Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(security): Add new implementation for security bootstrapper #2970

Merged
merged 1 commit into from
Jan 22, 2021
Merged

feat(security): Add new implementation for security bootstrapper #2970

merged 1 commit into from
Jan 22, 2021

Conversation

jim-wang-intel
Copy link
Contributor

@jim-wang-intel jim-wang-intel commented Dec 23, 2020
edited
Loading

The full blown implementation is base on ADR security bootstrapping containers.

The security container bootstrapping initiates with security-bootstrapper service, in which it bootstraps
the pre-seeded secrets and credentials.

The security-bootstrapper starts with seeding the vault_wait_install.sh script (contains the dockerize utility)
to be available for other containers that needs to wait for the intended done-listener is issued and connected.

The other containers in the security bootstrapping process currently are:

  • Redis bootstrapping
  • Consul bootstrapping
  • Postgres bootstrapping
  • Kong bootstrapping

The dockerize utility is used on those above containers to wait for that security-bootstrapper
tcp listener done signal and then those container can proceed to start up.

Signed-off-by: Jim Wang [email protected]

PR Checklist

Please check if your PR fulfills the following requirements:

  • [x ] Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

If your build fails due to your commit message not passing the build checks, please review the guidelines here: https://github.com/edgexfoundry/edgex-go/blob/master/.github/Contributing.md.

What is the current behavior?

This is a totally new implementation

Issue Number: #2884

What is the new behavior?

New security bootstrapping mechanism and entrypoint scripts to coordinate the startup steps for various service containers.

Does this PR introduce a breaking change?

  • Yes
  • [X ] No

New Imports

  • [X ] Yes
  • No

https://wiki.edgexfoundry.org/display/FA/Vetting+Process+for+3rd+Party+Dependencies

  • Add pure Golang postgres driver tool lib/pq to facilitate the pinging postgres db connection for the readiness of kong-db. This is needed because the postgres kong-db service docker-container currently is read-only and hence unable to install any new utilities on that container itself.

  • Add dockerize executable to facilitate the gating or waiting mechanism on various containers. This one is not used directly in new imports or modules; rather only used in the shell scripts.

Specific Instructions

Are there any specific instructions or things that should be known prior to reviewing?
local testing instructions:

