis and one for security-bootstrapper itself
+        # the bootstrap-redis run the configureRedis subcommand portion and associated
         # configuration.toml file
+        # the bootstrap-consul or consul-bootstrapper runs the setupRegistryACL subcommand portion and associated configuration.toml file
         if [ "$service" == "security-bootstrapper" ]; then
+            mkdir -p "$SNAP_DATA/config/$service/res-bootstrap-redis"
             cp "$SNAP/config/$service/res-bootstrap-redis/configuration.toml" \
-                "$SNAP_DATA/config/$service/res/configuration.toml"
-        else
-            cp "$SNAP/config/$service/res/configuration.toml" "$SNAP_DATA/config/$service/res/configuration.toml"
+                "$SNAP_DATA/config/$service/res-bootstrap-redis/configuration.toml"
         fi
+        cp "$SNAP/config/$service/res/configuration.toml" "$SNAP_DATA/config/$service/res/configuration.toml"
 
         # replace $SNAP, $SNAP_DATA, $SNAP_COMMON env vars for file-token-provider,
         # as it doesn't support env var overrides

diff --git a/snap/local/runtime-helpers/bin/setup-consul-acl.sh b/snap/local/runtime-helpers/bin/setup-consul-acl.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# note: -e flag is not used in this one-shot service
+# we don't want to exit out the whole Consul process when ACL bootstrapping failed, just that
+# Consul won't have ACL to be used
+
+echo "$(date) in setup-consul-acl.sh: ENABLE_REGISTRY_ACL = ${ENABLE_REGISTRY_ACL}"
+
+if [ "${ENABLE_REGISTRY_ACL}" == "true" ]; then
+    # setup Consul's ACL via security-bootstrapper's subcommand
+    "$SNAP"/bin/security-bootstrapper -confdir "$SNAP_DATA"/config/security-bootstrapper/res setupRegistryACL
+    setupACL_code=$?
+    if [ "${setupACL_code}" -ne 0 ]; then
+      echo "$(date) failed to set up Consul ACL"
+    fi
+else
+    echo "$(date) ACL not enabled, skip Consul's ACL setup"
+fi
diff --git a/snap/local/runtime-helpers/bin/start-consul.sh b/snap/local/runtime-helpers/bin/start-consul.sh
@@ -1,5 +1,36 @@
 #!/bin/bash -e
 
+echo "$(date) deploying the default EdgeX configuration for Consul"
+# the default Consul local configuration is applied to all cases no matter ACL is enabled or not
+# note that Consul's DNS port is disabled based on the securing Consul ADR
+# https://github.com/edgexfoundry/edgex-docs/blob/master/docs_src/design/adr/security/0017-consul-security.md#phase-1
+cat > "$SNAP_DATA/consul/config/consul_default.json" <<EOF
+{
+    "enable_local_script_checks": true,
+    "disable_update_check": true,
+    "ports": {
+      "dns": -1
+    }
+}
+EOF
+
+echo "$(date) ENABLE_REGISTRY_ACL = ${ENABLE_REGISTRY_ACL}"
+
+# if feature flag ENABLE_REGISTRY_ACL is true, then we need to add additional configuration settings to Consul's ACL system
+# according to the securing Consul ADR, we set the "default_policy" to "allow" in Phase 1
+if [ "${ENABLE_REGISTRY_ACL}" == "true" ]; then
+    echo "$(date) deploying additional ACL configuration for Consul"
+    cat > "$SNAP_DATA/consul/config/consul_acl.json" <<EOF
+{
+    "acl": {
+      "enabled": true,
+      "default_policy": "allow",
+      "enable_token_persistence": true
+    }
+}
+EOF
+fi
+
 # start consul in the background
 "$SNAP/bin/consul" agent \
     -data-dir="$SNAP_DATA/consul/data" \

diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
@@ -76,6 +76,8 @@ apps:
   consul:
     adapter: full
     command: bin/start-consul.sh
+    environment:
+      ENABLE_REGISTRY_ACL: "true"
     daemon: forking
     plugs: [network, network-bind]
   redis:
@@ -159,6 +161,9 @@ apps:
       SECRETSTORE_TOKENPROVIDER: $SNAP/bin/security-file-token-provider
       SECRETSTORE_TOKENPROVIDERARGS: "-confdir, $SNAP_DATA/config/security-file-token-provider/res"
       SECRETSTORE_TOKENPROVIDERADMINTOKENPATH: $SNAP_DATA/secrets/tokenprovider/secrets-token.json
+      # registry consul ACL related environment variables:
+      ENABLE_REGISTRY_ACL: "true"
+      SECRETSTORE_CONSULSECRETSADMINTOKENPATH: $SNAP_DATA/secrets/edgex-consul/admin/token.json
 
