From 57850e1b29fccbe34354c9cc3a939b56a075e810 Mon Sep 17 00:00:00 2001 From: Leonard Goodell Date: Sat, 14 Jan 2023 12:38:02 -0700 Subject: [PATCH] refactor!: Replace SecretStore service config with default values and overrides BREAKING CHANGE: SecretStore config no longer in service configuration file. Changes must be done via use of environment variable overrides of default values Signed-off-by: Leonard Goodell --- cmd/core-command/res/configuration.toml | 14 -------- cmd/core-data/res/configuration.toml | 20 ------------ cmd/core-metadata/res/configuration.toml | 20 ------------ .../configuration.toml | 14 +------- .../res-bootstrap-redis/configuration.toml | 12 ------- .../res/configuration.toml | 20 ------------ .../res/configuration.toml | 22 ------------- cmd/support-scheduler/res/configuration.toml | 20 ------------ go.mod | 4 +-- go.sum | 8 ++--- internal/core/command/config/config.go | 14 ++++---- internal/core/data/config/config.go | 10 +++--- internal/core/metadata/config/config.go | 10 +++--- internal/pkg/controller/http/secret_test.go | 14 ++------ .../bootstrapper/command/setupacl/command.go | 22 +++++++++---- .../setupacl/stubregistryserver_test.go | 12 ++++--- .../security/bootstrapper/config/config.go | 5 ++- .../bootstrapper/mosquitto/config/config.go | 5 +-- .../bootstrapper/redis/config/config.go | 5 +-- internal/security/proxy/config/config.go | 5 +-- internal/security/proxy/init.go | 13 ++++++-- .../spiffetokenprovider/config/config.go | 22 ++++++------- internal/security/spiffetokenprovider/init.go | 32 ++++++++++++------- .../support/notifications/config/config.go | 24 +++++++------- internal/support/scheduler/config/config.go | 10 +++--- 25 files changed, 108 insertions(+), 249 deletions(-) diff --git a/cmd/core-command/res/configuration.toml b/cmd/core-command/res/configuration.toml index aeccce0913..9bac2fcc6e 100644 --- a/cmd/core-command/res/configuration.toml +++ b/cmd/core-command/res/configuration.toml 
@@ -105,17 +105,3 @@ Type = "consul" CommandResponseTopicPrefix = "edgex/command/response" # for publishing responses back to 3rd party systems /// will be added to this publish topic prefix QueryRequestTopic = "edgex/commandquery/request/#" # for subscribing to 3rd party command query request QueryResponseTopic = "edgex/commandquery/response" # for publishing responses back to 3rd party systems - -[SecretStore] -Type = "vault" -Protocol = "http" -Host = "localhost" -Port = 8200 -# Use the core-meta data secrets due to core-command using core-meta-data's database for persistance. -Path = "core-command/" -TokenFile = "/tmp/edgex/secrets/core-command/secrets-token.json" -RootCaCertPath = "" -ServerName = "" - [SecretStore.Authentication] - AuthType = "X-Vault-Token" - diff --git a/cmd/core-data/res/configuration.toml b/cmd/core-data/res/configuration.toml index 8c4d19523d..4fe733546c 100644 --- a/cmd/core-data/res/configuration.toml +++ b/cmd/core-data/res/configuration.toml @@ -84,23 +84,3 @@ SecretName = "redisdb" Deliver = "new" DefaultPubRetryAttempts = "2" Subject = "edgex/#" # Required for NATS Jetstram only for stream autoprovsioning - -[SecretStore] -Type = "vault" -Protocol = "http" -Host = "localhost" -Port = 8200 -Path = "core-data/" -TokenFile = "/tmp/edgex/secrets/core-data/secrets-token.json" -RootCaCertPath = "" -ServerName = "" - [SecretStore.Authentication] - AuthType = "X-Vault-Token" - [SecretStore.RuntimeTokenProvider] - Enabled = false - Protocol = "https" - Host = "localhost" - Port = 59841 - TrustDomain = "edgexfoundry.org" - EndpointSocket = "/tmp/edgex/secrets/spiffe/public/api.sock" - RequiredSecrets = "redisdb" diff --git a/cmd/core-metadata/res/configuration.toml b/cmd/core-metadata/res/configuration.toml index 02b4efd11d..02403cd690 100644 --- a/cmd/core-metadata/res/configuration.toml +++ b/cmd/core-metadata/res/configuration.toml 
@@ -99,23 +99,3 @@ SecretName = "redisdb" Deliver = "new" DefaultPubRetryAttempts = "2" Subject = "edgex/#" # Required for NATS Jetstram only for stream autoprovsioning - -[SecretStore] -Type = "vault" -Protocol = "http" -Host = "localhost" -Port = 8200 -Path = "core-metadata/" -TokenFile = "/tmp/edgex/secrets/core-metadata/secrets-token.json" -RootCaCertPath = "" -ServerName = "" - [SecretStore.Authentication] - AuthType = "X-Vault-Token" - [SecretStore.RuntimeTokenProvider] - Enabled = false - Protocol = "https" - Host = "localhost" - Port = 59841 - TrustDomain = "edgexfoundry.org" - EndpointSocket = "/tmp/edgex/secrets/spiffe/public/api.sock" - RequiredSecrets = "redisdb" diff --git a/cmd/security-bootstrapper/res-bootstrap-mosquitto/configuration.toml b/cmd/security-bootstrapper/res-bootstrap-mosquitto/configuration.toml index 2312d7945f..014dfee48d 100644 --- a/cmd/security-bootstrapper/res-bootstrap-mosquitto/configuration.toml +++ b/cmd/security-bootstrapper/res-bootstrap-mosquitto/configuration.toml @@ -13,19 +13,7 @@ # ################################################################################# -LogLevel = "DEBUG" - -[SecretStore] -Type = "vault" -Protocol = "http" -Host = "localhost" ## Override in environment variables, if necessary -Port = 8200 -Path = "security-bootstrapper-messagebus/" -TokenFile = "/tmp/edgex/secrets/security-bootstrapper-messagebus/secrets-token.json" -RootCaCertPath = "" -ServerName = "" - [SecretStore.Authentication] - AuthType = "X-Vault-Token" +LogLevel = "INFO" [SecureMosquitto] Port = 1883 diff --git a/cmd/security-bootstrapper/res-bootstrap-redis/configuration.toml b/cmd/security-bootstrapper/res-bootstrap-redis/configuration.toml index 66bc26c40d..55b9919c13 100644 --- a/cmd/security-bootstrapper/res-bootstrap-redis/configuration.toml +++ b/cmd/security-bootstrapper/res-bootstrap-redis/configuration.toml 
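Review bot: The res-bootstrap-mosquitto hunk changes `LogLevel = "DEBUG"` to `LogLevel = "INFO"` alongside the SecretStore removal, but neither the subject nor the BREAKING CHANGE paragraph mentions a log-level change. If the lower verbosity is intentional for this bootstrapper it deserves a line in the commit message; if it is incidental, keeping `LogLevel = "DEBUG"` would keep this commit to the one change it describes.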
@@ -15,18 +15,6 @@ LogLevel = "INFO" -[SecretStore] -Type = "vault" -Protocol = "http" -Host = "localhost" ## Override in environment variables, if necessary -Port = 8200 -Path = "security-bootstrapper-redis/" -TokenFile = "/tmp/edgex/secrets/security-bootstrapper-redis/secrets-token.json" -RootCaCertPath = "" -ServerName = "" - [SecretStore.Authentication] - AuthType = "X-Vault-Token" - [Databases] [Databases.Primary] Host = "localhost" diff --git a/cmd/security-spiffe-token-provider/res/configuration.toml b/cmd/security-spiffe-token-provider/res/configuration.toml index d560bf55e6..217ea35161 100644 --- a/cmd/security-spiffe-token-provider/res/configuration.toml +++ b/cmd/security-spiffe-token-provider/res/configuration.toml @@ -39,26 +39,6 @@ Type = "consul" Timeout = 5000 Type = "redisdb" -[SecretStore] -Type = "vault" -Protocol = "http" -Host = "localhost" -Port = 8200 -Path = "security-spiffe-token-provider/" -TokenFile = "/tmp/edgex/secrets/security-spiffe-token-provider/secrets-token.json" -RootCaCertPath = "" -ServerName = "" - [SecretStore.Authentication] - AuthType = "X-Vault-Token" - [SecretStore.RuntimeTokenProvider] - Enabled = false # This is the implementation of RuntimeTokenProvider; must always be false! - Protocol = "" - Host = "" - Port = 0 - TrustDomain = "" - EndpointSocket = "" - RequiredSecrets = "" - [SPIFFE] EndpointSocket = "/tmp/edgex/secrets/spiffe/public/api.sock" TrustDomain = "edgexfoundry.org" diff --git a/cmd/support-notifications/res/configuration.toml b/cmd/support-notifications/res/configuration.toml index fec62fd83f..4b7f56e0d0 100644 --- a/cmd/support-notifications/res/configuration.toml +++ b/cmd/support-notifications/res/configuration.toml 
@@ -95,25 +95,3 @@ SecretName = "redisdb" Deliver = "new" DefaultPubRetryAttempts = "2" Subject = "edgex/#" # Required for NATS Jetstram only for stream autoprovsioning - -[SecretStore] -Type = "vault" -Protocol = "http" -Host = "localhost" -Port = 8200 -Path = "support-notifications/" -TokenFile = "/tmp/edgex/secrets/support-notifications/secrets-token.json" -RootCaCertPath = "" -ServerName = "" -SecretsFile = "" -DisableScrubSecretsFile = false - [SecretStore.Authentication] - AuthType = "X-Vault-Token" - [SecretStore.RuntimeTokenProvider] - Enabled = false - Protocol = "https" - Host = "localhost" - Port = 59841 - TrustDomain = "edgexfoundry.org" - EndpointSocket = "/tmp/edgex/secrets/spiffe/public/api.sock" - RequiredSecrets = "redisdb" diff --git a/cmd/support-scheduler/res/configuration.toml b/cmd/support-scheduler/res/configuration.toml index 5dfb8c47a2..6a2e1043d4 100644 --- a/cmd/support-scheduler/res/configuration.toml +++ b/cmd/support-scheduler/res/configuration.toml @@ -100,23 +100,3 @@ SecretName = "redisdb" Deliver = "new" DefaultPubRetryAttempts = "2" Subject = "edgex/#" # Required for NATS Jetstram only for stream autoprovsioning - -[SecretStore] -Type = "vault" -Protocol = "http" -Host = "localhost" -Port = 8200 -Path = "support-scheduler/" -TokenFile = "/tmp/edgex/secrets/support-scheduler/secrets-token.json" -RootCaCertPath = "" -ServerName = "" - [SecretStore.Authentication] - AuthType = "X-Vault-Token" - [SecretStore.RuntimeTokenProvider] - Enabled = false - Protocol = "https" - Host = "localhost" - Port = 59841 - TrustDomain = "edgexfoundry.org" - EndpointSocket = "/tmp/edgex/secrets/spiffe/public/api.sock" - RequiredSecrets = "redisdb" diff --git a/go.mod b/go.mod index 99ad815c13..2bc047d97b 100644 --- a/go.mod +++ b/go.mod 
@@ -3,8 +3,8 @@ module github.com/edgexfoundry/edgex-go
 require (
 bitbucket.org/bertimus9/systemstat v0.0.0-20180207000608-0eeff89b0690
 github.com/eclipse/paho.mqtt.golang v1.4.2
- github.com/edgexfoundry/go-mod-bootstrap/v3 v3.0.0-dev.9
- github.com/edgexfoundry/go-mod-core-contracts/v3 v3.0.0-dev.3
+ github.com/edgexfoundry/go-mod-bootstrap/v3 v3.0.0-dev.11
+ github.com/edgexfoundry/go-mod-core-contracts/v3 v3.0.0-dev.4
 github.com/edgexfoundry/go-mod-messaging/v3 v3.0.0-dev.4
 github.com/edgexfoundry/go-mod-secrets/v3 v3.0.0-dev.2
 github.com/fxamacker/cbor/v2 v2.4.0
diff --git a/go.sum b/go.sum
index ad1ca62cf0..88aa53d33c 100644
--- a/go.sum
+++ b/go.sum
@@ -28,12 +28,12 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/eclipse/paho.mqtt.golang v1.4.2 h1:66wOzfUHSSI1zamx7jR6yMEI5EuHnT1G6rNA5PM12m4=
 github.com/eclipse/paho.mqtt.golang v1.4.2/go.mod h1:JGt0RsEwEX+Xa/agj90YJ9d9DH2b7upDZMK9HRbFvCA=
-github.com/edgexfoundry/go-mod-bootstrap/v3 v3.0.0-dev.9 h1:YQRmArf08iSHOJ1xIXMchxfsbeguUPbG1Q1E0IVAUZA=
-github.com/edgexfoundry/go-mod-bootstrap/v3 v3.0.0-dev.9/go.mod h1:lJI+SO9B3dWOn/UfJ90fYQVR4wYddjEkvmAJqt/WdxA=
+github.com/edgexfoundry/go-mod-bootstrap/v3 v3.0.0-dev.11 h1:PHkcIC9hwOG2XyumsdO4hfavzd96GHs7kJZE8Ih9/cY=
+github.com/edgexfoundry/go-mod-bootstrap/v3 v3.0.0-dev.11/go.mod h1:UjrW9GZ5UjKZLF1EzEtAjvrgOvgQz3FGyVyAAX+fXW4=
 github.com/edgexfoundry/go-mod-configuration/v3 v3.0.0-dev.2 h1:xp5MsP+qf/fuJxy8fT7k1N+c4j4C6w04qMCBXm6id7o=
 github.com/edgexfoundry/go-mod-configuration/v3 v3.0.0-dev.2/go.mod h1:1Vv4uWAo6r7k6jUlqVJW8JOL6YKVBc6sRL8Al3DrMck=
-github.com/edgexfoundry/go-mod-core-contracts/v3 v3.0.0-dev.3 h1:Ia/y/w9w3SmXqIqJ+Vjmv6QrP49YJDpTY6262C1Jrzs=
-github.com/edgexfoundry/go-mod-core-contracts/v3 v3.0.0-dev.3/go.mod h1:7RwSq896VqelvSU7zYKs2tpZhgELVFECkiGf6XGLKfQ=
+github.com/edgexfoundry/go-mod-core-contracts/v3 v3.0.0-dev.4 h1:J1G1Fd0wKsr2FNqansSOvfErvUrYanR/9tKbp0VpcRo=
+github.com/edgexfoundry/go-mod-core-contracts/v3 v3.0.0-dev.4/go.mod h1:7RwSq896VqelvSU7zYKs2tpZhgELVFECkiGf6XGLKfQ=
 github.com/edgexfoundry/go-mod-messaging/v3 v3.0.0-dev.4 h1:swPZOjoQ/IUIWSJpZCmQENtP/plFRx5tgiCEZgnfxFU=
 github.com/edgexfoundry/go-mod-messaging/v3 v3.0.0-dev.4/go.mod h1:8pxuYvh2zcq1GuKqmk1MAuH1yuN40iOMmL0g2myIfwk=
 github.com/edgexfoundry/go-mod-registry/v3 v3.0.0-dev.3 h1:QgZF9f70Cwpvkjw3tP1aiVGHc+yNFJNzW6hO8pDs3fg=
diff --git a/internal/core/command/config/config.go b/internal/core/command/config/config.go
index 5df2e79c85..6395640b8d 100644
--- a/internal/core/command/config/config.go
+++ b/internal/core/command/config/config.go @@ -21,13 +21,12 @@ import ( // ConfigurationStruct contains the configuration properties for the core-command service. type ConfigurationStruct struct { - Writable WritableInfo - Clients map[string]bootstrapConfig.ClientInfo - Databases map[string]bootstrapConfig.Database - Registry bootstrapConfig.RegistryInfo - Service bootstrapConfig.ServiceInfo - MessageBus MessageBus - SecretStore bootstrapConfig.SecretStoreInfo + Writable WritableInfo + Clients map[string]bootstrapConfig.ClientInfo + Databases map[string]bootstrapConfig.Database + Registry bootstrapConfig.RegistryInfo + Service bootstrapConfig.ServiceInfo + MessageBus MessageBus } // WritableInfo contains configuration properties that can be updated and applied without restarting the service. @@ -81,7 +80,6 @@ func (c *ConfigurationStruct) GetBootstrap() bootstrapConfig.BootstrapConfigurat Clients: c.Clients, Service: c.Service, Registry: c.Registry, - SecretStore: c.SecretStore, MessageBus: c.MessageBus.Internal, ExternalMQTT: c.MessageBus.External, } diff --git a/internal/core/data/config/config.go b/internal/core/data/config/config.go index e241965285..2c25a9eed8 100644 --- a/internal/core/data/config/config.go +++ b/internal/core/data/config/config.go @@ -25,7 +25,6 @@ type ConfigurationStruct struct { Databases map[string]bootstrapConfig.Database Registry bootstrapConfig.RegistryInfo Service bootstrapConfig.ServiceInfo - SecretStore bootstrapConfig.SecretStoreInfo MaxEventSize int64 } 
@@ -73,11 +72,10 @@ func (c *ConfigurationStruct) UpdateWritableFromRaw(rawWritable interface{}) boo func (c *ConfigurationStruct) GetBootstrap() bootstrapConfig.BootstrapConfiguration { // temporary until we can make backwards-breaking configuration.toml change return bootstrapConfig.BootstrapConfiguration{ - Clients: c.Clients, - Service: c.Service, - Registry: c.Registry, - SecretStore: c.SecretStore, - MessageBus: c.MessageBus, + Clients: c.Clients, + Service: c.Service, + Registry: c.Registry, + MessageBus: c.MessageBus, } } diff --git a/internal/core/metadata/config/config.go b/internal/core/metadata/config/config.go index 35a21a4c15..8e8f4bda67 100644 --- a/internal/core/metadata/config/config.go +++ b/internal/core/metadata/config/config.go @@ -27,7 +27,6 @@ type ConfigurationStruct struct { Registry bootstrapConfig.RegistryInfo Service bootstrapConfig.ServiceInfo MessageBus bootstrapConfig.MessageBusInfo - SecretStore bootstrapConfig.SecretStoreInfo UoM UoM } @@ -99,11 +98,10 @@ func (c *ConfigurationStruct) UpdateWritableFromRaw(rawWritable interface{}) boo func (c *ConfigurationStruct) GetBootstrap() bootstrapConfig.BootstrapConfiguration { // temporary until we can make backwards-breaking configuration.toml change return bootstrapConfig.BootstrapConfiguration{ - Clients: c.Clients, - Service: c.Service, - Registry: c.Registry, - SecretStore: c.SecretStore, - MessageBus: c.MessageBus, + Clients: c.Clients, + Service: c.Service, + Registry: c.Registry, + MessageBus: c.MessageBus, } } diff --git a/internal/pkg/controller/http/secret_test.go b/internal/pkg/controller/http/secret_test.go index 49bf789241..27fe5e2d84 100644 --- a/internal/pkg/controller/http/secret_test.go +++ b/internal/pkg/controller/http/secret_test.go 
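Review bot: The comment `// temporary until we can make backwards-breaking configuration.toml change` kept above the `return bootstrapConfig.BootstrapConfiguration{` in core-data's GetBootstrap is now stale: this commit is that breaking configuration change, yet the comment survives untouched in every GetBootstrap it touches. The same line is left in the GetBootstrap hunks of internal/core/metadata/config/config.go, internal/security/bootstrapper/mosquitto/config/config.go, internal/security/bootstrapper/redis/config/config.go, internal/security/spiffetokenprovider/config/config.go, internal/support/notifications/config/config.go and internal/support/scheduler/config/config.go. Either drop it or replace it with what the reader now needs to know, e.g. `// SecretStore is intentionally absent: it is built from defaults plus environment overrides at bootstrap, not from the service configuration file.`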
@@ -7,17 +7,17 @@ package http import ( "encoding/json" - "github.com/google/uuid" "net/http" "net/http/httptest" "strings" "testing" + "github.com/google/uuid" + "github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/config" "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/container" "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/interfaces/mocks" - bootstrapConfig "github.com/edgexfoundry/go-mod-bootstrap/v3/config" "github.com/edgexfoundry/go-mod-bootstrap/v3/di" "github.com/edgexfoundry/go-mod-core-contracts/v3/clients/logger" "github.com/edgexfoundry/go-mod-core-contracts/v3/common" @@ -113,15 +113,7 @@ func TestAddSecret(t *testing.T) { func mockDic() *di.Container { return di.NewContainer(di.ServiceConstructorMap{ container.ConfigurationInterfaceName: func(get di.Get) interface{} { - return &config.ConfigurationStruct{ - SecretStore: bootstrapConfig.SecretStoreInfo{ - Type: "vault", - Host: "localhost", - Port: 8200, - Path: "/v1/secret/edgex/device-simple/", - Protocol: "http", - }, - } + return &config.ConfigurationStruct{} }, container.LoggingClientInterfaceName: func(get di.Get) interface{} { return logger.NewMockClient() diff --git a/internal/security/bootstrapper/command/setupacl/command.go b/internal/security/bootstrapper/command/setupacl/command.go index c217c2c6d2..2dcf98981c 100644 --- a/internal/security/bootstrapper/command/setupacl/command.go +++ b/internal/security/bootstrapper/command/setupacl/command.go 
@@ -36,6 +36,9 @@ import ( "github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/config" "github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/helper" "github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/interfaces" + "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/environment" + "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/secret" + bootstrapConfig "github.com/edgexfoundry/go-mod-bootstrap/v3/config" "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/startup" "github.com/edgexfoundry/go-mod-core-contracts/v3/clients/logger" @@ -63,9 +66,10 @@ const ( ) type cmd struct { - loggingClient logger.LoggingClient - client internal.HttpCaller - configuration *config.ConfigurationStruct + loggingClient logger.LoggingClient + client internal.HttpCaller + configuration *config.ConfigurationStruct + secretStoreinfo *bootstrapConfig.SecretStoreInfo // internal state retryTimeout time.Duration @@ -96,6 +100,12 @@ func NewCommand( return nil, fmt.Errorf("Unable to parse command: %s: %w", strings.Join(args, " "), err) } + envVars := environment.NewVariables(lc) + cmd.secretStoreinfo, err = secret.BuildSecretStoreConfig(common.SecurityBootstrapperKey, envVars, lc) + if err != nil { + return nil, fmt.Errorf("unable to create SecretStore configuration %v", err) + } + return &cmd, nil } @@ -683,9 +693,9 @@ func (c *cmd) writeSentinelFile() error { func (c *cmd) createSecretStoreClient(secretConfig *config.ConfigurationStruct) (secrets.SecretStoreClient, error) { clientConfig := types.SecretConfig{ Type: secrets.Vault, - Host: secretConfig.SecretStore.Host, - Port: secretConfig.SecretStore.Port, - Protocol: secretConfig.SecretStore.Protocol, + Host: c.secretStoreinfo.Host, + Port: c.secretStoreinfo.Port, + Protocol: c.secretStoreinfo.Protocol, } client, err := secrets.NewSecretStoreClient(clientConfig, c.loggingClient, c.client) 
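Review bot: The new error path in NewCommand, `return nil, fmt.Errorf("unable to create SecretStore configuration %v", err)`, formats the cause with `%v` and no separator, so the returned error cannot be inspected with errors.Is/As and reads as one run-on sentence; use `return nil, fmt.Errorf("unable to create SecretStore configuration: %w", err)`. The new field `secretStoreinfo` also breaks the MixedCaps style of its neighbours (`loggingClient`, `retryTimeout`); `secretStoreInfo` would match. The three added imports are appended to the edgex-go group instead of the go-mod-bootstrap group where `startup` already sits, which goimports will not reorder across the blank line. NewCommand's body begins outside this hunk.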
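Review bot: In createSecretStoreClient the `secretConfig *config.ConfigurationStruct` parameter is no longer read anywhere in the visible body — Host, Port and Protocol now all come from `c.secretStoreinfo` — so as far as the hunk shows it is dead; the rest of the function lies outside the hunk, so if nothing below uses it either, drop it (`func (c *cmd) createSecretStoreClient() (secrets.SecretStoreClient, error)`) and update the callers. Separately, `c.secretStoreinfo` is a pointer that only NewCommand populates, so a `cmd` built any other way (tests, future constructors) panics here; a one-line guard such as `if c.secretStoreinfo == nil { return nil, fmt.Errorf("secret store configuration not initialized") }` before the `types.SecretConfig{` literal makes that failure explicit.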
diff --git a/internal/security/bootstrapper/command/setupacl/stubregistryserver_test.go b/internal/security/bootstrapper/command/setupacl/stubregistryserver_test.go index 2be15d8a6b..b16f92297b 100644 --- a/internal/security/bootstrapper/command/setupacl/stubregistryserver_test.go +++ b/internal/security/bootstrapper/command/setupacl/stubregistryserver_test.go @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright 2021 Intel Corporation + * Copyright 2023 Intel Corporation * * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except * in compliance with the License. You may obtain a copy of the License at @@ -22,6 +22,7 @@ import ( "net/http" "net/http/httptest" "net/url" + "os" "path" "strconv" "testing" @@ -361,10 +362,11 @@ func (registry *registryTestServer) getRegistryServerConf(t *testing.T) *config. registryTestConf.StageGate.WaitFor.Timeout = "1m" registryTestConf.StageGate.WaitFor.RetryInterval = "1s" // for the sake of simplicity, we use the same test server as the secret store server - registryTestConf.SecretStore.Type = "vault" - registryTestConf.SecretStore.Protocol = tsURL.Scheme - registryTestConf.SecretStore.Host = tsURL.Hostname() - registryTestConf.SecretStore.Port = portNum + os.Setenv("SECRETSTORE_PROTOCOL", tsURL.Scheme) + os.Setenv("SECRETSTORE_HOST", tsURL.Hostname()) + os.Setenv("SECRETSTORE_PORT", tsURL.Port()) + registry.server = testSrv return registryTestConf + } diff --git a/internal/security/bootstrapper/config/config.go b/internal/security/bootstrapper/config/config.go index b36e21bbee..3a7dbd0b7b 100644 --- a/internal/security/bootstrapper/config/config.go +++ b/internal/security/bootstrapper/config/config.go 
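Review bot: The three `os.Setenv("SECRETSTORE_…", …)` calls added to getRegistryServerConf set process-wide variables that are never restored, so they leak into every later test in the package, and their error returns are silently dropped. `t` is already a parameter, so `t.Setenv` (Go 1.17+) both fails the test on error and restores the previous value at cleanup: `t.Setenv("SECRETSTORE_PROTOCOL", tsURL.Scheme)`, `t.Setenv("SECRETSTORE_HOST", tsURL.Hostname())`, `t.Setenv("SECRETSTORE_PORT", tsURL.Port())`; with that change the new `"os"` import is no longer needed. The removed `registryTestConf.SecretStore.Port = portNum` line was the only visible use of `portNum`, so if it is computed only for that assignment it is now an unused variable; its declaration is outside the hunk. The blank line added before the closing brace is stray.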
@@ -22,9 +22,8 @@ import ( ) type ConfigurationStruct struct { - LogLevel string - StageGate StageGateInfo - SecretStore bootstrapConfig.SecretStoreInfo + LogLevel string + StageGate StageGateInfo } // UpdateFromRaw converts configuration received from the registry to a service-specific configuration struct which is diff --git a/internal/security/bootstrapper/mosquitto/config/config.go b/internal/security/bootstrapper/mosquitto/config/config.go index 16bf0376eb..919637844b 100644 --- a/internal/security/bootstrapper/mosquitto/config/config.go +++ b/internal/security/bootstrapper/mosquitto/config/config.go @@ -23,7 +23,6 @@ import ( // the runtime extension of the static configuration. type ConfigurationStruct struct { LogLevel string - SecretStore bootstrapConfig.SecretStoreInfo SecureMosquitto SecureMosquittoInfo } type SecureMosquittoInfo struct { @@ -61,9 +60,7 @@ func (c *ConfigurationStruct) UpdateWritableFromRaw(rawWritable interface{}) boo // bootstrapConfig.BootstrapConfiguration struct contained within ConfigurationStruct). func (c *ConfigurationStruct) GetBootstrap() bootstrapConfig.BootstrapConfiguration { // temporary until we can make backwards-breaking configuration.toml change - return bootstrapConfig.BootstrapConfiguration{ - SecretStore: c.SecretStore, - } + return bootstrapConfig.BootstrapConfiguration{} } // GetLogLevel returns the current ConfigurationStruct's log level. diff --git a/internal/security/bootstrapper/redis/config/config.go b/internal/security/bootstrapper/redis/config/config.go index c09e444707..c931df30f2 100644 --- a/internal/security/bootstrapper/redis/config/config.go +++ b/internal/security/bootstrapper/redis/config/config.go @@ -23,7 +23,6 @@ import ( // the runtime extension of the static configuration. type ConfigurationStruct struct { LogLevel string - SecretStore bootstrapConfig.SecretStoreInfo Databases map[string]bootstrapConfig.Database DatabaseConfig DatabaseBootstrapConfigInfo } 
@@ -62,9 +61,7 @@ func (c *ConfigurationStruct) UpdateWritableFromRaw(rawWritable interface{}) boo // bootstrapConfig.BootstrapConfiguration struct contained within ConfigurationStruct). func (c *ConfigurationStruct) GetBootstrap() bootstrapConfig.BootstrapConfiguration { // temporary until we can make backwards-breaking configuration.toml change - return bootstrapConfig.BootstrapConfiguration{ - SecretStore: c.SecretStore, - } + return bootstrapConfig.BootstrapConfiguration{} } // GetLogLevel returns the current ConfigurationStruct's log level. diff --git a/internal/security/proxy/config/config.go b/internal/security/proxy/config/config.go index 308842ce67..8db4867452 100644 --- a/internal/security/proxy/config/config.go +++ b/internal/security/proxy/config/config.go @@ -34,7 +34,6 @@ type ConfigurationStruct struct { KongURL KongUrlInfo KongAuth KongAuthInfo CORSConfiguration bootstrapConfig.CORSConfigurationInfo - SecretStore bootstrapConfig.SecretStoreInfo Routes map[string]models.KongService } @@ -103,9 +102,7 @@ func (c *ConfigurationStruct) UpdateWritableFromRaw(_ interface{}) bool { // GetBootstrap returns the configuration elements required by the bootstrap. // Not needed for this service, so return empty struct func (c *ConfigurationStruct) GetBootstrap() bootstrapConfig.BootstrapConfiguration { - return bootstrapConfig.BootstrapConfiguration{ - SecretStore: c.SecretStore, - } + return bootstrapConfig.BootstrapConfiguration{} } // GetLogLevel returns the current ConfigurationStruct's log level. diff --git a/internal/security/proxy/init.go b/internal/security/proxy/init.go index 67da9b5c67..79126bcfa7 100644 --- a/internal/security/proxy/init.go +++ b/internal/security/proxy/init.go 
@@ -18,11 +18,15 @@ package proxy import ( "context" + "fmt" "os" "sync" "github.com/edgexfoundry/edgex-go/internal" "github.com/edgexfoundry/edgex-go/internal/security/proxy/container" + "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/environment" + "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/secret" + "github.com/edgexfoundry/go-mod-core-contracts/v3/common" bootstrapContainer "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/container" "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/startup" @@ -65,12 +69,17 @@ func (b *Bootstrap) BootstrapHandler(_ context.Context, _ *sync.WaitGroup, _ sta lc := bootstrapContainer.LoggingClientFrom(dic.Get) configuration := container.ConfigurationFrom(dic.Get) + secretStoreConfig, err := secret.BuildSecretStoreConfig(common.SecurityProxySetupServiceKey, environment.NewVariables(lc), lc) + if err != nil { + b.haltIfError(lc, fmt.Errorf("unable to get SecretStore configuration: %v", err)) + } + var req internal.HttpCaller - if len(configuration.SecretStore.RootCaCertPath) > 0 { + if len(secretStoreConfig.RootCaCertPath) > 0 { req = NewRequestor( b.insecureSkipVerify, configuration.RequestTimeout, - configuration.SecretStore.RootCaCertPath, + secretStoreConfig.RootCaCertPath, lc) } else { req = NewRequestor( diff --git a/internal/security/spiffetokenprovider/config/config.go b/internal/security/spiffetokenprovider/config/config.go index 1d47b900fb..df25c1c6cb 100644 --- a/internal/security/spiffetokenprovider/config/config.go +++ b/internal/security/spiffetokenprovider/config/config.go 
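Review bot: In BootstrapHandler the failure branch after `secret.BuildSecretStoreConfig` calls `b.haltIfError(lc, …)` and then falls straight through to `len(secretStoreConfig.RootCaCertPath)` on the next statement; unless haltIfError is guaranteed never to return (its body is outside this hunk), a config error becomes a nil-pointer panic instead of a clean exit. Make the branch terminal, e.g. `if err != nil { b.haltIfError(lc, fmt.Errorf("unable to get SecretStore configuration: %w", err)); return false }` (or whatever the handler's failure path returns), which also switches the wrap from `%v` to `%w` so the cause stays inspectable. The new `".../go-mod-core-contracts/v3/common"` import lands between two go-mod-bootstrap imports rather than with the other core-contracts imports. BootstrapHandler continues outside the hunk.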
@@ -28,14 +28,13 @@ type SpiffeInfo struct { } type ConfigurationStruct struct { - Writable WritableInfo - MessageBus bootstrapConfig.MessageBusInfo - Clients map[string]bootstrapConfig.ClientInfo - Databases map[string]bootstrapConfig.Database - Registry bootstrapConfig.RegistryInfo - Service bootstrapConfig.ServiceInfo - SecretStore bootstrapConfig.SecretStoreInfo - Spiffe SpiffeInfo + Writable WritableInfo + MessageBus bootstrapConfig.MessageBusInfo + Clients map[string]bootstrapConfig.ClientInfo + Databases map[string]bootstrapConfig.Database + Registry bootstrapConfig.RegistryInfo + Service bootstrapConfig.ServiceInfo + Spiffe SpiffeInfo } type WritableInfo struct { @@ -81,10 +80,9 @@ func (c *ConfigurationStruct) UpdateWritableFromRaw(rawWritable interface{}) boo func (c *ConfigurationStruct) GetBootstrap() bootstrapConfig.BootstrapConfiguration { // temporary until we can make backwards-breaking configuration.toml change return bootstrapConfig.BootstrapConfiguration{ - Clients: c.Clients, - Service: c.Service, - Registry: c.Registry, - SecretStore: c.SecretStore, + Clients: c.Clients, + Service: c.Service, + Registry: c.Registry, } } diff --git a/internal/security/spiffetokenprovider/init.go b/internal/security/spiffetokenprovider/init.go index 00c1ea96fb..7ba6224474 100644 --- a/internal/security/spiffetokenprovider/init.go +++ b/internal/security/spiffetokenprovider/init.go @@ -30,6 +30,9 @@ import ( "sync" "time" + "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/environment" + "github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/secret" + "github.com/edgexfoundry/go-mod-core-contracts/v3/common" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig" "github.com/spiffe/go-spiffe/v2/workloadapi" @@ -59,6 +62,7 @@ const ( type Bootstrap struct { validKnownSecrets map[string]bool + secretStoreConfig *bootstrapConfig.SecretStoreInfo } func NewBootstrap() *Bootstrap { 
@@ -69,29 +73,34 @@ func NewBootstrap() *Bootstrap { func (b *Bootstrap) getSecretStoreClient(dic *di.Container) (secrets.SecretStoreClient, error) { lc := bootstrapContainer.LoggingClientFrom(dic.Get) - configuration := container.ConfigurationFrom(dic.Get) - secretStoreConfig := configuration.SecretStore + var err error + + envVars := environment.NewVariables(lc) + b.secretStoreConfig, err = secret.BuildSecretStoreConfig(common.SecuritySpiffeTokenProviderKey, envVars, lc) + if err != nil { + return nil, fmt.Errorf("unable to create SecretStore configuration %v", err) + } fileOpener := fileioperformer.NewDefaultFileIoPerformer() var httpCaller internal.HttpCaller - if caFilePath := secretStoreConfig.RootCaCertPath; caFilePath != "" { + if caFilePath := b.secretStoreConfig.RootCaCertPath; caFilePath != "" { lc.Info("using certificate verification for secret store connection") caReader, err := fileOpener.OpenFileReader(caFilePath, os.O_RDONLY, 0400) if err != nil { return nil, err } - httpCaller = pkg.NewRequester(lc).WithTLS(caReader, secretStoreConfig.ServerName) + httpCaller = pkg.NewRequester(lc).WithTLS(caReader, b.secretStoreConfig.ServerName) } else { lc.Info("bypassing certificate verification for secret store connection") httpCaller = pkg.NewRequester(lc).Insecure() } clientConfig := types.SecretConfig{ - Type: secretStoreConfig.Type, - Protocol: secretStoreConfig.Protocol, - Host: secretStoreConfig.Host, - Port: secretStoreConfig.Port, + Type: b.secretStoreConfig.Type, + Protocol: b.secretStoreConfig.Protocol, + Host: b.secretStoreConfig.Host, + Port: b.secretStoreConfig.Port, } secretClient, err := secrets.NewSecretStoreClient(clientConfig, lc, httpCaller) if err != nil { 
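Review bot: getSecretStoreClient now populates `b.secretStoreConfig` as a side effect, and the next hunks read that pointer in getPrivilegedToken (`b.secretStoreConfig.TokenFile`) and in BootstrapHandler's `b.seedKnownSecrets(ctx, lc, b.secretStoreConfig, …)`; nothing at those read sites shows the ordering dependency, so calling getPrivilegedToken before getSecretStoreClient dereferences nil. Build the config once in BootstrapHandler before either helper runs, or at minimum document the invariant on the field: `secretStoreConfig *bootstrapConfig.SecretStoreInfo // set by getSecretStoreClient; nil until it has run`. Since seedKnownSecrets now takes `ssConfig *bootstrapConfig.SecretStoreInfo`, a nil check at its top would make the same failure explicit. The new wrap `fmt.Errorf("unable to create SecretStore configuration %v", err)` should be `fmt.Errorf("unable to create SecretStore configuration: %w", err)`, and the inner `caReader, err := …` now shadows the function-level `var err error`; harmless here because the branch returns, but vet's shadow check will flag it.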
@@ -109,8 +118,7 @@ func (b *Bootstrap) getPrivilegedToken(dic *di.Container) (string, error) { } // Reload token in case new token was created causing the auth error - configuration := container.ConfigurationFrom(dic.Get) - token, err := tokenLoader.Load(configuration.GetBootstrap().SecretStore.TokenFile) + token, err := tokenLoader.Load(b.secretStoreConfig.TokenFile) if err != nil { return "", err } @@ -266,7 +274,7 @@ func (b *Bootstrap) BootstrapHandler(ctx context.Context, _ *sync.WaitGroup, _ s lc.Debug("seeding the known secrets if any...") - if err := b.seedKnownSecrets(ctx, lc, configuration.SecretStore, knownSecretNames, serviceKey, privilegedToken); err != nil { + if err := b.seedKnownSecrets(ctx, lc, b.secretStoreConfig, knownSecretNames, serviceKey, privilegedToken); err != nil { lc.Errorf("failed to seed known secrets: %v", err) w.WriteHeader(http.StatusInternalServerError) return @@ -342,7 +350,7 @@ func (b *Bootstrap) BootstrapHandler(ctx context.Context, _ *sync.WaitGroup, _ s // seedKnownSecrets seeds or copies the known secrets from the existing service (e.g. security-bootstrapper-redis) // to the requested new service that also uses the same known secrets func (b *Bootstrap) seedKnownSecrets(ctx context.Context, lc logger.LoggingClient, - ssConfig bootstrapConfig.SecretStoreInfo, + ssConfig *bootstrapConfig.SecretStoreInfo, knownSecretNames []string, serviceKey string, privilegedToken string) error { // to see if we can find redisdb as part of known secret name since that is the known secret we can support now diff --git a/internal/support/notifications/config/config.go b/internal/support/notifications/config/config.go index 6f8b73f98a..d8edd2992b 100644 --- a/internal/support/notifications/config/config.go +++ b/internal/support/notifications/config/config.go 
@@ -20,14 +20,13 @@ import ( ) type ConfigurationStruct struct { - Writable WritableInfo - Clients map[string]bootstrapConfig.ClientInfo - Databases map[string]bootstrapConfig.Database - Registry bootstrapConfig.RegistryInfo - Service bootstrapConfig.ServiceInfo - MessageBus bootstrapConfig.MessageBusInfo - Smtp SmtpInfo - SecretStore bootstrapConfig.SecretStoreInfo + Writable WritableInfo + Clients map[string]bootstrapConfig.ClientInfo + Databases map[string]bootstrapConfig.Database + Registry bootstrapConfig.RegistryInfo + Service bootstrapConfig.ServiceInfo + MessageBus bootstrapConfig.MessageBusInfo + Smtp SmtpInfo } type WritableInfo struct { @@ -102,11 +101,10 @@ func (c *ConfigurationStruct) UpdateWritableFromRaw(rawWritable interface{}) boo func (c *ConfigurationStruct) GetBootstrap() bootstrapConfig.BootstrapConfiguration { // temporary until we can make backwards-breaking configuration.toml change return bootstrapConfig.BootstrapConfiguration{ - Clients: c.Clients, - Service: c.Service, - Registry: c.Registry, - SecretStore: c.SecretStore, - MessageBus: c.MessageBus, + Clients: c.Clients, + Service: c.Service, + Registry: c.Registry, + MessageBus: c.MessageBus, } } diff --git a/internal/support/scheduler/config/config.go b/internal/support/scheduler/config/config.go index 85020df810..61822a0543 100644 --- a/internal/support/scheduler/config/config.go +++ b/internal/support/scheduler/config/config.go @@ -30,7 +30,6 @@ type ConfigurationStruct struct { MessageBus bootstrapConfig.MessageBusInfo Intervals map[string]IntervalInfo IntervalActions map[string]IntervalActionInfo - SecretStore bootstrapConfig.SecretStoreInfo // ScheduleIntervalTime is a time(Millisecond) to create a ticker to delay the scheduler loop ScheduleIntervalTime int } 
@@ -126,11 +125,10 @@ func (c *ConfigurationStruct) UpdateWritableFromRaw(rawWritable interface{}) boo func (c *ConfigurationStruct) GetBootstrap() bootstrapConfig.BootstrapConfiguration { // temporary until we can make backwards-breaking configuration.toml change return bootstrapConfig.BootstrapConfiguration{ - Clients: c.Clients, - Service: c.Service, - Registry: c.Registry, - SecretStore: c.SecretStore, - MessageBus: c.MessageBus, + Clients: c.Clients, + Service: c.Service, + Registry: c.Registry, + MessageBus: c.MessageBus, } }