Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(security): Create a Vault mgmt token for Consul Secrets API Operations #3192

Merged
merged 3 commits into from
Feb 26, 2021
Merged

feat(security): Create a Vault mgmt token for Consul Secrets API Operations #3192

merged 3 commits into from
Feb 26, 2021

Conversation

jim-wang-intel
Copy link
Contributor

@jim-wang-intel jim-wang-intel commented Feb 24, 2021
edited
Loading

Part of Phase 1 Securing Consul stories: Create a Vault token to configure consul access

Changes in secretstore-setup:

  • add token file writer implementation for creating and writing Vault's Consul secrets admin token
  • add Consul ACL feature flag "ENABLE_REGISTRY_ACL"
  • add configuration setting for ConsulSecretAdminTokenPath for specifying token file location
  • refactor TokenMaintenance to share code with token file writer's implementation

Closes: #3155

Signed-off-by: Jim Wang [email protected]

PR Checklist

Please check if your PR fulfills the following requirements:

  • [x ] Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

If your build fails due to your commit message not passing the build checks, please review the guidelines here: https://github.com/edgexfoundry/edgex-go/blob/master/.github/Contributing.md.

What is the current behavior?

N/A

Issue Number: #3155

What is the new behavior?

New Vault token created for special purpose of management Consul Secrets APIs operations policy: configure access / create update roles later on. This token will be later used by Consul's bootstrapper.

Does this PR introduce a breaking change?

  • Yes
  • [x ] No

New Imports

  • Yes
  • [x ] No

Specific Instructions

Are there any specific instructions or things that should be known prior to reviewing?

Other information

To verify this locally, one can git clone this PR and build a dev version of docker_secretstore_setup and then add the following environment variables to docker-compose file of secretstore-setup:

 environment:
      ENABLE_REGISTRY_ACL: "true"

so that the ACL feature is turned on. Run make run dev and then observe the following docker logs from edgex-secretstore-setup:
docker logs edgex-secretstore-setup | grep "edgex-consul/admin/token"


jim@jim-NUC7i5DNHE:~/go/src/github.com/edgexfoundry/edgex-compose/compose-builder$ docker logs edgex-secretstore-setup | grep "edgex-consul/admin/token"
level=INFO ts=2021-02-24T22:47:57.466345924Z app=edgex-security-secretstore-setup source=tokenfilewriter.go:110 msg="token's written to /tmp/edgex/secrets/edgex-consul/admin/token.json"
jim@jim-NUC7i5DNHE:~/go/src/github.com/edgexfoundry/edgex-compose/compose-builder$

And also list the file, too:
$ sudo ls -al /tmp/edgex/secrets/edgex-consul/admin/

[sudo] password for jim: 
total 12
drwx------ 2 2002 2001 4096 Feb 24 12:56 .
drwx------ 3 2002 2001 4096 Feb 24 12:56 ..
-rw------- 1 2002 2001  536 Feb 24 15:47 token.json

@jim-wang-intel jim-wang-intel added enhancement New feature or request security-services 3-high priority denoting release-blocking issues ireland labels Feb 24, 2021
@jim-wang-intel jim-wang-intel added this to the Ireland milestone Feb 24, 2021
@jim-wang-intel jim-wang-intel self-assigned this Feb 24, 2021
@jim-wang-intel jim-wang-intel force-pushed the create-special-vault-token branch 2 times, most recently from 123b826 to 5c6281c Compare February 25, 2021 14:45
bnevis-i
bnevis-i previously requested changes Feb 25, 2021
View reviewed changes
cmd/security-secretstore-setup/res/configuration.toml Show resolved Hide resolved
internal/security/secretstore/constants.go Show resolved Hide resolved
internal/security/secretstore/init.go Show resolved Hide resolved
internal/security/secretstore/tokenfilewriter/tokenfilewriter.go Show resolved Hide resolved
internal/security/secretstore/tokenfilewriter/tokenfilewriter.go Show resolved Hide resolved
internal/security/secretstore/tokenfilewriter/tokenfilewriter.go Outdated Show resolved Hide resolved
internal/security/secretstore/tokenfilewriter/tokenfilewriter.go Outdated Show resolved Hide resolved
internal/security/secretstore/tokenfilewriter/tokenfilewriter_test.go Show resolved Hide resolved
internal/security/secretstore/tokenfilewriter/tokenfilewriter_test.go Outdated Show resolved Hide resolved
internal/security/secretstore/tokenfilewriter/tokenfilewriter_test.go Show resolved Hide resolved
@jim-wang-intel jim-wang-intel force-pushed the create-special-vault-token branch from 5c6281c to 8169d6f Compare February 26, 2021 01:09
@jim-wang-intel
feat(security): Create a Vault mgmt token for Consul Secrets Operations
7656175 
Changes in secretstore-setup:
 - add token file writer implementation for creating and writing Vault's Consul secrets admin token
 - add Consul ACL feature flag "ENABLE_REGISTRY_ACL"
 - add configuration setting for ConsulSecretAdminTokenPath for specifying token file location
 - refactor TokenMaintenance to share code with token file writer's implementation

Closes: edgexfoundry#3155

Signed-off-by: Jim Wang <[email protected]>
@jim-wang-intel
fix: Address PR feedbacks
e1d67c5 
Address feedbacks on tokenfile writer

Signed-off-by: Jim Wang <[email protected]>
@bnevis-i bnevis-i dismissed their stale review February 26, 2021 17:31

Withdrawing review.

@jim-wang-intel
fix: address PR comments
ee855b8 
PR comments addressed

Signed-off-by: Jim Wang <[email protected]>
@jim-wang-intel jim-wang-intel force-pushed the create-special-vault-token branch from 8169d6f to ee855b8 Compare February 26, 2021 19:05
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

lenny-goodell
lenny-goodell approved these changes Feb 26, 2021
View reviewed changes
Copy link
Member

@lenny-goodell lenny-goodell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@lenny-goodell lenny-goodell merged commit 257616a into edgexfoundry:master Feb 26, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bnevis-i bnevis-i bnevis-i left review comments

@ernestojeda ernestojeda ernestojeda left review comments

@lenny-goodell lenny-goodell lenny-goodell approved these changes

@beaufrusetta beaufrusetta Awaiting requested review from beaufrusetta

@hutchic hutchic Awaiting requested review from hutchic

@tonyespy tonyespy Awaiting requested review from tonyespy

@cloudxxx8 cloudxxx8 Awaiting requested review from cloudxxx8

Assignees

@jim-wang-intel jim-wang-intel

Labels
3-high priority denoting release-blocking issues enhancement New feature or request ireland security-services
Projects
None yet
Milestone
Ireland
Development

Successfully merging this pull request may close these issues.

[Secure Consul Ph. 1] Implement the token creation of specific Vault token for Consul's ACL bootstrapping
4 participants
@jim-wang-intel @ernestojeda @bnevis-i @lenny-goodell