  1. git clone this PR
  2. build the local version of docker images: make docker
  3. use the following docker-compose file to test: docker-compose up
networks:
  edgex-network:
    driver: bridge
services:
  app-service-rules:
    command: -s -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res
    container_name: edgex-app-service-configurable-rules
    depends_on:
    - consul
    - data
    environment:
      BINDING_PUBLISHTOPIC: events
      CLIENTS_COMMAND_HOST: edgex-core-command
      CLIENTS_COREDATA_HOST: edgex-core-data
      CLIENTS_DATA_HOST: edgex-core-data
      CLIENTS_METADATA_HOST: edgex-core-metadata
      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
      CLIENTS_RULESENGINE_HOST: edgex-kuiper
      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
      DATABASES_PRIMARY_HOST: edgex-redis
      EDGEX_PROFILE: rules-engine
      EDGEX_SECURITY_SECRET_STORE: "false"
      MESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-core-data
      REGISTRY_HOST: edgex-core-consul
      SERVICE_HOST: edgex-app-service-configurable-rules
      SERVICE_PORT: 48100
    hostname: edgex-app-service-configurable-rules
    image: nexus3.edgexfoundry.org:10004/docker-app-service-configurable:master
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:48100:48100/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
  command:
    command: /core-command -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res
    container_name: edgex-core-command
    depends_on:
    - consul
    - database
    - metadata
    - security-bootstrapper
    - vault-worker
    entrypoint:
    - /edgex-init/ready_to_run_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      CLIENTS_COMMAND_HOST: edgex-core-command
      CLIENTS_COREDATA_HOST: edgex-core-data
      CLIENTS_DATA_HOST: edgex-core-data
      CLIENTS_METADATA_HOST: edgex-core-metadata
      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
      CLIENTS_RULESENGINE_HOST: edgex-kuiper
      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
      DATABASES_PRIMARY_HOST: edgex-redis
      EDGEX_SECURITY_SECRET_STORE: "true"
      PROXY_SETUP_HOST: edgex-proxy
      REGISTRY_HOST: edgex-core-consul
      SECRETSTORE_HOST: edgex-vault
      SECRETSTORE_PORT: '8200'
      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-core-command/secrets-token.json
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      SERVICE_HOST: edgex-core-command
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: edgex-core-command
    image: edgexfoundry/docker-core-command-go:0.0.0-dev
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:48082:48082/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
    user: 2002:2001
    volumes:
    - edgex-init:/edgex-init:ro,z
    - /tmp/edgex/secrets/edgex-core-command:/tmp/edgex/secrets/edgex-core-command:ro,z
  consul:
    container_name: edgex-core-consul
    depends_on:
    - security-bootstrapper
    - vault
    entrypoint:
    - /edgex-init/consul_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      CLIENTS_COMMAND_HOST: edgex-core-command
      CLIENTS_COREDATA_HOST: edgex-core-data
      CLIENTS_DATA_HOST: edgex-core-data
      CLIENTS_METADATA_HOST: edgex-core-metadata
      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
      CLIENTS_RULESENGINE_HOST: edgex-kuiper
      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
      DATABASES_PRIMARY_HOST: edgex-redis
      EDGEX_SECURITY_SECRET_STORE: "true"
      PROXY_SETUP_HOST: edgex-proxy
      REGISTRY_HOST: edgex-core-consul
      SECRETSTORE_HOST: edgex-vault
      SECRETSTORE_PORT: '8200'
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: edgex-core-consul
    image: consul:1.9.1
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:8500:8500/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
    volumes:
    - consul-config:/consul/config:z
    - consul-data:/consul/data:z
    - edgex-init:/edgex-init:ro,z
    - /tmp/edgex/secrets/edgex-consul:/tmp/edgex/secrets/edgex-consul:ro,z
    - /tmp/edgex/secrets/edgex-kong:/tmp/edgex/secrets/edgex-kong:ro,z
  data:
    command: /core-data -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res
    container_name: edgex-core-data
    depends_on:
    - consul
    - database
    - metadata
    - security-bootstrapper
    - vault-worker
    entrypoint:
    - /edgex-init/ready_to_run_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      CLIENTS_COMMAND_HOST: edgex-core-command
      CLIENTS_COREDATA_HOST: edgex-core-data
      CLIENTS_DATA_HOST: edgex-core-data
      CLIENTS_METADATA_HOST: edgex-core-metadata
      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
      CLIENTS_RULESENGINE_HOST: edgex-kuiper
      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
      DATABASES_PRIMARY_HOST: edgex-redis
      EDGEX_SECURITY_SECRET_STORE: "true"
      PROXY_SETUP_HOST: edgex-proxy
      REGISTRY_HOST: edgex-core-consul
      SECRETSTORE_HOST: edgex-vault
      SECRETSTORE_PORT: '8200'
      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-core-data/secrets-token.json
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      SERVICE_HOST: edgex-core-data
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: edgex-core-data
    image: edgexfoundry/docker-core-data-go:0.0.0-dev
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:5563:5563/tcp
    - 127.0.0.1:48080:48080/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
    user: 2002:2001
    volumes:
    - edgex-init:/edgex-init:ro,z
    - /tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z
  database:
    container_name: edgex-redis
    depends_on:
    - security-bootstrapper
    entrypoint:
    - /edgex-init/redis_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      CLIENTS_COMMAND_HOST: edgex-core-command
      CLIENTS_COREDATA_HOST: edgex-core-data
      CLIENTS_DATA_HOST: edgex-core-data
      CLIENTS_METADATA_HOST: edgex-core-metadata
      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
      CLIENTS_RULESENGINE_HOST: edgex-kuiper
      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
      DATABASES_PRIMARY_HOST: edgex-redis
      EDGEX_SECURITY_SECRET_STORE: "true"
      PROXY_SETUP_HOST: edgex-proxy
      REGISTRY_HOST: edgex-core-consul
      SECRETSTORE_HOST: edgex-vault
      SECRETSTORE_PORT: '8200'
      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-security-bootstrap-redis/secrets-token.json
