
[Secure Consul Ph. 1] Snap: Enable and Bootstrap Consul ACL to configure Vault's Consul secret engine Access #3222

Closed
jim-wang-intel opened this issue Mar 4, 2021 · 0 comments · Fixed by #3223
Assignees
Labels
3-high priority denoting release-blocking issues enhancement New feature or request ireland security-services snap Snap packaging
Milestone

Comments

@jim-wang-intel
Contributor

🚀 Feature Request

Relevant Package

This feature request is for Consul's bootstrapper in SNAP. This is a similar feature to #3156 but within the snap packaging build itself.

Description

Consul is to be enabled with persistent agent tokens and a default "allow" policy. Bootstrap Consul's ACL and save Consul's bootstrap management token into a file.

Describe the solution you'd like

  1. Create Consul's default allow policy with persistent agent tokens turned on
  2. Bootstrap Consul's ACL and save the returned Consul bootstrap management token into a file for later use.
  3. Use both the pre-stored special Vault token in the temp. volume mount and the Consul bootstrap management token to configure the Vault's Consul secret engine access.
  4. Add logic to check whether Consul's ACL has been bootstrapped already, because it will produce an error if we try to bootstrap Consul's ACL again a second time or later.

Describe alternatives you've considered

Have you considered any alternative solutions or workarounds?
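One way to implement steps 2 to 4 of the request above, as an added Go example that is not edgex-go's own bootstrapper code: it calls Consul's `PUT /v1/acl/bootstrap`, saves the returned management token in an owner-only file, treats Consul's 403 "ACL bootstrap no longer allowed" reply as the already-bootstrapped case from step 4, and then hands the token to Vault's Consul secrets engine through `POST /v1/<mount>/config/access`. The token file path, the local endpoint addresses, reading the special Vault token from `VAULT_TOKEN`, and the helper names are assumptions for this example, not the project's settings.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrAlreadyBootstrapped: Consul answered 403 "ACL bootstrap no longer allowed" (step 4's case).
var ErrAlreadyBootstrapped = errors.New("consul ACL already bootstrapped")

// do sends one HTTP request and returns status and body; vaultToken, if set, goes in X-Vault-Token.
func do(c *http.Client, method, url, vaultToken string, body []byte) (int, []byte, error) {
	req, err := http.NewRequest(method, url, bytes.NewReader(body))
	if err != nil {
		return 0, nil, err
	}
	if vaultToken != "" {
		req.Header.Set("X-Vault-Token", vaultToken)
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return resp.StatusCode, b, err
}

// BootstrapACL performs step 2: PUT /v1/acl/bootstrap returns the one-time management token.
func BootstrapACL(c *http.Client, consulURL string) (string, error) {
	status, body, err := do(c, http.MethodPut, consulURL+"/v1/acl/bootstrap", "", nil)
	if err != nil {
		return "", err
	}
	if status == http.StatusForbidden && strings.Contains(string(body), "ACL bootstrap no longer allowed") {
		return "", ErrAlreadyBootstrapped
	}
	if status != http.StatusOK {
		return "", fmt.Errorf("consul bootstrap: HTTP %d: %s", status, strings.TrimSpace(string(body)))
	}
	var tok struct{ SecretID string }
	if err := json.Unmarshal(body, &tok); err != nil || tok.SecretID == "" {
		return "", fmt.Errorf("consul bootstrap: unexpected response %q", body)
	}
	return tok.SecretID, nil
}

// EnsureBootstrapToken is steps 2 and 4 together: reuse the saved token if the file exists,
// otherwise bootstrap once and persist the token in a file readable only by its owner.
func EnsureBootstrapToken(c *http.Client, consulURL, tokenPath string) (string, error) {
	if saved, err := os.ReadFile(tokenPath); err == nil && strings.TrimSpace(string(saved)) != "" {
		return strings.TrimSpace(string(saved)), nil
	}
	tok, err := BootstrapACL(c, consulURL)
	if err != nil {
		// Includes the already-bootstrapped case: saved token gone, Consul will not issue another.
		return "", fmt.Errorf("no saved token at %s and bootstrap failed: %w", tokenPath, err)
	}
	if err := os.MkdirAll(filepath.Dir(tokenPath), 0o700); err != nil {
		return "", err
	}
	return tok, os.WriteFile(tokenPath, []byte(tok+"\n"), 0o600)
}

// ConfigureVaultConsulEngine performs step 3: hand the management token to Vault's Consul
// secrets engine (default mount "consul") via POST /v1/<mount>/config/access.
func ConfigureVaultConsulEngine(c *http.Client, vaultURL, vaultToken, mount, consulAddr, consulToken string) error {
	payload, _ := json.Marshal(map[string]string{"address": consulAddr, "scheme": "http", "token": consulToken})
	status, body, err := do(c, http.MethodPost, vaultURL+"/v1/"+mount+"/config/access", vaultToken, payload)
	if err != nil {
		return err
	}
	if status != http.StatusNoContent && status != http.StatusOK {
		return fmt.Errorf("vault %s/config/access: HTTP %d: %s", mount, status, strings.TrimSpace(string(body)))
	}
	return nil
}

func main() {
	// Assumed local endpoints, token path and VAULT_TOKEN env var; a real deployment reads these from config.
	tok, err := EnsureBootstrapToken(http.DefaultClient, "http://127.0.0.1:8500", "/tmp/edgex/consul-bootstrap.token")
	if err == nil {
		err = ConfigureVaultConsulEngine(http.DefaultClient, "http://127.0.0.1:8200", os.Getenv("VAULT_TOKEN"), "consul", "127.0.0.1:8500", tok)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Step 1 is agent configuration rather than an API call: `acl { enabled = true, default_policy = "allow", enable_token_persistence = true }` in the Consul agent's configuration (HCL or its JSON equivalent). The caveat the check in step 4 protects against is that Consul's bootstrap is one-shot: once it has succeeded, later calls to `/v1/acl/bootstrap` are refused with 403, so if the saved token file is lost the ACL system has to be reset through Consul's documented bootstrap-reset procedure rather than retried in a loop.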
@jim-wang-intel jim-wang-intel added enhancement New feature or request snap Snap packaging security-services 3-high priority denoting release-blocking issues ireland labels Mar 4, 2021
@jim-wang-intel jim-wang-intel added this to the Ireland milestone Mar 4, 2021
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Mar 4, 2021
- Add token for consul secret engine in snap
- Add env. for ACL enable: ENABLE_REGISTRY_ACL: true
- Add env. for consul secret engine admin token: SECRETSTORE_CONSULSECRETSADMINTOKENPATH
- Add logic for copying the needed configuration toml from security-bootstrapper
- Add consul-bootstrapper one-shot service for setting up Consul's ACL
- Add feature flag logic in start_consul.sh shell script

Closes: edgexfoundry#3222

Signed-off-by: Jim Wang <[email protected]>
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Mar 8, 2021
- Add token for consul secret engine in snap
- Add env. for ACL enable: ENABLE_REGISTRY_ACL: true
- Add env. for consul secret engine admin token: SECRETSTORE_CONSULSECRETSADMINTOKENPATH
- Add logic for copying the needed configuration toml from security-bootstrapper
- Add consul-bootstrapper one-shot service for setting up Consul's ACL
- Add feature flag logic in start_consul.sh shell script
- Add env. overrides for consul-bootstrapper
- Make consul-bootstrapper use shell script as command to run setupRegistryACL

Closes: edgexfoundry#3222

Signed-off-by: Jim Wang <[email protected]>
@hutchic hutchic linked a pull request Mar 10, 2021 that will close this issue
jim-wang-intel added a commit that referenced this issue Mar 22, 2021
- Add token for consul secret engine in snap
- Add env. for ACL enable: ENABLE_REGISTRY_ACL: true
- Add env. for consul secret engine admin token: SECRETSTORE_CONSULSECRETSADMINTOKENPATH
- Add logic for copying the needed configuration toml from security-bootstrapper
- Add consul-bootstrapper one-shot service for setting up Consul's ACL
- Add feature flag logic in start_consul.sh shell script
- Add env. overrides for consul-bootstrapper
- Make consul-bootstrapper use shell script as command to run setupRegistryACL

Closes: #3222

Signed-off-by: Jim Wang <[email protected]>