
Streamline proxy certificate upload flow #1922

Closed
bnevis-i opened this issue Oct 15, 2019 · 1 comment
Labels: 3-high priority (denoting release-blocking issues), enhancement (New feature or request), security-services

Comments

@bnevis-i (Collaborator)

🚀 Feature Request

Relevant Package

Affects security-secretstore-setup

Description

The existing security-secretstore-setup has inline code that uploads the proxy certificate into the secret store after initialization of the secret store. This coupling is unnecessary since the TLS certificate is created by an entirely separate tool (security-secrets-setup) that runs well before security-secretstore-setup runs. In fact, there are multiple possible implementations of this logic:

  • Security-proxy-setup can directly consume the TLS certificate from its on-disk representation and upload it directly to kong. In fact, this could be done through configuration-only. There is no technical need to upload this certificate into Vault to begin with.
  • The proxy TLS certificate could be generated by a Vault PKI secrets engine, in which case security-proxy setup can ask the secrets engine to generate the certificate directory, and then upload it into Vault, without reading it out of a file and storing it into the key-value store.
  • A hybrid solution whereby a PKI secrets engine generates the certificate, then it is copied into the KV store, could be implemented.
  • The existing logic as-is could be moved to its own executable and be made part of the security-proxy-setup container instead of the vault-worker container. This puts the logic closer to where it is needed (proxy initialization).

The current implementation has very little to do with initializing the secret store other than requiring that the secret store is up, and thus the logic should be moved into its own utility.
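The first option above has security-proxy-setup consume the TLS certificate straight from its on-disk files. Whichever tool ends up doing that, it should sanity-check the pair before handing it to Kong. The following Go program is an added example, not code from EdgeX or from this issue; it checks that the key matches the certificate, that the certificate is currently valid, and that it covers the proxy hostname, using a constructed self-signed certificate in place of the files security-secrets-setup writes (the hostname "edgex-kong" is an assumed value).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// validateProxyCert checks a PEM cert/key pair read from disk before it is handed
// to the proxy: key must match cert, cert must be valid at now and name the host.
func validateProxyCert(certPEM, keyPEM []byte, host string, now time.Time) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // errors if key and cert do not match
	if err != nil {
		return fmt.Errorf("cert/key parse or mismatch: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (expires %s)", now.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	if err := leaf.VerifyHostname(host); err != nil {
		return fmt.Errorf("certificate does not cover host %q: %w", host, err)
	}
	return nil
}

// selfSignedPEM builds a constructed self-signed certificate and key, a stand-in
// for the on-disk files security-secrets-setup produces (not EdgeX code).
func selfSignedPEM(hosts []string, notAfter time.Time) (certPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // test helper: key generation failure is an environment error
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: hosts,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a freshly generated key
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}
```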

@anonymouse64 (Contributor)

We could just drop this feature entirely and use kong's config file to specify the certificates instead. That seems like it would be the least amount of maintenance.

@tingyuz tingyuz added geneva security_audit Track issues that are related to CVE/CVSS/CWE auditing etc and removed security labels Oct 18, 2019
@bnevis-i bnevis-i changed the title Move proxy certificate upload to vault into separate executable Streamline proxy certificate upload flow Oct 19, 2019
@brandonforster brandonforster added this to the EdgeX Geneva milestone Oct 25, 2019
@bnevis-i bnevis-i added unscoped Issues that are currently out of scope for all releases. and removed geneva labels Nov 20, 2019
@bnevis-i bnevis-i removed this from the EdgeX Geneva milestone Nov 20, 2019
@bnevis-i bnevis-i self-assigned this Nov 4, 2020
@bnevis-i bnevis-i removed security_audit Track issues that are related to CVE/CVSS/CWE auditing etc unscoped Issues that are currently out of scope for all releases. labels Nov 4, 2020
@bnevis-i bnevis-i added the 3-high priority denoting release-blocking issues label Nov 5, 2020
@bnevis-i bnevis-i added this to the Ireland milestone Nov 18, 2020
jim-wang-intel added a commit to jim-wang-intel/developer-scripts that referenced this issue Dec 10, 2020
Add a new makefile target for compose-builder: upload-tls-cert
This can be used to setup a bring-your-own (BYO) TLS certificate for Kong proxy server in an Edgex docker-compose stack

Closes: edgexfoundry/edgex-go#1926, edgexfoundry/edgex-go#1922
Signed-off-by: Jim Wang <[email protected]>
lenny-goodell pushed a commit to edgexfoundry/developer-scripts that referenced this issue Dec 10, 2020
* feat(security): Add upload-tls-cert makefile target

Add a new makefile target for compose-builder: upload-tls-cert
This can be used to setup a bring-your-own (BYO) TLS certificate for Kong proxy server in an Edgex docker-compose stack

Closes: edgexfoundry/edgex-go#1926, edgexfoundry/edgex-go#1922
Signed-off-by: Jim Wang <[email protected]>