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: edgex-redis
    image: redis:6.0.9-alpine
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:6379:6379/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
    volumes:
    - db-data:/data:z
    - edgex-init:/edgex-init:ro,z
    - /tmp/edgex/secrets/edgex-security-bootstrap-redis:/tmp/edgex/secrets/edgex-security-bootstrap-redis:ro,z
  edgex-proxy:
    container_name: edgex-proxy
    depends_on:
    - consul
    - kong
    - security-bootstrapper
    - vault-worker
    entrypoint:
    - /edgex-init/proxy_setup_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      CLIENTS_COMMAND_HOST: edgex-core-command
      CLIENTS_COREDATA_HOST: edgex-core-data
      CLIENTS_DATA_HOST: edgex-core-data
      CLIENTS_METADATA_HOST: edgex-core-metadata
      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
      CLIENTS_RULESENGINE_HOST: edgex-kuiper
      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
      DATABASES_PRIMARY_HOST: edgex-redis
      EDGEX_SECURITY_SECRET_STORE: "false"
      KONGURL_SERVER: kong
      PROXY_SETUP_HOST: edgex-proxy
      REGISTRY_HOST: edgex-core-consul
      SECRETSERVICE_SERVER: edgex-vault
      SECRETSERVICE_TOKENPATH: /tmp/edgex/secrets/edgex-security-proxy-setup/secrets-token.json
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: edgex-proxy
    image: edgexfoundry/docker-security-proxy-setup-go:0.0.0-dev
    networks:
      edgex-network: {}
    read_only: true
    security_opt:
    - no-new-privileges:true
    user: 2002:2001
    volumes:
    - edgex-init:/edgex-init:ro,z
    - /tmp/edgex/secrets/edgex-security-proxy-setup:/tmp/edgex/secrets/edgex-security-proxy-setup:ro,z
  kong:
    container_name: kong
    depends_on:
    - consul
    - kong-db
    - security-bootstrapper
    entrypoint:
    - /edgex-init/kong_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 ssl
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-db
      KONG_PG_PASSWORD_FILE: /tmp/postgres-config/.pgpassword
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      PROXY_SETUP_HOST: edgex-proxy
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: kong
    image: kong:2.0.5
    networks:
      edgex-network: {}
    ports:
    - 8000:8000/tcp
    - 127.0.0.1:8001:8001/tcp
    - 8443:8443/tcp
    - 127.0.0.1:8444:8444/tcp
    read_only: true
    restart: on-failure
    security_opt:
    - no-new-privileges:true
    tmpfs:
    - /run
    - /tmp
    tty: true
    volumes:
    - edgex-init:/edgex-init:ro,z
    - postgres-config:/tmp/postgres-config:z
    - kong:/usr/local/kong:rw
  kong-db:
    container_name: kong-db
    depends_on:
    - security-bootstrapper
    entrypoint:
    - /edgex-init/postgres_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      EDGEX_SECURITY_SECRET_STORE: "true"
      POSTGRES_DB: kong
      POSTGRES_PASSWORD_FILE: /tmp/postgres-config/.pgpassword
      POSTGRES_USER: kong
      PROXY_SETUP_HOST: edgex-proxy
      SECRETSTORE_HOST: edgex-vault
      SECRETSTORE_PORT: '8200'
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: kong-db
    image: postgres:12.3-alpine
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:5432:5432/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
    tmpfs:
    - /var/run
    - /tmp
    - /run
    volumes:
    - edgex-init:/edgex-init:ro,z
    - postgres-config:/tmp/postgres-config:z
    - postgres-data:/var/lib/postgresql/data:z
  metadata:
    command: /core-metadata -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res
    container_name: edgex-core-metadata
    depends_on:
    - consul
    - database
    - notifications
    - security-bootstrapper
    - vault-worker
    entrypoint:
    - /edgex-init/ready_to_run_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      CLIENTS_COMMAND_HOST: edgex-core-command
      CLIENTS_COREDATA_HOST: edgex-core-data
      CLIENTS_DATA_HOST: edgex-core-data
      CLIENTS_METADATA_HOST: edgex-core-metadata
      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
      CLIENTS_RULESENGINE_HOST: edgex-kuiper
      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
      DATABASES_PRIMARY_HOST: edgex-redis
      EDGEX_SECURITY_SECRET_STORE: "true"
      NOTIFICATIONS_SENDER: edgex-core-metadata
      PROXY_SETUP_HOST: edgex-proxy
      REGISTRY_HOST: edgex-core-consul
      SECRETSTORE_HOST: edgex-vault
      SECRETSTORE_PORT: '8200'
      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-core-metadata/secrets-token.json
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      SERVICE_HOST: edgex-core-metadata
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: edgex-core-metadata
    image: edgexfoundry/docker-core-metadata-go:0.0.0-dev
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:48081:48081/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
    user: 2002:2001
    volumes:
    - edgex-init:/edgex-init:ro,z
    - /tmp/edgex/secrets/edgex-core-metadata:/tmp/edgex/secrets/edgex-core-metadata:ro,z
  notifications:
    command: /support-notifications -cp=consul.http://edgex-core-consul:8500 --registry
      --confdir=/res
    container_name: edgex-support-notifications
    depends_on:
    - consul
    - database
    - security-bootstrapper
    - vault-worker
    entrypoint:
    - /edgex-init/ready_to_run_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      CLIENTS_COMMAND_HOST: edgex-core-command
      CLIENTS_COREDATA_HOST: edgex-core-data
      CLIENTS_DATA_HOST: edgex-core-data
      CLIENTS_METADATA_HOST: edgex-core-metadata
      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
      CLIENTS_RULESENGINE_HOST: edgex-kuiper
      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
      DATABASES_PRIMARY_HOST: edgex-redis
      EDGEX_SECURITY_SECRET_STORE: "true"
      PROXY_SETUP_HOST: edgex-proxy
      REGISTRY_HOST: edgex-core-consul
      SECRETSTORE_HOST: edgex-vault
      SECRETSTORE_PORT: '8200'
      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-support-notifications/secrets-token.json
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      SERVICE_HOST: edgex-support-notifications
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: edgex-support-notifications
    image: edgexfoundry/docker-support-notifications-go:0.0.0-dev
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:48060:48060/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
