feat(security): secure containers run as non-root

cmd/core-command/Dockerfile

@@ -49,5 +49,6 @@ WORKDIR /
 COPY --from=builder /edgex-go/cmd/core-command/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/core-command/core-command /
 COPY --from=builder /edgex-go/cmd/core-command/res/configuration.toml /res/configuration.toml
+
 ENTRYPOINT ["/core-command"]
 CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]

cmd/core-metadata/Dockerfile

@@ -49,5 +49,6 @@ WORKDIR /
 COPY --from=builder /edgex-go/cmd/core-metadata/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/core-metadata/core-metadata /
 COPY --from=builder /edgex-go/cmd/core-metadata/res/configuration.toml /res/configuration.toml
+
 ENTRYPOINT ["/core-metadata"]
 CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]

cmd/security-secretstore-setup/Dockerfile

@@ -50,9 +50,11 @@ COPY --from=builder /edgex-go/cmd/security-secretstore-setup/res/configuration.t
 COPY --from=builder /edgex-go/cmd/security-file-token-provider/security-file-token-provider .
 COPY --from=builder /edgex-go/cmd/security-secretstore-setup/security-secretstore-setup .
 
-# setup the entry point script
+# Setup the entry point script, create token dir, and assign perms
 COPY --from=builder /edgex-go/cmd/security-secretstore-setup/entrypoint.sh /usr/local/bin/
 RUN chmod +x /usr/local/bin/entrypoint.sh \
-    && ln -s /usr/local/bin/entrypoint.sh /
+    && ln -s /usr/local/bin/entrypoint.sh / \
+    && mkdir -p /vault/config/assets \
+    && chown -Rh 100:1000 /vault/    
 
 ENTRYPOINT ["entrypoint.sh"]

cmd/security-secretstore-setup/entrypoint.sh

@@ -24,27 +24,21 @@ if [ -n "${SECRETSTORE_SETUP_DONE_FLAG}" ] && [ -f "${SECRETSTORE_SETUP_DONE_FLA
   rm -f "${SECRETSTORE_SETUP_DONE_FLAG}"
 fi
 
-echo "creating /vault/config/assets"
+echo "Starting vault-worker..."
 
-# create token directory and
-# grant permissions of folders for vault:vault
-mkdir -p /vault/config/assets
-chown -Rh 100:1000 /vault/
-
-echo "starting vault-worker..."
-
-echo "Initializing secret store"
+echo "Initializing secret store..."
 /security-secretstore-setup --vaultInterval=10
 
-echo "Executing custom command: $@"
-"$@"
-
 # write a sentinel file when we're done because consul is not
 # secure and we don't trust it it access to the EdgeX secret store
 if [ -n "${SECRETSTORE_SETUP_DONE_FLAG}" ]; then
+
+    echo "Changing ownership of secrets to edgex_user:edgex_group"
+    chown -R ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets
+
     echo "Signaling secretstore-setup completion"
-    mkdir -p $(dirname "${SECRETSTORE_SETUP_DONE_FLAG}")
-    touch "${SECRETSTORE_SETUP_DONE_FLAG}"
+    mkdir -p $(dirname "${SECRETSTORE_SETUP_DONE_FLAG}") && \
+      touch "${SECRETSTORE_SETUP_DONE_FLAG}"
 fi
 
 echo "Waiting for termination signal"

cmd/support-notifications/Dockerfile

@@ -49,5 +49,6 @@ COPY --from=builder /etc/ssl /etc/ssl
 COPY --from=builder /edgex-go/cmd/support-notifications/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/support-notifications/support-notifications /
 COPY --from=builder /edgex-go/cmd/support-notifications/res/configuration.toml /res/configuration.toml
+
 ENTRYPOINT ["/support-notifications"]
 CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]

cmd/support-scheduler/Dockerfile

@@ -47,5 +47,6 @@ EXPOSE $APP_PORT
 COPY --from=builder /edgex-go/cmd/support-scheduler/Attribution.txt /
 COPY --from=builder /edgex-go/cmd/support-scheduler/support-scheduler /
 COPY --from=builder /edgex-go/cmd/support-scheduler/res/configuration.toml /res/configuration.toml
+
 ENTRYPOINT ["/support-scheduler"]
 CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]