       # environment for security-file-token-provider, exec'd by secretstore-setup
       TOKENFILEPROVIDER_PRIVILEGEDTOKENPATH: $SNAP_DATA/secrets/tokenprovider/secrets-token.json
@@ -179,16 +184,16 @@ apps:
     daemon: oneshot
     start-timeout: 15m
     plugs: [network]
-  # This is a simple service which calls into vault to retrieve the Redis password and then 
-  # to generate Redis config file for Redis server to start up with credentials and ACL rules. 
-  # Redis can be started once the confFile is created. Once the config file has been generated, 
-  # this service exits. In the Docker version, the customized redis' entrypoint.sh performs 
+  # This is a simple service which calls into vault to retrieve the Redis password and then
+  # to generate Redis config file for Redis server to start up with credentials and ACL rules.
+  # Redis can be started once the confFile is created. Once the config file has been generated,
+  # this service exits. In the Docker version, the customized redis' entrypoint.sh performs
   # the similar actions as described above.
   security-bootstrap-redis:
     adapter: none
     after:
       - security-secretstore-setup
-    command: bin/security-bootstrapper -confdir $SNAP_DATA/config/security-bootstrapper/res configureRedis
+    command: bin/security-bootstrapper -confdir $SNAP_DATA/config/security-bootstrapper/res-bootstrap-redis configureRedis
     environment:
       # TODO: determine the correct cmd-line args & env var overrides...
       SECRETSTORE_SERVERNAME: localhost
@@ -197,6 +202,20 @@ apps:
       DATABASECONFIG_NAME: redis.conf
     daemon: oneshot
     plugs: [network]
+  # This is a one-shot service which sets up consul's ACL and prepare for creating consul's agent tokens later on
+  security-consul-bootstrapper:
+    adapter: none
+    after:
+      - security-secretstore-setup
+    command: bin/setup-consul-acl.sh
+    environment:
+      ENABLE_REGISTRY_ACL: "true"
+      STAGEGATE_REGISTRY_HOST: localhost
+      STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: $SNAP_DATA/secrets/consul-acl-token/bootstrap_token.json
+      STAGEGATE_REGISTRY_ACL_SECRETSADMINTOKENPATH: $SNAP_DATA/secrets/edgex-consul/admin/token.json
+      STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: $SNAP_DATA/consul/config/consul_acl_done
+    daemon: oneshot
+    plugs: [network]
   core-data:
     adapter: full
     after:
@@ -305,7 +324,7 @@ apps:
     adapter: none
     command: bin/security-proxy-setup
     environment:
-      SECRETSTORE_TOKENPATH: $SNAP_DATA/secrets/edgex-security-proxy-setup/secrets-token.json
+      SECRETSTORE_TOKENFILE: $SNAP_DATA/secrets/edgex-security-proxy-setup/secrets-token.json
     plugs: [home, removable-media, network]
   secrets-config:
     adapter: none
@@ -581,11 +600,14 @@ parts:
                   "$SNAPCRAFT_PART_INSTALL/config/security-file-token-provider/res/configuration.toml"
           ;;
           # For security bootstrapping Redis, we only need the configuration file used for "configureRedis"
-          # as part of the whole "security-bootstrapper". The other parts of security-bootstrapper is only 
-          # for Docker version running in docker-compose file cases.
+          # as part of the whole "security-bootstrapper".
+          # For security bootstrapping Consul (aka consul-bootstrapper), we then need the security-bootstrapper's
+          # toml file and thus here we install both files.
           "security-bootstrapper")
               install -DT "./cmd/security-bootstrapper/res-bootstrap-redis/configuration.toml" \
                   "$SNAPCRAFT_PART_INSTALL/config/security-bootstrapper/res-bootstrap-redis/configuration.toml"
+              install -DT "./cmd/security-bootstrapper/res/configuration.toml" \
+                  "$SNAPCRAFT_PART_INSTALL/config/security-bootstrapper/res/configuration.toml"
           ;;
           # The security-secrets-config doesn't have a default configuration.toml, but since it shares
           # the same config as proxy-setup, just use that one.