    user: 2002:2001
    volumes:
    - edgex-init:/edgex-init:ro,z
    - /tmp/edgex/secrets/edgex-support-notifications:/tmp/edgex/secrets/edgex-support-notifications:ro,z
  rulesengine:
    container_name: edgex-kuiper
    depends_on:
    - app-service-rules
    environment:
      EDGEX__DEFAULT__PORT: 5566
      EDGEX__DEFAULT__PROTOCOL: tcp
      EDGEX__DEFAULT__SERVER: edgex-app-service-configurable-rules
      EDGEX__DEFAULT__SERVICESERVER: http://edgex-core-data:48080
      EDGEX__DEFAULT__TOPIC: events
      KUIPER__BASIC__CONSOLELOG: "true"
      KUIPER__BASIC__RESTPORT: 48075
    hostname: edgex-kuiper
    image: emqx/kuiper:1.0.0-alpine
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:20498:20498/tcp
    - 127.0.0.1:48075:48075/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
    volumes:
    - kuiper-data:/kuiper/data:z
  scheduler:
    command: /support-scheduler -cp=consul.http://edgex-core-consul:8500 --registry
      --confdir=/res
    container_name: edgex-support-scheduler
    depends_on:
    - consul
    - database
    - security-bootstrapper
    - vault-worker
    entrypoint:
    - /edgex-init/ready_to_run_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      CLIENTS_COMMAND_HOST: edgex-core-command
      CLIENTS_COREDATA_HOST: edgex-core-data
      CLIENTS_DATA_HOST: edgex-core-data
      CLIENTS_METADATA_HOST: edgex-core-metadata
      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
      CLIENTS_RULESENGINE_HOST: edgex-kuiper
      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
      DATABASES_PRIMARY_HOST: edgex-redis
      EDGEX_SECURITY_SECRET_STORE: "true"
      INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data
      INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data
      PROXY_SETUP_HOST: edgex-proxy
      REGISTRY_HOST: edgex-core-consul
      SECRETSTORE_HOST: edgex-vault
      SECRETSTORE_PORT: '8200'
      SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/edgex-support-scheduler/secrets-token.json
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      SERVICE_HOST: edgex-support-scheduler
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: edgex-support-scheduler
    image: edgexfoundry/docker-support-scheduler-go:0.0.0-dev
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:48085:48085/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
    user: 2002:2001
    volumes:
    - edgex-init:/edgex-init:ro,z
    - /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z
  security-bootstrapper:
    container_name: edgex-security-stage-gate
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      EDGEX_GROUP: '2001'
      EDGEX_USER: '2002'
      PROXY_SETUP_HOST: edgex-proxy
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: edgex-security-stage-gate
    image: edgexfoundry/docker-security-bootstrapper-go:0.0.0-dev
    networks:
      edgex-network: {}
    read_only: true
    security_opt:
    - no-new-privileges:true
    volumes:
    - edgex-init:/edgex-init:z
  system:
    container_name: edgex-sys-mgmt-agent
    depends_on:
    - command
    - consul
    - data
    - metadata
    - notifications
    - scheduler
    environment:
      CLIENTS_COMMAND_HOST: edgex-core-command
      CLIENTS_COREDATA_HOST: edgex-core-data
      CLIENTS_DATA_HOST: edgex-core-data
      CLIENTS_METADATA_HOST: edgex-core-metadata
      CLIENTS_NOTIFICATIONS_HOST: edgex-support-notifications
      CLIENTS_RULESENGINE_HOST: edgex-kuiper
      CLIENTS_SCHEDULER_HOST: edgex-support-scheduler
      CLIENTS_VIRTUALDEVICE_HOST: edgex-device-virtual
      DATABASES_PRIMARY_HOST: edgex-redis
      EDGEX_SECURITY_SECRET_STORE: "false"
      EXECUTORPATH: /sys-mgmt-executor
      METRICSMECHANISM: executor
      REGISTRY_HOST: edgex-core-consul
      SERVICE_HOST: edgex-sys-mgmt-agent
    hostname: edgex-sys-mgmt-agent
    image: edgexfoundry/docker-sys-mgmt-agent-go:0.0.0-dev
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:48090:48090/tcp
    read_only: true
    security_opt:
    - no-new-privileges:true
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock:z
  vault:
    cap_add:
    - IPC_LOCK
    command: server
    container_name: edgex-vault
    depends_on:
    - security-bootstrapper
    entrypoint:
    - /edgex-init/vault_wait_install.sh
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      PROXY_SETUP_HOST: edgex-proxy
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
      VAULT_ADDR: http://edgex-vault:8200
      VAULT_CONFIG_DIR: /vault/config
      VAULT_UI: "true"
    hostname: edgex-vault
    image: vault:1.5.3
    networks:
      edgex-network: {}
    ports:
    - 127.0.0.1:8200:8200/tcp
    tmpfs:
    - /vault/config
    volumes:
    - edgex-init:/edgex-init:ro,z
    - vault-file:/vault/file:z
    - vault-logs:/vault/logs:z
  vault-worker:
    container_name: edgex-vault-worker
    depends_on:
    - consul
    - security-bootstrapper
    - vault
    environment:
      API_GATEWAY_HOST: kong
      API_GATEWAY_STATUS_PORT: '8001'
      EDGEX_GROUP: '2001'
      EDGEX_USER: '2002'
      PROXY_SETUP_HOST: edgex-proxy
      SECTY_BOOTSTRAP_GATING_TIMEOUT_DURATION: 60s
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-stage-gate
      STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
      STAGEGATE_CONSUL_PORT: '8500'
      STAGEGATE_CONSUL_READYPORT: '54324'
      STAGEGATE_PG_HOST: kong-db
      STAGEGATE_PG_PORT: '5432'
      STAGEGATE_PG_READYPORT: '54325'
      STAGEGATE_READY_TORUNPORT: '54329'
      STAGEGATE_REDIS_PORT: '6379'
      STAGEGATE_REDIS_READYPORT: '54323'
      STAGEGATE_VAULTWORKER_HOST: edgex-vault-worker
      STAGEGATE_VAULTWORKER_TOKENS_READYPORT: '54322'
    hostname: edgex-vault-worker
    image: edgexfoundry/docker-security-secretstore-setup-go:0.0.0-dev
    networks:
      edgex-network: {}
    read_only: true
    security_opt:
    - no-new-privileges:true
    tmpfs:
    - /run
    - /vault
    volumes:
    - edgex-init:/edgex-init:ro,z
    - /tmp/edgex/secrets:/tmp/edgex/secrets:z
    - vault-config:/vault/config:z
version: '3.7'
volumes:
  consul-config: {}
  consul-data: {}
  db-data: {}
  edgex-init: {}
  kong: {}
  kuiper-data: {}
  postgres-config: {}
  postgres-data: {}
  vault-config: {}
  vault-file: {}
  vault-logs: {}
  1. Observe the docker log messages and edgex-security-installer, and related edgex core services should be up and running OK.

