build(snap): Add implementation for set up Consul ACL
- Add token for consul secret engine in snap
- Add env. for ACL enable: ENABLE_REGISTRY_ACL: true
- Add env. for consul secret engine admin token: SECRETSTORE_CONSULSECRETSADMINTOKENPATH
- Add logic for copying the needed configuration toml from security-bootstrapper
- Add consul-bootstrapper one-shot service for setting up Consul's ACL
- Add feature flag logic in start_consul.sh shell script
- Add env. overrides for consul-bootstrapper
- Make consul-bootstrapper use shell script as command to run setupRegistryACL

Closes: edgexfoundry#3222

Signed-off-by: Jim Wang <[email protected]>
jim-wang-intel committed Mar 8, 2021
1 parent 7248181 commit 0cea5ec
Showing 4 changed files with 84 additions and 12 deletions.
10 changes: 6 additions & 4 deletions snap/hooks/install
Expand Up @@ -14,14 +14,16 @@ for service in security-file-token-provider security-proxy-setup security-secret
if [ ! -f "$SNAP_DATA/config/$service/res/configuration.toml" ]; then
mkdir -p "$SNAP_DATA/config/$service/res"

# for security-bootstrapper, we only need the configureRedis subcommand portion and associated
# for security-bootstrapper, we have two different configuration toml, one for bootstrap-redis and one for security-bootstrapper itself
# the bootstrap-redis run the configureRedis subcommand portion and associated
# configuration.toml file
# the bootstrap-consul or consul-bootstrapper runs the setupRegistryACL subcommand portion and associated configuration.toml file
if [ "$service" == "security-bootstrapper" ]; then
mkdir -p "$SNAP_DATA/config/$service/res-bootstrap-redis"
cp "$SNAP/config/$service/res-bootstrap-redis/configuration.toml" \
"$SNAP_DATA/config/$service/res/configuration.toml"
else
cp "$SNAP/config/$service/res/configuration.toml" "$SNAP_DATA/config/$service/res/configuration.toml"
"$SNAP_DATA/config/$service/res-bootstrap-redis/configuration.toml"
fi
cp "$SNAP/config/$service/res/configuration.toml" "$SNAP_DATA/config/$service/res/configuration.toml"

# replace $SNAP, $SNAP_DATA, $SNAP_COMMON env vars for file-token-provider,
# as it doesn't support env var overrides
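Review bot: The guard `if [ ! -f "$SNAP_DATA/config/$service/res/configuration.toml" ]` at the top of this hunk still tests only the `res` copy, while the security-bootstrapper branch now also creates `res-bootstrap-redis/configuration.toml`, which the `security-bootstrap-redis` app in snapcraft.yaml now points its `-confdir` at. Whenever this hook runs against a $SNAP_DATA that already holds `res/configuration.toml` but not the redis one, the redis copy is silently skipped and that oneshot would start without its config; giving each `cp` its own `[ ! -f target ]` check keeps the hook idempotent regardless of which files already exist. The enclosing `for service in …` loop starts before the hunk.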
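--- a/snap/local/runtime-helpers/bin/setup-consul-acl.sh
+++ b/snap/local/runtime-helpers/bin/setup-consul-acl.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# note: -e flag is not used in this one-shot service
+# we don't want to exit out the whole Consul process when ACL bootstrapping failed, just that
+# Consul won't have ACL to be used
+
+echo "$(date) in setup-consul-acl.sh: ENABLE_REGISTRY_ACL = ${ENABLE_REGISTRY_ACL}"
+
+if [ "${ENABLE_REGISTRY_ACL}" == "true" ]; then
+# setup Consul's ACL via security-bootstrapper's subcommand
+"$SNAP"/bin/security-bootstrapper -confdir "$SNAP_DATA"/config/security-bootstrapper/res setupRegistryACL
+setupACL_code=$?
+if [ "${setupACL_code}" -ne 0 ]; then
+echo "$(date) failed to set up Consul ACL"
+fi
+else
+echo "$(date) ACL not enabled, skip Consul's ACL setup"
+fi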
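Review bot: A failed `setupRegistryACL` is only logged by `echo "$(date) failed to set up Consul ACL"` and the script then exits 0, so the `security-consul-bootstrapper` oneshot is reported as successful and nothing downstream can tell that Consul is running without its ACL bootstrap. The header comment justifies this by not wanting to take down "the whole Consul process", but this script is its own oneshot service rather than the `consul` app's command, so as far as snapcraft.yaml shows a non-zero exit here would only mark this service as failed; `exit "${setupACL_code}"` after the message, with the message sent to stderr via `>&2`, would surface the failure to `snap services`. If a soft failure is intentional, the comment should state why a reported success is acceptable when ACL setup did not happen, rather than referring to the Consul process.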
31 changes: 31 additions & 0 deletions snap/local/runtime-helpers/bin/start-consul.sh
@@ -1,5 +1,36 @@
#!/bin/bash -e

echo "$(date) deploying the default EdgeX configuration for Consul"
# the default Consul local configuration is applied to all cases no matter ACL is enabled or not
# note that Consul's DNS port is disabled based on the securing Consul ADR
# https://github.com/edgexfoundry/edgex-docs/blob/master/docs_src/design/adr/security/0017-consul-security.md#phase-1
cat > "$SNAP_DATA/consul/config/consul_default.json" <<EOF
{
"enable_local_script_checks": true,
"disable_update_check": true,
"ports": {
"dns": -1
}
}
EOF

echo "$(date) ENABLE_REGISTRY_ACL = ${ENABLE_REGISTRY_ACL}"

# if feature flag ENABLE_REGISTRY_ACL is true, then we need to add additional configuration settings to Consul's ACL system
# according to the securing Consul ADR, we set the "default_policy" to "allow" in Phase 1
if [ "${ENABLE_REGISTRY_ACL}" == "true" ]; then
echo "$(date) deploying additional ACL configuration for Consul"
cat > "$SNAP_DATA/consul/config/consul_acl.json" <<EOF
{
"acl": {
"enabled": true,
"default_policy": "allow",
"enable_token_persistence": true
}
}
EOF
fi

# start consul in the background
"$SNAP/bin/consul" agent \
-data-dir="$SNAP_DATA/consul/data" \
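Review bot: `consul_acl.json` is written when `ENABLE_REGISTRY_ACL` is `true` but never removed otherwise, so a file left by an earlier start with the flag set keeps ACLs enabled on a later start with the flag cleared, while the `ACL not enabled` path in setup-consul-acl.sh then skips bootstrapping against an agent that still has ACLs on. An `else` branch with `rm -f -- "$SNAP_DATA/consul/config/consul_acl.json"` keeps the on-disk config in step with the flag. Separately, `#!/bin/bash -e` only takes effect when the script is executed directly; a `set -e` line inside the script is the reliable form. The script continues past the hunk with the `consul agent` invocation.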
38 changes: 30 additions & 8 deletions snap/snapcraft.yaml
Expand Up @@ -76,6 +76,8 @@ apps:
consul:
adapter: full
command: bin/start-consul.sh
environment:
ENABLE_REGISTRY_ACL: "true"
daemon: forking
plugs: [network, network-bind]
redis:
Expand Down Expand Up @@ -159,6 +161,9 @@ apps:
SECRETSTORE_TOKENPROVIDER: $SNAP/bin/security-file-token-provider
SECRETSTORE_TOKENPROVIDERARGS: "-confdir, $SNAP_DATA/config/security-file-token-provider/res"
SECRETSTORE_TOKENPROVIDERADMINTOKENPATH: $SNAP_DATA/secrets/tokenprovider/secrets-token.json
# registry consul ACL related environment variables:
ENABLE_REGISTRY_ACL: "true"
SECRETSTORE_CONSULSECRETSADMINTOKENPATH: $SNAP_DATA/secrets/edgex-consul/admin/token.json

# environment for security-file-token-provider, exec'd by secretstore-setup
TOKENFILEPROVIDER_PRIVILEGEDTOKENPATH: $SNAP_DATA/secrets/tokenprovider/secrets-token.json
Expand All @@ -179,16 +184,16 @@ apps:
daemon: oneshot
start-timeout: 15m
plugs: [network]
# This is a simple service which calls into vault to retrieve the Redis password and then
# to generate Redis config file for Redis server to start up with credentials and ACL rules.
# Redis can be started once the confFile is created. Once the config file has been generated,
# this service exits. In the Docker version, the customized redis' entrypoint.sh performs
# This is a simple service which calls into vault to retrieve the Redis password and then
# to generate Redis config file for Redis server to start up with credentials and ACL rules.
# Redis can be started once the confFile is created. Once the config file has been generated,
# this service exits. In the Docker version, the customized redis' entrypoint.sh performs
# the similar actions as described above.
security-bootstrap-redis:
adapter: none
after:
- security-secretstore-setup
command: bin/security-bootstrapper -confdir $SNAP_DATA/config/security-bootstrapper/res configureRedis
command: bin/security-bootstrapper -confdir $SNAP_DATA/config/security-bootstrapper/res-bootstrap-redis configureRedis
environment:
# TODO: determine the correct cmd-line args & env var overrides...
SECRETSTORE_SERVERNAME: localhost
Expand All @@ -197,6 +202,20 @@ apps:
DATABASECONFIG_NAME: redis.conf
daemon: oneshot
plugs: [network]
# This is a one-shot service which sets up consul's ACL and prepare for creating consul's agent tokens later on
security-consul-bootstrapper:
adapter: none
after:
- security-secretstore-setup
command: bin/setup-consul-acl.sh
environment:
ENABLE_REGISTRY_ACL: "true"
STAGEGATE_REGISTRY_HOST: localhost
STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: $SNAP_DATA/secrets/consul-acl-token/bootstrap_token.json
STAGEGATE_REGISTRY_ACL_SECRETSADMINTOKENPATH: $SNAP_DATA/secrets/edgex-consul/admin/token.json
STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: $SNAP_DATA/consul/config/consul_acl_done
daemon: oneshot
plugs: [network]
core-data:
adapter: full
after:
Expand Down Expand Up @@ -305,7 +324,7 @@ apps:
adapter: none
command: bin/security-proxy-setup
environment:
SECRETSTORE_TOKENPATH: $SNAP_DATA/secrets/edgex-security-proxy-setup/secrets-token.json
SECRETSTORE_TOKENFILE: $SNAP_DATA/secrets/edgex-security-proxy-setup/secrets-token.json
plugs: [home, removable-media, network]
secrets-config:
adapter: none
Expand Down Expand Up @@ -606,11 +625,14 @@ parts:
"$SNAPCRAFT_PART_INSTALL/config/security-file-token-provider/res/configuration.toml"
;;
# For security bootstrapping Redis, we only need the configuration file used for "configureRedis"
# as part of the whole "security-bootstrapper". The other parts of security-bootstrapper is only
# for Docker version running in docker-compose file cases.
# as part of the whole "security-bootstrapper".
# For security bootstrapping Consul (aka consul-bootstrapper), we then need the security-bootstrapper's
# toml file and thus here we install both files.
"security-bootstrapper")
install -DT "./cmd/security-bootstrapper/res-bootstrap-redis/configuration.toml" \
"$SNAPCRAFT_PART_INSTALL/config/security-bootstrapper/res-bootstrap-redis/configuration.toml"
install -DT "./cmd/security-bootstrapper/res/configuration.toml" \
"$SNAPCRAFT_PART_INSTALL/config/security-bootstrapper/res/configuration.toml"
;;
# The security-secrets-config doesn't have a default configuration.toml, but since it shares
# the same config as proxy-setup, just use that one.
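Review bot: `ENABLE_REGISTRY_ACL: "true"` is now declared separately for the `consul` app (hunk @@ -76), the secretstore-setup app (hunk @@ -159) and the new `security-consul-bootstrapper` app (hunk @@ -197), so the three can silently disagree: start-consul.sh would enable ACLs while setup-consul-acl.sh skips the bootstrap, or the reverse. Hoisting the flag to one place — a top-level `environment:` entry if the snapcraft version in use supports it, or a single variable the three apps read — would make the switch atomic; at minimum a comment at each site naming the other two would help, e.g. `# keep in sync with the consul and security-consul-bootstrapper apps`. The new `security-consul-bootstrapper` app lists only `security-secretstore-setup` under `after:` although it targets `STAGEGATE_REGISTRY_HOST: localhost`; if it depends on the `consul` app being up, that ordering is not expressed here (it may be handled by a retry inside the bootstrapper, which this page does not show).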
