feat(security): Add new implementation for security bootstrapping/ins…

…tallation The scurity container bootstrapping initiates with security-bootstrapper service, in which it bootstraps the pre-seeded secrets and credentials. The security-bootstrapper starts with seeding the vault_wait_install.sh script (contains the dockerize utility) to be available for other containers that needs to wait for the intended done-listener is issued and connected. The other containers in the security bootstrapping process currently are: - Redis bootstrapping - Consul bootstrapping - Kong bootstrapping - Postgres bootstrapping The dockerize utility is used on those above containers to wait for that security-bootstrapper tcp listener done signal and then those container can proceed to start up. Security-bootstrapper's entrypoint script is also for other edgex-core-services to wait for the intended port to be ready. The majority of edgex-core-services are converted to alpine-based image to facilitate the ability to use entrypoint scripts. Signed-off-by: Jim Wang <[email protected]>
edgexfoundry · Jan 6, 2021 · fb0dd7a · fb0dd7a
1 parent fa73db0
commit fb0dd7a
Show file tree

Hide file tree

Showing 57 changed files with 2,825 additions and 30 deletions.
diff --git a/.gitignore b/.gitignore
@@ -27,6 +27,7 @@ cmd/sys-mgmt-agent/sys-mgmt-agent
 cmd/sys-mgmt-executor/sys-mgmt-executor
 cmd/security-bootstrap-redis/security-bootstrap-redis
 cmd/secrets-config/secrets-config
+cmd/security-bootstrapper/security-bootstrapper
 
 docs/_build/
 

diff --git a/Makefile b/Makefile
@@ -19,7 +19,7 @@ DOCKERS= \
 	docker_support_scheduler \
 	docker_security_proxy_setup \
 	docker_security_secretstore_setup \
-	docker_security_bootstrap_redis
+	docker_security_bootstrapper
 
 .PHONY: $(DOCKERS)
 
@@ -35,7 +35,8 @@ MICROSERVICES= \
 	cmd/security-secretstore-setup/security-secretstore-setup \
 	cmd/security-file-token-provider/security-file-token-provider \
 	cmd/security-bootstrap-redis/security-bootstrap-redis \
-	cmd/secrets-config/secrets-config
+	cmd/secrets-config/secrets-config \
+	cmd/security-bootstrapper/security-bootstrapper
 
 .PHONY: $(MICROSERVICES)
 
@@ -87,6 +88,9 @@ cmd/security-bootstrap-redis/security-bootstrap-redis:
 cmd/secrets-config/secrets-config:
 	$(GO) build $(GOFLAGS) -o ./cmd/secrets-config ./cmd/secrets-config
 
+cmd/security-bootstrapper/security-bootstrapper:
+	$(GO) build $(GOFLAGS) -o ./cmd/security-bootstrapper/security-bootstrapper ./cmd/security-bootstrapper
+
 clean:
 	rm -f $(MICROSERVICES)
 
@@ -186,10 +190,12 @@ docker_security_secretstore_setup:
 		-t edgexfoundry/docker-security-secretstore-setup-go:$(DOCKER_TAG) \
 		.
 
-docker_security_bootstrap_redis:
-		docker build \
-		-f cmd/security-bootstrap-redis/Dockerfile \
+docker_security_bootstrapper:
+	docker build \
+	    --build-arg http_proxy \
+	    --build-arg https_proxy \
+		-f cmd/security-bootstrapper/Dockerfile \
 		--label "git_sha=$(GIT_SHA)" \
-		-t edgexfoundry/docker-security-bootstrap-redis-go:$(GIT_SHA) \
-		-t edgexfoundry/docker-security-bootstrap-redis-go:$(DOCKER_TAG) \
+		-t edgexfoundry/docker-security-bootstrapper-go:$(GIT_SHA) \
+		-t edgexfoundry/docker-security-bootstrapper-go:$(DOCKER_TAG) \
 		.
diff --git a/cmd/core-command/Attribution.txt b/cmd/core-command/Attribution.txt
@@ -174,3 +174,6 @@ https://github.com/go-playground/validator/blob/master/LICENSE
 
 leodido/go-urn (MIT) https://github.com/leodido/go-urn
 https://github.com/leodido/go-urn
+
+github.com/lib/pq (MIT) https://github.com/lib/pq
+https://github.com/lib/pq/blob/master/LICENSE.md
diff --git a/cmd/core-command/Dockerfile b/cmd/core-command/Dockerfile
@@ -36,10 +36,12 @@ COPY . .
 