Other information

@jim-wang-intel jim-wang-intel self-assigned this Dec 23, 2020
@jim-wang-intel jim-wang-intel added this to the Ireland milestone Dec 23, 2020
@jim-wang-intel jim-wang-intel linked an issue Dec 23, 2020 that may be closed by this pull request
Create the full-blown bootstrap/control container #2884
Closed
@codecov-io
Copy link

codecov-io commented Dec 23, 2020
edited
Loading

Codecov Report

Merging #2970 (c4eb6dd) into master (ba3f575) will increase coverage by 0.64%.
The diff coverage is 72.34%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #2970      +/-   ##
==========================================
+ Coverage   40.28%   40.92%   +0.64%     
==========================================
  Files         158      168      +10     
  Lines       13736    14018     +282     
==========================================
+ Hits         5533     5737     +204     
- Misses       7882     7954      +72     
- Partials      321      327       +6
Impacted Files Coverage Δ
...rnal/security/bootstrapper/command/flags_common.go 0.00% <0.00%> (ø)
...rnal/security/bootstrapper/command/ping/command.go 53.84% <53.84%> (ø)
internal/security/bootstrapper/tcp/listener.go 68.96% <68.96%> (ø)
...rnal/security/bootstrapper/command/gate/command.go 78.94% <78.94%> (ø)
...curity/bootstrapper/command/genpassword/command.go 89.47% <89.47%> (ø)
internal/security/bootstrapper/tcp/client.go 90.47% <90.47%> (ø)
...rnal/security/bootstrapper/command/help/command.go 92.30% <92.30%> (ø)
...rity/bootstrapper/command/gethttpstatus/command.go 93.54% <93.54%> (ø)
...al/security/bootstrapper/command/listen/command.go 95.00% <95.00%> (ø)
...al/security/bootstrapper/command/cmd_dispatcher.go 100.00% <100.00%> (ø)
... and 10 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ba3f575...c4eb6dd. Read the comment docs.

