feat(security)!: Implementation of JWT authentication ADR #4244
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bnevis-i
changed the title
5 tasks
|
@farshidtz To be unblocked by canonical/edgex-snap-testing#163 |
Thanks, looking into it. But please keep in mind that the snap tests don't block PR merges. |
Thanks for the reminder. Probably ok to hold it then. |
jim-wang-intel
requested changes
Mar 1, 2023
cmd/security-bootstrapper/entrypoint-scripts/nginx_wait_install.sh
Outdated
Show resolved
Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/nginx_wait_install.sh
Outdated
Show resolved
Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/nginx_wait_install.sh
Outdated
Show resolved
Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/proxy_setup_wait_install.sh
Show resolved
Hide resolved
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## main #4244 +/- ##
==========================================
- Coverage 43.66% 41.78% -1.89%
==========================================
Files 116 106 -10
Lines 10724 9736 -988
==========================================
- Hits 4683 4068 -615
+ Misses 5619 5321 -298
+ Partials 422 347 -75
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
BREAKING CHANGE: Requires JWT authentication for all inbound requests except for /api/v2/ping URL. Removes support for Kong reverse proxy. In place of Kong, uses NGINX proxy auth module and introduces new security-prox-auth service. Changes secrets-config proxy adduser/deluser commands to create Vault users instead of Kong user. Changes secrets-config proxy tls command to write TLS certificate to docker volume instead of Kong. Removes security-proxy-setup go binary and replaces with shell script to create default TLS token. Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>
Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>
|
Kudos, SonarCloud Quality Gate passed!
|
This was referenced Mar 10, 2023
farshidtz
reviewed
Mar 10, 2023
There was a problem hiding this comment.
Already merged but I'd like to suggest making the CLI argument naming conventions consistent:
$ edgexfoundry.secrets-config proxy adduser -h
Usage of adduser:
-configDir string
-jwtTTL string
JWT created by vault identity provider lasts this long (default "1h")
-tokenTTL string
Vault token created as a result of vault login lasts this long (default "1h")
-useRootToken
Set to true to TokenFile in config points to a resp-init.json instead of a service token
-user string
Username of the user to add
level=ERROR ts=2023-03-10T11:55:04.114755814Z app=secrets-config source=bootstraphandler.go:70 msg="unable to parse command: -h: flag: help requested"
Ok - all camelCase
$ edgexfoundry.secrets-config proxy deluser -h
Usage of deluser:
-configDir string
-useRootToken
Set to true to TokenFile in config points to a resp-init.json instead of a service token
-user string
Username of the user to delete
level=ERROR ts=2023-03-10T11:55:10.795005034Z app=secrets-config source=bootstraphandler.go:70 msg="Unable to parse command: -h: flag: help requested"
Ok - all camelCase
$ edgexfoundry.secrets-config proxy tls -h
Usage of tls:
-certfilename string
Filename of certificate file (on target) (default "nginx.crt")
-configDir string
-incert string
Path to PEM-encoded leaf certificate
-inkey string
Path to PEM-encoded private key
-keyfilename string
Filename of private key file (on target (default "nginx.key")
-targetfolder string
Path to TLS key file (default "/etc/ssl/nginx")
level=ERROR ts=2023-03-10T11:55:14.547332083Z app=secrets-config source=bootstraphandler.go:70 msg="unable to parse command: -h: flag: help requested"
Not OK.
-certfilename->-certFilename-incert->-inCert-inkey->inKey-keyfilename->-keyFilename-targetfolder->-targetFolder
Also, I don't know why it is printing error on -h.
@bnevis-i I'll open an issue if necessary.
|
@farshidtz See #4433 for fixes described in #4244 (review) |
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
BREAKING CHANGE: Requires JWT authentication for all inbound
requests except for /api/v2/ping URL. Removes support for
Kong reverse proxy. In place of Kong, uses NGINX
proxy auth module and introduces new security-prox-auth service.
Changes secrets-config proxy adduser/deluser commands to create
Vault users instead of Kong user. Changes secrets-config proxy tls
command to write TLS certificate to docker volume instead of Kong.
Removes security-proxy-setup go binary and replaces with shell
script to create default TLS token.
Signed-off-by: Bryon Nevis bryon.nevis@intel.com
PR Checklist
Please check if your PR fulfills the following requirements:
BREAKING CHANGE:describing the break)Testing Instructions
New Dependency Instructions (If applicable)