 RUN make cmd/core-command/core-command
 
-FROM scratch
+FROM alpine:3.12
+
+RUN apk add --update --no-cache ca-certificates dumb-init
 
 LABEL license='SPDX-License-Identifier: Apache-2.0' \
-      copyright='Copyright (c) 2018: Dell, Cavium'
+      copyright='Copyright (c) 2018: Dell, Cavium, Copyright (c) 2021: Intel Corporation'
 
 ENV APP_PORT=48082
 #expose command data port
@@ -49,5 +51,13 @@ WORKDIR /
 COPY --from=builder /edgex-go/cmd/core-command/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/core-command/core-command /
 COPY --from=builder /edgex-go/cmd/core-command/res/configuration.toml /res/configuration.toml
-ENTRYPOINT ["/core-command"]
-CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]
+
+ENV CONSUL_HOST=edgex-core-consul
+ENV CONSUL_PORT=8500
+
+# setup entrypoint script
+COPY --from=builder /edgex-go/cmd/core-command/entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/entrypoint.sh \
+    && ln -s /usr/local/bin/entrypoint.sh /
+
+ENTRYPOINT ["entrypoint.sh"]
diff --git a/cmd/core-command/entrypoint.sh b/cmd/core-command/entrypoint.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/dumb-init /bin/sh
+#  ----------------------------------------------------------------------------------
+#  Copyright (c) 2021 Intel Corporation
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ----------------------------------------------------------------------------------
+
+set -e
+
+echo "CONSUL_HOST: ${CONSUL_HOST} CONSUL_PORT: $CONSUL_PORT"
+
+echo "$(date) Starting edgex-core-command..."
+exec /core-command -cp=consul.http://"${CONSUL_HOST}":"$CONSUL_PORT" --registry --confdir=/res
diff --git a/cmd/core-data/Attribution.txt b/cmd/core-data/Attribution.txt
@@ -174,3 +174,6 @@ https://github.com/go-playground/validator/blob/master/LICENSE
 
 leodido/go-urn (MIT) https://github.com/leodido/go-urn
 https://github.com/leodido/go-urn
+
+github.com/lib/pq (MIT) https://github.com/lib/pq
+https://github.com/lib/pq/blob/master/LICENSE.md
diff --git a/cmd/core-data/Dockerfile b/cmd/core-data/Dockerfile
@@ -50,10 +50,17 @@ EXPOSE $APP_PORT
 # So we can try these.
 RUN sed -e 's/dl-cdn[.]alpinelinux.org/nl.alpinelinux.org/g' -i~ /etc/apk/repositories
 
-RUN apk add --update --no-cache zeromq
+RUN apk add --update --no-cache zeromq dumb-init
 COPY --from=builder /edgex-go/cmd/core-data/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/core-data/core-data /
 COPY --from=builder /edgex-go/cmd/core-data/res/configuration.toml /res/configuration.toml
 
