build(snap): Snap package build for setup consul acl #3223
Conversation
jim-wang-intel
added
enhancement
jim-wang-intel
requested review from
beaufrusetta,
hutchic,
tonyespy,
bnevis-i,
lenny-goodell and
siggiskulason
jim-wang-intel
changed the title
jim-wang-intel
changed the title
jim-wang-intel
force-pushed
the
snap-setup-consul-acl
branch
3 times, most recently
from
f6c5a0d to
0cea5ec
Compare
jim-wang-intel
force-pushed
the
snap-setup-consul-acl
branch
from
0cea5ec to
e16aee3
Compare
There was a problem hiding this comment.
LGTM. This PR meets the requirements of the feature request, as follows:
-
Add token for consul secret engine in snap
I see the token in /var/snap/edgexfoundry/x1/secrets/consul-acl-token/bootstrap_token.json and in the log we get"bootstrap token is written to /var/snap/edgexfoundry/x1/secrets/consul-acl- token/bootstrap_token.json" -
Add env. for ACL enable: ENABLE_REGISTRY_ACL: true
snapcraft.yaml sets ENABLE_REGISTRY_ACL to true and the log shows
"setupRegistryACL successfully done" -
Add env. for consul secret engine admin token: SECRETSTORE_CONSULSECRETSADMINTOKENPATH
snapcraft.yaml sets SECRETSTORE_CONSULSECRETSADMINTOKENPATH: $SNAP_DATA/secrets/edgex-consul/admin/token.json
and logs shows
"successfully retrieved secretstore management token from /var/snap/edgexfoundry/x1/secrets/edgex-consul/admin/token.json"
-
Add logic for copying the needed configuration toml from security-bootstrapper
- The two files have been copied to
/var/snap/edgexfoundry/x1/config/security-bootstrapper$ ls -alR ./res: total 12 drwxr-xr-x 2 root root 4096 Mar 22 15:11 . drwxr-xr-x 4 root root 4096 Mar 22 15:11 .. -rwxr-xr-x 1 root root 1765 Mar 22 15:11 configuration.toml ./res-bootstrap-redis: total 12 drwxr-xr-x 2 root root 4096 Mar 22 15:11 . drwxr-xr-x 4 root root 4096 Mar 22 15:11 .. -rwxr-xr-x 1 root root 1459 Mar 22 15:11 configuration.toml -
Add consul-bootstrapper one-shot service for setting up Consul's ACL
security-consul-bootstrapper oneshot daemon is defined in snapcraft.yaml.setting ENABLE_REGISTRY_ACL to false results in
"in setup-consul-acl.sh: ENABLE_REGISTRY_ACL = false" "ACL not enabled, skip Consul's ACL setup" -
Add feature flag logic in start_consul.sh shell script
- /var/snap/edgexfoundry/current/consul/config/consul_acl.json has been updated
-
Consul-bootstrapper one-shot service to launch using shell script
setup-consul-acl.sh runs and sets up the registry ACL. Log shows
"in setup-consul-acl.sh: ENABLE_REGISTRY_ACL = true"
Thank you very much, @siggiskulason for your thorough reviews and verification. |
- Add token for consul secret engine in snap - Add env. for ACL enable: ENABLE_REGISTRY_ACL: true - Add env. for consul secret engine admin token: SECRETSTORE_CONSULSECRETSADMINTOKENPATH - Add logic for copying the needed configuration toml from security-bootstrapper - Add consul-bootstrapper one-shot service for setting up Consul's ACL - Add feature flag logic in start_consul.sh shell script - Add env. overrides for consul-bootstrapper - Make consul-bootstrapper use shell script as command to run setupRegistryACL Closes: edgexfoundry#3222 Signed-off-by: Jim Wang <[email protected]>
jim-wang-intel
force-pushed
the
snap-setup-consul-acl
branch
from
e16aee3 to
2356c25
Compare
|
Kudos, SonarCloud Quality Gate passed!
|
part of securing consul phase 1 in snap build, change details:
PR Checklist
Please check if your PR fulfills the following requirements:
If your build fails due to your commit message not passing the build checks, please review the guidelines here: https://github.com/edgexfoundry/edgex-go/blob/master/.github/Contributing.md.
What is the current behavior?
N/A
Issue Number: #3222
What is the new behavior?
Add implementation in snap for setting up consul's acl
Does this PR introduce a breaking change?
New Imports
Specific Instructions
Are there any specific instructions or things that should be known prior to reviewing?
snap package build and need the patch updates
Other information