@jim-wang-intel jim-wang-intel added dependencies Pull requests that update a dependency file security-review Pull requests that require review by a member of the Security WG labels Jan 4, 2021
@jim-wang-intel jim-wang-intel force-pushed the security-bootstrapper branch 2 times, most recently from 81e80c1 to 4113549 Compare January 4, 2021 20:46
@jim-wang-intel
Copy link
Contributor Author

edgex-go$ GO111MODULE=on go list -m all
github.com/edgexfoundry/edgex-go
bitbucket.org/bertimus9/systemstat v0.0.0-20180207000608-0eeff89b0690
github.com/BurntSushi/toml v0.3.1
github.com/OneOfOne/xxhash v1.2.8
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e
github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da
github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310
github.com/bgentry/speakeasy v0.1.0
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/davecgh/go-spew v1.1.1
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/eclipse/paho.mqtt.golang v1.2.0
github.com/edgexfoundry/go-mod-bootstrap v0.0.65
github.com/edgexfoundry/go-mod-configuration v0.0.8
github.com/edgexfoundry/go-mod-core-contracts v0.1.135
github.com/edgexfoundry/go-mod-messaging v0.1.29
github.com/edgexfoundry/go-mod-registry v0.1.27
github.com/edgexfoundry/go-mod-secrets v0.0.29
github.com/fatih/color v1.7.0
github.com/fsnotify/fsnotify v1.4.7
github.com/fxamacker/cbor/v2 v2.2.0
github.com/go-kit/kit v0.8.0
github.com/go-logfmt/logfmt v0.4.0
github.com/go-playground/assert/v2 v2.0.1
github.com/go-playground/locales v0.13.0
github.com/go-playground/universal-translator v0.17.0
github.com/go-playground/validator/v10 v10.3.0
github.com/go-redis/redis/v7 v7.2.0
github.com/go-stack/stack v1.8.0
github.com/golang/protobuf v1.3.2
github.com/gomodule/redigo v2.0.0+incompatible
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c
github.com/google/uuid v1.1.2
github.com/gorilla/mux v1.8.0
github.com/hashicorp/consul/api v1.1.0
github.com/hashicorp/consul/sdk v0.1.1
github.com/hashicorp/errwrap v1.0.0
github.com/hashicorp/go-cleanhttp v0.5.1
github.com/hashicorp/go-immutable-radix v1.0.0
github.com/hashicorp/go-msgpack v0.5.3
github.com/hashicorp/go-multierror v1.0.0
github.com/hashicorp/go-rootcerts v1.0.0
github.com/hashicorp/go-sockaddr v1.0.0
github.com/hashicorp/go-syslog v1.0.0
github.com/hashicorp/go-uuid v1.0.1
github.com/hashicorp/go.net v0.0.1
github.com/hashicorp/golang-lru v0.5.0
github.com/hashicorp/logutils v1.0.0
github.com/hashicorp/mdns v1.0.0
github.com/hashicorp/memberlist v0.1.3
github.com/hashicorp/serf v0.8.2
github.com/hpcloud/tail v1.0.0
github.com/imdario/mergo v0.3.11
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515
github.com/kr/pretty v0.1.0
github.com/kr/pty v1.1.1
github.com/kr/text v0.1.0
github.com/leodido/go-urn v1.2.0
github.com/lib/pq v1.9.0
github.com/mattn/go-colorable v0.0.9
github.com/mattn/go-isatty v0.0.3
github.com/miekg/dns v1.0.14
github.com/mitchellh/cli v1.0.0
github.com/mitchellh/consulstructure v0.0.0-20190329231841-56fdc4d2da54
github.com/mitchellh/copystructure v1.0.0
github.com/mitchellh/go-homedir v1.0.0
github.com/mitchellh/go-testing-interface v1.0.0
github.com/mitchellh/gox v0.4.0
github.com/mitchellh/iochan v1.0.0
github.com/mitchellh/mapstructure v1.1.2
github.com/mitchellh/reflectwalk v1.0.0
github.com/onsi/ginkgo v1.10.1
github.com/onsi/gomega v1.7.0
github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c
github.com/pebbe/zmq4 v1.0.0
github.com/pelletier/go-toml v1.2.0
github.com/pkg/errors v0.8.1
github.com/pmezard/go-difflib v1.0.0
github.com/posener/complete v1.1.1
github.com/robfig/cron v0.0.0-20180505203441-b41be1df6967
github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529
github.com/stretchr/objx v0.1.0
github.com/stretchr/testify v1.6.1
github.com/x448/float16 v0.8.4
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4
golang.org/x/sys v0.0.0-20191010194322-b09406accb47
golang.org/x/text v0.3.2
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15
gopkg.in/eapache/queue.v1 v1.1.0
gopkg.in/fsnotify.v1 v1.4.7
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
edgex-go$

The bold one in the above list, github.com/lib/pq, is the new go import/module used in this PR. And the dependency graph shows that total increase in new imports in count = 1.

