#189: Add Hashicorp Vault as db credential source, smtp password is also now supports Vault #190
ebrahimmfadae merged 2 commits into dev
Conversation
| - "127.0.0.1:8200:8200" | ||
| volumes: | ||
| - $DATA/vault:/vault/file:rw | ||
| - $PWD/vault/config:/vault/config:rw |
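Review bot: the config mount `$PWD/vault/config:/vault/config:rw` gives the Vault process write access it does not need; mounting it `:ro` leaves `$DATA/vault:/vault/file:rw` as the only writable path, so a fault or compromise inside the container cannot rewrite the server's own listener or storage settings. Binding the API to `127.0.0.1:8200:8200` rather than to all host interfaces is the right call and should stay.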
Why is $PWD used instead of $DATA?
As I remember, DATA is used to address runtime output, but here we need to introduce the existing vault configs to the container.
| @@ -0,0 +1,33 @@ | |||
| version: '3.8' | |||
Is this file redundant? Because the same implementation exists in docker-compose.yml
Good catch 👍 I will remove this and the local compose as well, they are only used for testing :)
| - PANEL_PASS=${PANEL_PASS} | ||
| - BACKEND_USER=${BACKEND_USER} | ||
| - SMTP_PASS=${SMTP_PASS} | ||
| - DB_USER=${DB_USER} |
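Review bot: `PANEL_PASS`, `SMTP_PASS` and the user names are handed to the container as plain environment variables, so they are visible to anyone who can run `docker inspect` on the host or read the container's process environment, and they persist for the life of the container even though the init script only needs them once. A Docker secret or a file mounted for the start-up step and removed afterwards limits that exposure. Since the thread notes that a single `DB_USER`/password pair is reused for every app, one leaked credential reaches all databases; separate per-app variables keep the blast radius to one service.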
Are these default values? Can we change the username and password for each app?
Technically yes, as there are separate lines for each app in the vault's start-up script, but to ease the setup of compose we used only one env var for all of them.
| vault server -config /vault/config/vault.json & | ||
|
|
||
| ## Export values | ||
| export VAULT_ADDR='http://0.0.0.0:8200' |
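Review bot: `vault server -config /vault/config/vault.json &` returns immediately, so any `vault` commands that follow the exports can run before the listener is up and fail silently; poll `vault status` (or the `/v1/sys/health` endpoint) until the server answers before continuing. `VAULT_ADDR='http://0.0.0.0:8200'` also talks to the server over plain HTTP, and `0.0.0.0` is a bind address rather than a connect address; inside the container `http://127.0.0.1:8200` is the unambiguous choice, and if anything outside the container uses this address a TLS listener should replace `http`.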
Apparently these export commands will override the environment configs in docker-compose.yml, which makes the environment variables redundant. If it's not the case please explain.
Yep, right. As the port 8200 is also hard-coded in the vault.json, I will remove the env from compose.
| - VAULT_API_ADDR=http://0.0.0.0:8200 | ||
| - VAULT_ADDRESS=http://0.0.0.0:8200 | ||
| - PANEL_PASS=${PANEL_PASS} | ||
| - BACKEND_USER=${BACKEND_USER} |
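Review bot: `VAULT_API_ADDR=http://0.0.0.0:8200` is the address Vault advertises to clients for reaching this node, and `0.0.0.0` resolves to the caller's own loopback rather than to the Vault container; it should be the name other services use (the UI hunk uses `http://vault:8200`). `VAULT_ADDRESS` is not a variable the Vault CLI reads (that is `VAULT_ADDR`), so unless the start script consumes it explicitly it is dead configuration. The thread already agrees to drop these in favour of the hard-coded value in vault.json, which also avoids two sources of truth for the listener address.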
What is BACKEND_USER's value?
In Jenkinsfile.deploy.dev.groovy it is defined to be retrieved from Jenkins credentials.
| image: djenriquez/vault-ui | ||
| environment: | ||
| - VAULT_URL_DEFAULT=http://vault:8200 | ||
| - VAULT_AUTH_DEFAULT=USERNAMEPASSWORD |
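Review bot: `image: djenriquez/vault-ui` carries no tag or digest, so every deploy pulls whatever `latest` is at the time; a third-party UI that handles Vault tokens should be pinned to a specific version or `@sha256:` digest and reviewed before bumps. With the UI port exposed (as the thread notes), the userpass login form is reachable from outside while the Vault API itself is bound to `127.0.0.1`; give the UI the same loopback binding, or place it behind TLS and an allow-list, rather than exposing it directly.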
Is this the actual credential or will it change after initializing? Considering that the UI port is going to be exposed.
USERNAMEPASSWORD is not the userpass, it indicates the default authentication method.
* remove payment from enginx config
* Add storage module's volume
* Fix storage volume address
* close #175: Fix matching-engine's trade counter
* 174 upgrade versions (#179)
* remove payment from enginx config (#170)
* #174: All modules except keycloak-gateway upgraded. Co-authored-by: Peyman <46522754+Marchosiax@users.noreply.github.com>
* Close #171 and #177: Kafka improvement (#180)
* Clean up engine's event models
* Clean up accountant
* Adding new events for richorder topic
* Add OrderStatus model
* Separate order and trade processing in API
* Set all kafka configs
* close #177: Fix websocket issue
* Add kafka ui monitoring tool
* Fix new topic beans
* Change kafka image
* Fix kafka config
* Fix bean name error
* Remove kafka exposed ports
* Remove root user grant
* Optimize imports
* Change java version to 11 (#185)
* #189: Add Hashicorp Vault as db credential source, smtp password is a… (#190)
* #189: Add Hashicorp Vault as db credential source, smtp password is also now supports Vault
* #189: A bit cleaning in the configs to remove useless files/redundant variables
* #199: move vault host config from docker to main profile (#192)
* Close #181, Remove nginx (#194)
* Remove nginx service and config file
* Remove redundant network aliases
* Refactor jenkins configs and docker compose
* Set all app ports to 8080
* Add fallback value to network config
* Rename network
* Refactor docker-compose configs
* Add remove orphans to docker-compose startup script
* Refactor jenkins configuration files
* Resolve docker-compose config issues
* Update jvm target version in kotlin-maven-plugin
* Remove anonymous volumes in docker files
* Update Jenkins file
* Cleanup docker-compose configs
* Fix typo in server port
* Change chain scan gateway addresses
* Update java version in git flows
* Rename compose project name in Jenkinsfile
* Update DATA value in Jenkins
* Update maven compiler version in keycloak
* Fix maven version
* Add clean up codes after deliver
* Fix local port expose
* Update Jenkins stages title
* Close #195, Fix maven build issues (#196)
* Fix matching-engine test package names
* Change vault config address
* Fix docker-compose command in jenkins
* Fix bc-gateway VAULT_HOST
* Security issues resolved (#197)
* Add auth endpoint extensions
* Add admin module
* close #172: Brute force
* close #182: Token and clients
* Add auth admin services
* Add keycloak extension
* Add profile services
* Resolve merge conflicts
* Add opex realm configs
* Close #172: Brute force protection
* Close #182: Token organization
* Close #186: Keycloak and security improvements
* Remove .env gitignore rule
* Revert keycloak's admin and frontend url
* Remove client secret variable
* Add .env gitignore rule
* Update gitignore
* Hostfix keycloak
* Remove application-docker.yml and application-local.yml profiles
* Extract keycloak frontend url configs
* Remove mvnw and mvnw.cmd in all modules
* Fix postgres version
* Add resources folder
* Fix vault config
* Fix env variables in application.yml
* Add migration config to keycloak
* Update keycloak url configs
* Close #200, Refactor deployment configs (#206)
* Remove application-docker.yml and application-local.yml profiles
* Extract keycloak frontend url configs
* Remove mvnw and mvnw.cmd in all modules
* Fix postgres version
* Add resources folder
* Fix vault config
* Fix env variables in application.yml
* Add migration config to keycloak
* Update keycloak url configs
* Fix opex-master-realm.json path in keycloak
* Fix cert-url in websocket
* Remove ; from end of postgres sql commands
* Add bitcoin reserved addresses

Co-authored-by: Peyman <marchosiax@gmail.com>
Co-authored-by: maryarm <45322329+maryarm@users.noreply.github.com>
Co-authored-by: Peyman <46522754+Marchosiax@users.noreply.github.com>