-ENTRYPOINT ["/core-data"]
-CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]
+ENV CONSUL_HOST=edgex-core-consul
+ENV CONSUL_PORT=8500
+
+# setup entrypoint script
+COPY --from=builder /edgex-go/cmd/core-data/entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/entrypoint.sh \
+    && ln -s /usr/local/bin/entrypoint.sh /
+
+ENTRYPOINT ["entrypoint.sh"]
diff --git a/cmd/core-data/entrypoint.sh b/cmd/core-data/entrypoint.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/dumb-init /bin/sh
+#  ----------------------------------------------------------------------------------
+#  Copyright (c) 2021 Intel Corporation
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ----------------------------------------------------------------------------------
+
+set -e
+
+echo "CONSUL_HOST: ${CONSUL_HOST} CONSUL_PORT: $CONSUL_PORT"
+
+echo "$(date) Starting edgex-core-data..."
+exec /core-data -cp=consul.http://"${CONSUL_HOST}":"$CONSUL_PORT" --registry --confdir=/res
diff --git a/cmd/core-metadata/Attribution.txt b/cmd/core-metadata/Attribution.txt
@@ -174,3 +174,6 @@ https://github.com/go-playground/validator/blob/master/LICENSE
 
 leodido/go-urn (MIT) https://github.com/leodido/go-urn
 https://github.com/leodido/go-urn
+
+github.com/lib/pq (MIT) https://github.com/lib/pq
+https://github.com/lib/pq/blob/master/LICENSE.md
diff --git a/cmd/core-metadata/Dockerfile b/cmd/core-metadata/Dockerfile
@@ -36,10 +36,12 @@ COPY . .
 RUN make cmd/core-metadata/core-metadata
 
 #Next image - Copy built Go binary into new workspace
-FROM scratch
+FROM alpine:3.12
+
+RUN apk add --update --no-cache ca-certificates dumb-init
 
 LABEL license='SPDX-License-Identifier: Apache-2.0' \
-      copyright='Copyright (c) 2018: Dell, Cavium'
+      copyright='Copyright (c) 2018: Dell, Cavium, Copyright (c) 2021: Intel Corporation'
 
 ENV APP_PORT=48081
 #expose meta data port
@@ -49,5 +51,13 @@ WORKDIR /
 COPY --from=builder /edgex-go/cmd/core-metadata/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/core-metadata/core-metadata /
 COPY --from=builder /edgex-go/cmd/core-metadata/res/configuration.toml /res/configuration.toml
-ENTRYPOINT ["/core-metadata"]
-CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]
+
+ENV CONSUL_HOST=edgex-core-consul
+ENV CONSUL_PORT=8500
+
+# setup entrypoint script
+COPY --from=builder /edgex-go/cmd/core-metadata/entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/entrypoint.sh \
+    && ln -s /usr/local/bin/entrypoint.sh /
+
+ENTRYPOINT ["entrypoint.sh"]
diff --git a/cmd/core-metadata/entrypoint.sh b/cmd/core-metadata/entrypoint.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/dumb-init /bin/sh
+#  ----------------------------------------------------------------------------------
+#  Copyright (c) 2021 Intel Corporation
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ----------------------------------------------------------------------------------
+
+set -e
+
+echo "CONSUL_HOST: ${CONSUL_HOST} CONSUL_PORT: $CONSUL_PORT"
+
+echo "$(date) Starting edgex-core-metadata..."
+exec /core-metadata -cp=consul.http://"${CONSUL_HOST}":"$CONSUL_PORT" --registry --confdir=/res
diff --git a/cmd/secrets-config/Attribution.txt b/cmd/secrets-config/Attribution.txt
@@ -174,3 +174,6 @@ https://github.com/go-playground/validator/blob/master/LICENSE
 
 leodido/go-urn (MIT) https://github.com/leodido/go-urn
 https://github.com/leodido/go-urn
+
+github.com/lib/pq (MIT) https://github.com/lib/pq
+https://github.com/lib/pq/blob/master/LICENSE.md
diff --git a/cmd/security-bootstrap-redis/Attribution.txt b/cmd/security-bootstrap-redis/Attribution.txt
@@ -173,3 +173,6 @@ https://github.com/go-playground/validator/blob/master/LICENSE
 
 leodido/go-urn (MIT) https://github.com/leodido/go-urn
 https://github.com/leodido/go-urn
+
+github.com/lib/pq (MIT) https://github.com/lib/pq
+https://github.com/lib/pq/blob/master/LICENSE.md