edgex-go$ GO111MODULE=on go mod graph
github.com/edgexfoundry/edgex-go bitbucket.org/bertimus9/[email protected]
github.com/edgexfoundry/edgex-go github.com/BurntSushi/[email protected]
github.com/edgexfoundry/edgex-go github.com/OneOfOne/[email protected]
github.com/edgexfoundry/edgex-go github.com/dgrijalva/[email protected]+incompatible
github.com/edgexfoundry/edgex-go github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/edgex-go github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/edgex-go github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/edgex-go github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/edgex-go github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/edgex-go github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/edgex-go github.com/fxamacker/cbor/[email protected]
github.com/edgexfoundry/edgex-go github.com/gomodule/[email protected]+incompatible
github.com/edgexfoundry/edgex-go github.com/google/[email protected]
github.com/edgexfoundry/edgex-go github.com/gorilla/[email protected]
github.com/edgexfoundry/edgex-go github.com/imdario/[email protected]
github.com/edgexfoundry/edgex-go github.com/lib/[email protected]
github.com/edgexfoundry/edgex-go github.com/pkg/[email protected]
github.com/edgexfoundry/edgex-go github.com/robfig/[email protected]
github.com/edgexfoundry/edgex-go github.com/stretchr/[email protected]
github.com/edgexfoundry/edgex-go golang.org/x/[email protected]
github.com/edgexfoundry/edgex-go gopkg.in/eapache/[email protected]
github.com/edgexfoundry/edgex-go gopkg.in/[email protected]
github.com/fxamacker/cbor/[email protected] github.com/x448/[email protected]
github.com/edgexfoundry/[email protected] github.com/fxamacker/cbor/[email protected]
github.com/edgexfoundry/[email protected] github.com/go-kit/[email protected]
github.com/edgexfoundry/[email protected] github.com/go-logfmt/[email protected]
github.com/edgexfoundry/[email protected] github.com/go-playground/validator/[email protected]
github.com/edgexfoundry/[email protected] github.com/go-stack/[email protected]
github.com/edgexfoundry/[email protected] github.com/google/[email protected]
github.com/edgexfoundry/[email protected] github.com/stretchr/[email protected]
github.com/edgexfoundry/[email protected] gopkg.in/[email protected]
github.com/edgexfoundry/[email protected] github.com/eclipse/[email protected]
github.com/edgexfoundry/[email protected] github.com/go-redis/redis/[email protected]
github.com/edgexfoundry/[email protected] github.com/pebbe/[email protected]
github.com/edgexfoundry/[email protected] github.com/stretchr/[email protected]
github.com/edgexfoundry/[email protected] golang.org/x/[email protected]
github.com/go-logfmt/[email protected] github.com/kr/[email protected]
github.com/stretchr/[email protected] github.com/davecgh/[email protected]
github.com/stretchr/[email protected] github.com/pmezard/[email protected]
github.com/stretchr/[email protected] github.com/stretchr/[email protected]
github.com/go-playground/validator/[email protected] github.com/go-playground/assert/[email protected]
github.com/go-playground/validator/[email protected] github.com/go-playground/[email protected]
github.com/go-playground/validator/[email protected] github.com/go-playground/[email protected]
github.com/go-playground/validator/[email protected] github.com/leodido/[email protected]
github.com/edgexfoundry/[email protected] github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/[email protected] github.com/stretchr/[email protected]
github.com/stretchr/[email protected] github.com/davecgh/[email protected]
github.com/stretchr/[email protected] github.com/pmezard/[email protected]
github.com/stretchr/[email protected] github.com/stretchr/[email protected]
github.com/stretchr/[email protected] gopkg.in/[email protected]
github.com/imdario/[email protected] gopkg.in/[email protected]
github.com/go-redis/redis/[email protected] github.com/golang/[email protected]
github.com/go-redis/redis/[email protected] github.com/kr/[email protected]
github.com/go-redis/redis/[email protected] github.com/onsi/[email protected]
github.com/go-redis/redis/[email protected] github.com/onsi/[email protected]
github.com/go-redis/redis/[email protected] golang.org/x/[email protected]
github.com/go-redis/redis/[email protected] golang.org/x/[email protected]
github.com/go-redis/redis/[email protected] golang.org/x/[email protected]
github.com/go-redis/redis/[email protected] gopkg.in/[email protected]
github.com/go-redis/redis/[email protected] gopkg.in/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
gopkg.in/[email protected] gopkg.in/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
github.com/go-playground/[email protected] golang.org/x/[email protected]
gopkg.in/[email protected] gopkg.in/[email protected]
github.com/edgexfoundry/[email protected] github.com/cenkalti/[email protected]+incompatible
github.com/edgexfoundry/[email protected] github.com/hashicorp/consul/[email protected]
github.com/edgexfoundry/[email protected] github.com/mitchellh/[email protected]
github.com/edgexfoundry/[email protected] github.com/mitchellh/[email protected]
github.com/edgexfoundry/[email protected] github.com/pelletier/[email protected]
github.com/edgexfoundry/[email protected] github.com/pkg/[email protected]
github.com/edgexfoundry/[email protected] github.com/stretchr/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
github.com/stretchr/[email protected] github.com/davecgh/[email protected]
github.com/stretchr/[email protected] github.com/pmezard/[email protected]
github.com/stretchr/[email protected] github.com/stretchr/[email protected]
github.com/stretchr/[email protected] gopkg.in/[email protected]
github.com/hashicorp/consul/[email protected] github.com/hashicorp/consul/[email protected]
github.com/hashicorp/consul/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/consul/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/consul/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/consul/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/consul/[email protected] github.com/mitchellh/[email protected]
github.com/hashicorp/consul/[email protected] github.com/pascaldekloe/[email protected]
github.com/hashicorp/consul/[email protected] github.com/stretchr/[email protected]
github.com/edgexfoundry/[email protected] github.com/BurntSushi/[email protected]
github.com/edgexfoundry/[email protected] github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/[email protected] github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/[email protected] github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/[email protected] github.com/edgexfoundry/[email protected]
github.com/edgexfoundry/[email protected] github.com/gorilla/[email protected]
github.com/edgexfoundry/[email protected] github.com/pelletier/[email protected]
github.com/edgexfoundry/[email protected] github.com/stretchr/[email protected]
github.com/go-playground/[email protected] github.com/go-playground/[email protected]
github.com/edgexfoundry/[email protected] github.com/cenkalti/[email protected]+incompatible
github.com/edgexfoundry/[email protected] github.com/hashicorp/consul/[email protected]
github.com/edgexfoundry/[email protected] github.com/mitchellh/[email protected]
github.com/edgexfoundry/[email protected] github.com/mitchellh/[email protected]
github.com/edgexfoundry/[email protected] github.com/pelletier/[email protected]
github.com/edgexfoundry/[email protected] github.com/stretchr/[email protected]
github.com/onsi/[email protected] github.com/fsnotify/[email protected]
github.com/onsi/[email protected] github.com/golang/[email protected]
github.com/onsi/[email protected] github.com/hpcloud/[email protected]
github.com/onsi/[email protected] github.com/onsi/[email protected]
github.com/onsi/[email protected] golang.org/x/[email protected]
github.com/onsi/[email protected] golang.org/x/[email protected]
github.com/onsi/[email protected] golang.org/x/[email protected]
github.com/onsi/[email protected] golang.org/x/[email protected]
github.com/onsi/[email protected] gopkg.in/[email protected]
github.com/onsi/[email protected] gopkg.in/[email protected]
github.com/onsi/[email protected] gopkg.in/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
gopkg.in/[email protected] gopkg.in/[email protected]
github.com/leodido/[email protected] github.com/stretchr/[email protected]
github.com/stretchr/[email protected] github.com/davecgh/[email protected]
github.com/stretchr/[email protected] github.com/pmezard/[email protected]
github.com/stretchr/[email protected] github.com/stretchr/[email protected]
github.com/stretchr/[email protected] gopkg.in/[email protected]
github.com/edgexfoundry/[email protected] github.com/fxamacker/cbor/[email protected]
github.com/edgexfoundry/[email protected] github.com/go-kit/[email protected]
github.com/edgexfoundry/[email protected] github.com/go-logfmt/[email protected]
github.com/edgexfoundry/[email protected] github.com/go-playground/validator/[email protected]
github.com/edgexfoundry/[email protected] github.com/go-stack/[email protected]
github.com/edgexfoundry/[email protected] github.com/google/[email protected]
github.com/edgexfoundry/[email protected] github.com/stretchr/[email protected]
github.com/edgexfoundry/[email protected] gopkg.in/[email protected]
github.com/hashicorp/[email protected] github.com/armon/[email protected]
github.com/hashicorp/[email protected] github.com/armon/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/mitchellh/[email protected]
github.com/hashicorp/[email protected] github.com/mitchellh/[email protected]
github.com/hashicorp/[email protected] github.com/mitchellh/[email protected]
github.com/hashicorp/[email protected] github.com/mitchellh/[email protected]
github.com/hashicorp/[email protected] github.com/ryanuber/[email protected]
github.com/hashicorp/[email protected] github.com/stretchr/[email protected]
github.com/hashicorp/[email protected] golang.org/x/[email protected]
gopkg.in/[email protected] gopkg.in/[email protected]
github.com/hashicorp/[email protected] github.com/mitchellh/[email protected]
github.com/mitchellh/[email protected] github.com/mitchellh/[email protected]
gopkg.in/[email protected] gopkg.in/[email protected]
gopkg.in/[email protected] gopkg.in/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/miekg/[email protected]
github.com/hashicorp/[email protected] golang.org/x/[email protected]
github.com/hashicorp/[email protected] golang.org/x/[email protected]
github.com/hashicorp/[email protected] golang.org/x/[email protected]
github.com/hashicorp/[email protected] golang.org/x/[email protected]
github.com/hashicorp/[email protected] github.com/armon/[email protected]
github.com/hashicorp/[email protected] github.com/davecgh/[email protected]
github.com/hashicorp/[email protected] github.com/google/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/miekg/[email protected]
github.com/hashicorp/[email protected] github.com/pascaldekloe/[email protected]
github.com/hashicorp/[email protected] github.com/pmezard/[email protected]
github.com/hashicorp/[email protected] github.com/sean-/[email protected]
github.com/hashicorp/[email protected] github.com/stretchr/[email protected]
github.com/hashicorp/[email protected] golang.org/x/[email protected]
github.com/hashicorp/[email protected] golang.org/x/[email protected]
github.com/hashicorp/[email protected] golang.org/x/[email protected]
github.com/hashicorp/[email protected] golang.org/x/[email protected]
github.com/kr/[email protected] github.com/kr/[email protected]
github.com/hashicorp/consul/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/consul/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/consul/[email protected] github.com/mitchellh/[email protected]
github.com/hashicorp/consul/[email protected] github.com/pkg/[email protected]
github.com/kr/[email protected] github.com/kr/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/mitchellh/[email protected] github.com/armon/[email protected]
github.com/mitchellh/[email protected] github.com/bgentry/[email protected]
github.com/mitchellh/[email protected] github.com/fatih/[email protected]
github.com/mitchellh/[email protected] github.com/hashicorp/[email protected]
github.com/mitchellh/[email protected] github.com/mattn/[email protected]
github.com/mitchellh/[email protected] github.com/mattn/[email protected]
github.com/mitchellh/[email protected] github.com/posener/[email protected]
github.com/mitchellh/[email protected] golang.org/x/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
edgex-go$

