feat(security)!: Implementation of JWT authentication ADR #4244
Conversation
@farshidtz To be unblocked by canonical/edgex-snap-testing#163
Thanks, looking into it. But please keep in mind that the snap tests don't block PR merges.
Thanks for the reminder. Probably ok to hold it then.
some minor changes
Review comments on:
cmd/security-bootstrapper/entrypoint-scripts/nginx_wait_install.sh (outdated, resolved)
cmd/security-bootstrapper/entrypoint-scripts/nginx_wait_install.sh (outdated, resolved)
cmd/security-bootstrapper/entrypoint-scripts/nginx_wait_install.sh (outdated, resolved)
cmd/security-bootstrapper/entrypoint-scripts/proxy_setup_wait_install.sh (resolved)
Codecov Report
@@ Coverage Diff @@
##             main    #4244      +/-   ##
==========================================
- Coverage   43.66%   41.78%   -1.89%
==========================================
  Files         116      106      -10
  Lines       10724     9736     -988
==========================================
- Hits         4683     4068     -615
+ Misses       5619     5321     -298
+ Partials      422      347      -75
BREAKING CHANGE: Requires JWT authentication for all inbound requests except for /api/v2/ping URL. Removes support for Kong reverse proxy. In place of Kong, uses NGINX proxy auth module and introduces new security-prox-auth service. Changes secrets-config proxy adduser/deluser commands to create Vault users instead of Kong user. Changes secrets-config proxy tls command to write TLS certificate to docker volume instead of Kong. Removes security-proxy-setup go binary and replaces with shell script to create default TLS token.
Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>
Kudos, SonarCloud Quality Gate passed!
LGTM
Already merged but I'd like to suggest making the CLI argument naming conventions consistent:
$ edgexfoundry.secrets-config proxy adduser -h
Usage of adduser:
-configDir string
-jwtTTL string
JWT created by vault identity provider lasts this long (default "1h")
-tokenTTL string
Vault token created as a result of vault login lasts this long (default "1h")
-useRootToken
Set to true to TokenFile in config points to a resp-init.json instead of a service token
-user string
Username of the user to add
level=ERROR ts=2023-03-10T11:55:04.114755814Z app=secrets-config source=bootstraphandler.go:70 msg="unable to parse command: -h: flag: help requested"
Ok - all camelCase
$ edgexfoundry.secrets-config proxy deluser -h
Usage of deluser:
-configDir string
-useRootToken
Set to true to TokenFile in config points to a resp-init.json instead of a service token
-user string
Username of the user to delete
level=ERROR ts=2023-03-10T11:55:10.795005034Z app=secrets-config source=bootstraphandler.go:70 msg="Unable to parse command: -h: flag: help requested"
Ok - all camelCase
$ edgexfoundry.secrets-config proxy tls -h
Usage of tls:
-certfilename string
Filename of certificate file (on target) (default "nginx.crt")
-configDir string
-incert string
Path to PEM-encoded leaf certificate
-inkey string
Path to PEM-encoded private key
-keyfilename string
Filename of private key file (on target (default "nginx.key")
-targetfolder string
Path to TLS key file (default "/etc/ssl/nginx")
level=ERROR ts=2023-03-10T11:55:14.547332083Z app=secrets-config source=bootstraphandler.go:70 msg="unable to parse command: -h: flag: help requested"
Not OK.
-certfilename -> -certFilename
-incert -> -inCert
-inkey -> -inKey
-keyfilename -> -keyFilename
-targetfolder -> -targetFolder
Also, I don't know why it is printing error on -h.
@bnevis-i I'll open an issue if necessary.
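The "-h" behaviour seen above is the Go flag package at work: when "-h" or "-help" is passed and no such flag is defined, FlagSet.Parse prints the usage text and returns the sentinel error flag.ErrHelp, whose message is exactly "flag: help requested". A command handler that treats every non-nil Parse error as a failure will log it at ERROR level, which is what the output above shows. The following is an added example, not EdgeX code, of a subcommand parser that uses the camelCase flag names suggested in the review and treats flag.ErrHelp as a clean exit rather than an error; the addUserOptions struct, the parseAddUser function and the discard writer are hypothetical names chosen for this example, and the TTL flags are modelled as time.Duration rather than the string flags the real binary uses.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
	"os"
	"time"
)

// addUserOptions holds the adduser flags (hypothetical struct for this example).
// The flag names follow the camelCase convention the review asks for:
// -configDir, -jwtTTL, -tokenTTL, -useRootToken, -user.
type addUserOptions struct {
	ConfigDir    string
	JWTTTL       time.Duration
	TokenTTL     time.Duration
	UseRootToken bool
	User         string
}

// discard is handed to parseAddUser when usage text should not be printed.
var discard io.Writer = io.Discard

// parseAddUser parses the arguments of the adduser subcommand.
// It returns helpRequested=true with a nil error when -h/-help was given,
// so the caller can print usage and exit 0 instead of logging
// "flag: help requested" as an ERROR.
func parseAddUser(args []string, usageOut io.Writer) (*addUserOptions, bool, error) {
	// ContinueOnError makes Parse return its error instead of calling os.Exit,
	// which lets the caller distinguish a help request from a genuine parse failure.
	fs := flag.NewFlagSet("adduser", flag.ContinueOnError)
	fs.SetOutput(usageOut)

	o := &addUserOptions{}
	fs.StringVar(&o.ConfigDir, "configDir", "", "Directory containing the service configuration")
	fs.DurationVar(&o.JWTTTL, "jwtTTL", time.Hour, "JWT created by vault identity provider lasts this long")
	fs.DurationVar(&o.TokenTTL, "tokenTTL", time.Hour, "Vault token created as a result of vault login lasts this long")
	fs.BoolVar(&o.UseRootToken, "useRootToken", false, "Set to true if TokenFile in config points to a resp-init.json instead of a service token")
	fs.StringVar(&o.User, "user", "", "Username of the user to add")

	if err := fs.Parse(args); err != nil {
		// flag.ErrHelp is the sentinel returned for -h/-help; usage was already printed.
		if errors.Is(err, flag.ErrHelp) {
			return nil, true, nil
		}
		return nil, false, fmt.Errorf("unable to parse command: %w", err)
	}

	// Validate what the flag package cannot: required values and sane TTLs.
	if o.User == "" {
		return nil, false, errors.New("-user is required")
	}
	if o.JWTTTL <= 0 || o.TokenTTL <= 0 {
		return nil, false, errors.New("-jwtTTL and -tokenTTL must be positive durations")
	}
	return o, false, nil
}

func main() {
	opts, help, err := parseAddUser(os.Args[1:], os.Stderr)
	if help {
		os.Exit(0) // usage was printed; a help request is not a failure
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("adduser: user=%s jwtTTL=%s tokenTTL=%s useRootToken=%t configDir=%q\n",
		opts.User, opts.JWTTTL, opts.TokenTTL, opts.UseRootToken, opts.ConfigDir)
}
```

Running the example with `-h` prints the usage text and exits 0 without an ERROR line; an unknown flag or a missing `-user` still returns an error, so operators can tell a typo apart from a help request in the logs.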
@farshidtz See #4433 for fixes described in #4244 (review)