Make chown path in security-secretstore-setup startup.sh parameterizable. #4570
Comments
Although it is true that references to /tmp/edgex/secrets are parameterizable almost everywhere else except here, I also want to point out that In other words, is changing this line
Additionally, I would like to comment on the choice of the relocated path: The reason
@rk94655 did the workaround of changing the container mount path take care of the issue?
Hi @bnevis-i The reason for keeping tokens out of the /tmp folder is the security concerns of the organization. Hence, the tokens are stored in /usr/local/share/secrets inside the container and it is bound to the path ~/.local/share/secrets on the host. In future, we will try the volume part, but it would be better if we make the token path configurable in entrypoint.sh also.
@rk94655 I will reopen this then and put the request in the backlog.
@rk94655 I would like your feedback on the attached pull request.
Yes, this is right now, that we are taking the root of the token directory from environment variables. In this way, the token path for edgex services inside containers is also configurable. Thanks for the PR @bnevis-i. But this value can be read from TokenFileProvider.OutputDir of the file cmd/security-secretstore-setup/res-file-token-provider/configuration.toml. So, we should remove defining a new variable
To do this we'd have to parse https://github.com/edgexfoundry/edgex-go/blob/main/cmd/security-secretstore-setup/res-file-token-provider/configuration.yaml#L12 from shell script (possible, now that it is YAML) and also be able to check TOKENFILEPROVIDER_OUTPUTDIR for an override. @lenny-intel Comments?
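The resolution order the comment above describes (environment override, then the TokenFileProvider.OutputDir value from configuration.yaml, then the historical default), as an added example that is not the edgex-go project's entrypoint.sh. It assumes the two-level YAML layout `TokenFileProvider:` / `  OutputDir: <path>` and the override variable name TOKENFILEPROVIDER_OUTPUTDIR mentioned in the thread; the awk lookup is deliberately minimal, not a general YAML parser. Because the resolved value ends up in `chown -R`, the resolver refuses relative paths, the filesystem root and anything containing `..` before the ownership step runs.

```shell
#!/bin/sh
# Added example, not the edgex-go project's entrypoint.sh. Precedence:
#   1. TOKENFILEPROVIDER_OUTPUTDIR environment override (named in the thread)
#   2. TokenFileProvider.OutputDir from configuration.yaml (layout assumed)
#   3. the historical default /tmp/edgex/secrets
# The resolved path is validated before it is handed to "chown -R".

# Minimal YAML lookup: prints the OutputDir value nested under TokenFileProvider.
# Assumes the "Section:\n  Key: value" layout; not a general YAML parser.
yaml_output_dir() {
  awk '
    /^[A-Za-z]/ { section = $1; sub(":", "", section) }
    section == "TokenFileProvider" && $1 == "OutputDir:" {
      value = $2; gsub(/"/, "", value); print value; exit
    }
  ' "$1"
}

# Resolve the token directory; prints it, or returns 1 if the value is unsafe
# to pass to a recursive chown (relative, filesystem root, or containing "..").
resolve_token_dir() {
  conf="$1"
  dir="${TOKENFILEPROVIDER_OUTPUTDIR:-}"
  if [ -z "$dir" ] && [ -r "$conf" ]; then
    dir="$(yaml_output_dir "$conf")"
  fi
  [ -n "$dir" ] || dir="/tmp/edgex/secrets"
  case "$dir" in
    /)    echo "refusing to use filesystem root as token dir" >&2; return 1 ;;
    *..*) echo "token dir must not contain '..': $dir" >&2; return 1 ;;
    /*)   ;;
    *)    echo "token dir must be an absolute path: $dir" >&2; return 1 ;;
  esac
  printf '%s\n' "$dir"
}

# Same chown step as the snippet in the report, but on the resolved directory,
# with quoted expansions, and skipped (return 2) when the directory is absent.
change_secrets_ownership() {
  dir="$1"; user="$2"; group="$3"
  if [ ! -d "$dir" ]; then
    echo "$(date) token dir $dir does not exist; skipping chown" >&2
    return 2
  fi
  echo "$(date) Changing ownership of secrets in $dir to ${user}:${group}"
  chown -Rh "${user}:${group}" "$dir"
}

# Demo (run with --demo): constructed config pointing at a temp dir, which is
# chowned to the current user so the run needs no privileges.
if [ "${1:-}" = "--demo" ]; then
  work="$(mktemp -d)"
  mkdir -p "$work/secrets/core-metadata"
  printf 'TokenFileProvider:\n  OutputDir: %s\n' "$work/secrets" > "$work/configuration.yaml"
  target="$(resolve_token_dir "$work/configuration.yaml")"
  change_secrets_ownership "$target" "$(id -u)" "$(id -g)"
  ls -ld "$target/core-metadata"
  rm -rf "$work"
fi
```

In a real entrypoint the two functions replace the hard-coded `chown -Rh ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets` line; the validation matters because a recursive chown on a mis-set or empty path would change ownership far outside the token directory.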
Closes #4570 Signed-off-by: Bryon Nevis <[email protected]>
🐞 Bug Report
Affected Services [REQUIRED]
The issue is located in: entrypoint.sh file of security-secretstore-setup
Is this a regression? no
no, the issue is from Jakarta version itself
Description and Minimal Reproduction [REQUIRED]
The entrypoint.sh file of security-secretstore-setup changes the ownership of the token directory. Attaching here the code snippet from the entrypoint.sh file:
# /tmp/edgex/secrets need to be shared with all other services that need secrets and
# thus change the ownership to EDGEX_USER:EDGEX_GROUP
echo "$(date) Changing ownership of secrets to ${EDGEX_USER}:${EDGEX_GROUP}"
chown -Rh ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets
I have changed the location of tokens both on the host as well as inside the containers of all services. But the issue is that secretstore-setup is not changing the ownership of the tokens path to "EDGEX_USER", which is 2001. On debugging, it came out that the entrypoint.sh file has a hard-coded location of the tokens directory. As a result, other services like core-metadata are not able to read the token from the new path due to permission issues.
Logs of core-metadata
level=INFO ts=2023-05-17T07:44:32.967662669Z app=core-metadata source=secret.go:59 msg="Reading secret store configuration and authentication token"
level=WARN ts=2023-05-17T07:44:32.967816071Z app=core-metadata source=secret.go:96 msg="Retryable failure while creating SecretClient: open /usr/local/share/secrets/core-metadata/secrets-token.json: permission denied"
🔥 Exception or Error
🌍 Your Environment
Deployment Environment: Oracle Linux 9
EdgeX Version [REQUIRED]: Jakarta Version
Anything else relevant?
Reference https://github.com/edgexfoundry/edgex-go/blob/main/cmd/security-secretstore-setup/entrypoint.sh