In particular, searching on lib/pq only shows one dependency in go mod graph:

edgex-go$ GO111MODULE=on go mod graph | grep "lib/pq"
github.com/edgexfoundry/edgex-go github.com/lib/[email protected]
edgex-go$

Statistics measures as of 01/04/2021:

License type: MIT based on the content of license (compared https://github.com/lib/pq/blob/master/LICENSE.md with https://opensource.org/licenses/MIT).

@jim-wang-intel jim-wang-intel force-pushed the security-bootstrapper branch 3 times, most recently from 6ff8d3b to f7efb5d Compare January 5, 2021 21:14
@jim-wang-intel jim-wang-intel mentioned this pull request Jan 5, 2021
Merged
2 tasks
@jim-wang-intel jim-wang-intel force-pushed the security-bootstrapper branch 2 times, most recently from fb0dd7a to dd0b41c Compare January 6, 2021 16:41
hutchic
hutchic previously approved these changes Jan 6, 2021
View reviewed changes
Copy link
Member

@hutchic hutchic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

based on the import stats and usage metrics I approve adding lib/pq. Not an explicit approval of the PR just the library itself

@bnevis-i
Copy link
Collaborator

bnevis-i commented Jan 6, 2021

I approve adding lib/pq based on the current vetting metrics.

@jim-wang-intel jim-wang-intel marked this pull request as ready for review January 6, 2021 17:52
lenny-goodell
lenny-goodell requested changes Jan 7, 2021
View reviewed changes
Copy link
Member

@lenny-goodell lenny-goodell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Haven't completed review , but wanted to get these comments posted.

cmd/core-command/Dockerfile Outdated Show resolved Hide resolved
cmd/core-command/entrypoint.sh Outdated Show resolved Hide resolved
cmd/core-command/Dockerfile Outdated Show resolved Hide resolved
cmd/core-command/Dockerfile Outdated Show resolved Hide resolved
cmd/core-command/Dockerfile Outdated Show resolved Hide resolved
cmd/security-bootstrapper/Dockerfile Show resolved Hide resolved
cmd/security-bootstrapper/Dockerfile Outdated Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh Outdated Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh Outdated Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh Outdated Show resolved Hide resolved
@jim-wang-intel jim-wang-intel force-pushed the security-bootstrapper branch 2 times, most recently from 66138a4 to 1fe9c57 Compare January 12, 2021 22:20
lenny-goodell
lenny-goodell requested changes Jan 14, 2021
View reviewed changes
cmd/security-bootstrapper/entrypoint.sh Outdated Show resolved Hide resolved
cmd/security-bootstrapper/res/configuration.toml Outdated Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint.sh Outdated Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/kong_wait_install.sh Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh Outdated Show resolved Hide resolved
internal/security/bootstrapper/tcp/listener_test.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/tcp/listener_test.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/command/install/command.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/command/install/command.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/command/install/command.go Outdated Show resolved Hide resolved
@jim-wang-intel jim-wang-intel force-pushed the security-bootstrapper branch 5 times, most recently from d1b6f8c to 2446ae0 Compare January 15, 2021 22:53
@jim-wang-intel jim-wang-intel force-pushed the security-bootstrapper branch 2 times, most recently from 1b2dc09 to 1f38eab Compare January 19, 2021 22:45
@jim-wang-intel
Copy link
Contributor Author

recheck

lenny-goodell
lenny-goodell requested changes Jan 20, 2021
View reviewed changes
Copy link
Member

@lenny-goodell lenny-goodell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good! Just a few more minor thngs.

cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh Outdated Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/redis_wait_install.sh Outdated Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint.sh Outdated Show resolved Hide resolved
cmd/security-secretstore-setup/entrypoint.sh Outdated Show resolved Hide resolved
internal/security/bootstrapper/command/listen/command.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/config/config.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/config/types.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/config/types.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/config/types.go Outdated Show resolved Hide resolved
@jim-wang-intel
Copy link
Contributor Author

@lenny-intel please re-review it again, i've addressed all comments + the toml structure we have agreed on over the phone. Thanks!

lenny-goodell
lenny-goodell requested changes Jan 21, 2021
View reviewed changes
Copy link
Member

@lenny-goodell lenny-goodell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very close. Just a few minor updates and need to rebase.

internal/security/bootstrapper/command/gate/command.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/command/gate/command.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/command/gate/command.go Outdated Show resolved Hide resolved
lenny-goodell
lenny-goodell previously approved these changes Jan 21, 2021
View reviewed changes
Copy link
Member

@lenny-goodell lenny-goodell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just needs rebasing now.

@jim-wang-intel
feat(security): Add new implementation for security bootstrapping/ins…
401c9bf 
…tallation

Closes: edgexfoundry#2884

The scurity container bootstrapping initiates with security-bootstrapper service, in which it bootstraps
the pre-seeded secrets and credentials.

The security-bootstrapper starts with seeding the vault_wait_install.sh script (contains the dockerize utility)
to be available for other containers that needs to wait for the intended done-listener is issued and connected.

The other containers in the security bootstrapping process currently are:
 - Redis bootstrapping
 - Consul bootstrapping
 - Kong bootstrapping
 - Postgres bootstrapping

The dockerize utility is used on those above containers to wait for that security-bootstrapper
tcp listener done signal and then those container can proceed to start up.

Security-bootstrapper's entrypoint script is also for other edgex-core-services to wait for the intended port to be ready.

The majority of edgex-core-services are converted to alpine-based image to facilitate the ability to use entrypoint scripts.

Also remove unused environment flag: SECRETSTORE_SETUP_DONE_FLAG from secretstore_setup's entrypoint script
That env flag will also needed to be cleaned up on the docker-compose file

All timeout for dockerize wait-timeout in one central place.
Also add the consul local config for disabling the auto check upate as currently consul is not running in SSL mode.

Add lib/pq into Attribution.txt

Run security-bootstrapper executeable as non-root user, $$EDGEX_USER

All env. variables of entrypoint scripts are populated from the env files of compose builder in developer-scripts

Signed-off-by: Jim Wang <[email protected]>
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
7.8% 7.8% Duplication

@jim-wang-intel
Copy link
Contributor Author

Rebased and squashed. Thanks!

@lenny-goodell lenny-goodell merged commit 5dc76a6 into edgexfoundry:master Jan 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lenny-goodell lenny-goodell lenny-goodell approved these changes

@hutchic hutchic hutchic left review comments

@beaufrusetta beaufrusetta Awaiting requested review from beaufrusetta

@cloudxxx8 cloudxxx8 Awaiting requested review from cloudxxx8

@andresrinivasan andresrinivasan Awaiting requested review from andresrinivasan

@bnevis-i bnevis-i Awaiting requested review from bnevis-i

Assignees

@jim-wang-intel jim-wang-intel

Labels
dependencies Pull requests that update a dependency file enhancement New feature or request ireland request for comments security-review Pull requests that require review by a member of the Security WG security-services
Projects
None yet
Milestone
Ireland
Development

Successfully merging this pull request may close these issues.

Create the full-blown bootstrap/control container
5 participants
@jim-wang-intel @codecov-io @bnevis-i @hutchic @lenny-goodell