From 81548f03d031b7e7af92860e7a616548471cc0de Mon Sep 17 00:00:00 2001 
From: maryarm Date: Sat, 5 Feb 2022 03:56:53 +0100 Subject: [PATCH 1/2] #189: Add Hashicorp Vault as db credential source, smtp password is also now supports Vault --- Deployment/docker-compose-vault.yml | 33 +++++++ Deployment/docker-compose.dev.yml | 10 +++ Deployment/docker-compose.override.yml | 10 +++ Deployment/docker-compose.yml | 46 ++++++++++ Deployment/vault/config/backend-policy.hcl | 26 ++++++ Deployment/vault/config/panel-policy.hcl | 27 ++++++ Deployment/vault/config/vault.json | 16 ++++ Deployment/vault/config/workflow-vault.sh | 87 +++++++++++++++++++ Jenkins/Jenkinsfile.deploy.dev.groovy | 5 ++ Jenkins/Jenkinsfile.deploy.groovy | 5 ++ accountant/accountant-app/pom.xml | 4 + .../opex/util/vault/VaultUserIdMechanism.kt | 9 ++ .../src/main/resources/application-docker.yml | 6 +- .../src/main/resources/application-local.yml | 5 ++ .../src/main/resources/application.yml | 15 ++++ .../accountant-wallet-proxy/pom.xml | 12 --- accountant/pom.xml | 7 ++ api/api-app/pom.xml | 4 + .../opex/util/vault/VaultUserIdMechanism.kt | 9 ++ .../src/main/resources/application-docker.yml | 6 +- .../src/main/resources/application-local.yml | 5 ++ .../src/main/resources/application.yml | 16 +++- api/api-ports/api-binance-rest/pom.xml | 12 +-- api/pom.xml | 7 ++ bc-gateway/bc-gateway-app/pom.xml | 4 + .../opex/util/vault/VaultUserIdMechanism.kt | 9 ++ .../src/main/resources/application-docker.yml | 6 +- .../src/main/resources/application-local.yml | 8 ++ .../src/main/resources/application.yml | 15 ++++ eventlog/eventlog-app/pom.xml | 16 ++++ .../opex/util/vault/VaultUserIdMechanism.kt | 9 ++ .../src/main/resources/application-docker.yml | 9 +- .../src/main/resources/application-local.yml | 9 ++ .../src/main/resources/application.yml | 20 ++++- user-management/keycloak-gateway/pom.xml | 14 +++ .../extension/HashicorpVaultProvider.java | 52 +++++++++++ .../HashicorpVaultProviderFactory.java | 76 ++++++++++++++++ .../auth/gateway/extension/VaultService.java | 60 +++++++++++++ 
.../opex/util/vault/VaultUserIdMechanism.kt | 9 ++ .../resources/META-INF/keycloak-server.json | 12 ++- .../org.keycloak.vault.VaultProviderFactory | 1 + .../src/main/resources/application-docker.yml | 6 +- .../src/main/resources/application-local.yml | 12 +++ .../src/main/resources/application.yml | 17 ++++ .../src/main/resources/opex-master-realm.json | 2 +- .../src/main/resources/opex-realm.json | 2 +- user-management/pom.xml | 4 +- wallet/wallet-app/pom.xml | 4 + .../opex/util/vault/VaultUserIdMechanism.kt | 9 ++ .../src/main/resources/application-docker.yml | 6 +- .../src/main/resources/application-local.yml | 12 +++ .../src/main/resources/application.yml | 15 ++++ websocket/websocket-app/pom.xml | 4 + .../opex/util/vault/VaultUserIdMechanism.kt | 9 ++ .../src/main/resources/application-docker.yml | 6 +- .../src/main/resources/application-local.yml | 5 ++ .../src/main/resources/application.yml | 15 ++++ 57 files changed, 792 insertions(+), 47 deletions(-) create mode 100644 Deployment/docker-compose-vault.yml create mode 100644 Deployment/vault/config/backend-policy.hcl create mode 100644 Deployment/vault/config/panel-policy.hcl create mode 100644 Deployment/vault/config/vault.json create mode 100755 Deployment/vault/config/workflow-vault.sh create mode 100644 accountant/accountant-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt create mode 100644 accountant/accountant-app/src/main/resources/application-local.yml create mode 100644 api/api-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt create mode 100644 api/api-app/src/main/resources/application-local.yml create mode 100644 bc-gateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt create mode 100644 bc-gateway/bc-gateway-app/src/main/resources/application-local.yml create mode 100644 eventlog/eventlog-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt create mode 100644 
eventlog/eventlog-app/src/main/resources/application-local.yml create mode 100644 user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProvider.java create mode 100644 user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProviderFactory.java create mode 100644 user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/VaultService.java create mode 100644 user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt create mode 100644 user-management/keycloak-gateway/src/main/resources/META-INF/services/org.keycloak.vault.VaultProviderFactory create mode 100644 user-management/keycloak-gateway/src/main/resources/application-local.yml create mode 100644 wallet/wallet-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt create mode 100644 wallet/wallet-app/src/main/resources/application-local.yml create mode 100644 websocket/websocket-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt create mode 100644 websocket/websocket-app/src/main/resources/application-local.yml diff --git a/Deployment/docker-compose-vault.yml b/Deployment/docker-compose-vault.yml new file mode 100644 index 000000000..eba60f09d --- /dev/null +++ b/Deployment/docker-compose-vault.yml 
@@ -0,0 +1,33 @@
+version: '3.8'
+services:
+ vault:
+ image: vault
+ ports:
+ - "127.0.0.1:8200:8200"
+ volumes:
+ - $DATA/vault:/vault/file:rw
+ - $PWD/vault/config:/vault/config:rw
+ environment:
+ - VAULT_ADDR=http://0.0.0.0:8200
+ - VAULT_API_ADDR=http://0.0.0.0:8200
+ - VAULT_ADDRESS=http://0.0.0.0:8200
+ - PANEL_PASS=${PANEL_PASS}
+ - BACKEND_USER=${BACKEND_USER}
+ - SMTP_PASS=${SMTP_PASS}
+ - DB_USER=${DB_USER}
+ - DB_PASS=${DB_PASS}
+ healthcheck:
+ retries: 5
+ cap_add:
+ - IPC_LOCK
+ entrypoint: /vault/config/workflow-vault.sh
+ vault-ui:
+ image: djenriquez/vault-ui
+ ports:
+ - "127.0.0.1:8000:8000"
+ environment:
+ - VAULT_URL_DEFAULT=http://vault:8200
+ - VAULT_AUTH_DEFAULT=USERNAMEPASSWORD
+networks:
+ opex:
+ driver: bridge
diff --git a/Deployment/docker-compose.dev.yml b/Deployment/docker-compose.dev.yml
index fc6a924ae..2e169549b 100644
--- a/Deployment/docker-compose.dev.yml
+++ b/Deployment/docker-compose.dev.yml
@@ -22,6 +22,16 @@ services:
 environment:
 - KAFKA_LISTENERS=CLIENT://kafka-3:29092,EXTERNAL://kafka-3:9092
 - KAFKA_ADVERTISED_LISTENERS=CLIENT://kafka-3:29092,EXTERNAL://kafka-3:9092
+ vault:
+ ports:
+ - "127.0.0.1:8201:8200"
+ networks:
+ - opex-dev
+ vault-ui:
+ ports:
+ - "127.0.0.1:8001:8000"
+ networks:
+ - opex-dev
 consul:
 ports:
 - '127.0.0.1:8501:8500'
diff --git a/Deployment/docker-compose.override.yml b/Deployment/docker-compose.override.yml
index 5146737ee..9cb75b17a 100644
--- a/Deployment/docker-compose.override.yml
+++ b/Deployment/docker-compose.override.yml
@@ -13,6 +13,16 @@ services:
 kafka-3:
 networks:
 - opex
+ vault:
+ ports:
+ - "127.0.0.1:8200:8200"
+ networks:
+ - opex
+ vault-ui:
+ ports:
+ - "127.0.0.1:8000:8000"
+ networks:
+ - opex
 consul:
 ports:
 - '127.0.0.1:8500:8500'
diff --git a/Deployment/docker-compose.yml b/Deployment/docker-compose.yml
index acd9ae0c8..6c5ca9479 100644
--- a/Deployment/docker-compose.yml
+++ b/Deployment/docker-compose.yml
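Review bot: The `healthcheck:` block under `vault` carries only `retries: 5` and no `test:`, so unless the image ships its own HEALTHCHECK no check is defined, and the `depends_on: - vault` entries added in docker-compose.yml release the dependants as soon as the container exists, before workflow-vault.sh has unsealed Vault and written the secrets; with `fail-fast: true` in every service's vault config that is a startup race. A check such as `test: ["CMD", "vault", "status"]` with `interval: 10s` and `retries: 5` (`vault status` exits non-zero while sealed), combined with `condition: service_healthy` on the dependants where the Compose version in use honours it, would gate on readiness; the identical `healthcheck:` block in the docker-compose.yml hunk needs the same change. Note too that `VAULT_ADDR`/`VAULT_API_ADDR` are `http://0.0.0.0:8200`, so all client traffic on the compose network is plaintext, matching `tls_disable` in vault.json; a comment on the `vault:` service stating that this stack is dev-only would make that intent explicit.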
@@ -69,6 +69,30 @@ services: deploy: restart_policy: condition: on-failure + vault: + image: vault + volumes: + - $DATA/vault:/vault/file:rw + - $PWD/vault/config:/vault/config:rw + environment: + - VAULT_ADDR=http://0.0.0.0:8200 + - VAULT_API_ADDR=http://0.0.0.0:8200 + - VAULT_ADDRESS=http://0.0.0.0:8200 + - PANEL_PASS=${PANEL_PASS} + - BACKEND_USER=${BACKEND_USER} + - SMTP_PASS=${SMTP_PASS} + - DB_USER=${DB_USER} + - DB_PASS=${DB_PASS} + healthcheck: + retries: 5 + cap_add: + - IPC_LOCK + entrypoint: /vault/config/workflow-vault.sh + vault-ui: + image: djenriquez/vault-ui + environment: + - VAULT_URL_DEFAULT=http://vault:8200 + - VAULT_AUTH_DEFAULT=USERNAMEPASSWORD consul: image: 'consul' environment: @@ -172,11 +196,14 @@ services: - REDIS_HOST=redis - CONSUL_HOST=consul - DB_IP_PORT=postgres-accountant + - BACKEND_USER=${BACKEND_USER} + - VAULT_HOST=vault depends_on: - zookeeper - kafka-1 - redis - consul + - vault - postgres-accountant eventlog: build: @@ -189,6 +216,8 @@ services: - REDIS_HOST=redis - CONSUL_HOST=consul - DB_IP_PORT=postgres-eventlog + - BACKEND_USER=${BACKEND_USER} + - VAULT_HOST=vault depends_on: - zookeeper - kafka-1 @@ -196,6 +225,7 @@ services: - kafka-3 - redis - consul + - vault - postgres-eventlog matching-engine: build: @@ -241,6 +271,9 @@ services: - DB_IP_PORT=postgres-auth - PROXY_ADDRESS_FORWARDING=true - WORKING_DIR=$DATA + - BACKEND_USER=${BACKEND_USER} + - VAULT_URL=http://vault:8200 + - VAULT_HOST=vault depends_on: - zookeeper - kafka-1 @@ -248,6 +281,7 @@ services: - kafka-3 - redis - consul + - vault - postgres-auth deploy: restart_policy: @@ -263,6 +297,8 @@ services: - REDIS_HOST=redis - CONSUL_HOST=consul - DB_IP_PORT=postgres-wallet + - BACKEND_USER=${BACKEND_USER} + - VAULT_HOST=vault depends_on: - zookeeper - kafka-1 @@ -270,6 +306,7 @@ services: - kafka-3 - redis - consul + - vault - postgres-wallet deploy: restart_policy: 
@@ -285,6 +322,8 @@ services: - REDIS_HOST=redis - CONSUL_HOST=consul - DB_IP_PORT=postgres-api + - BACKEND_USER=${BACKEND_USER} + - VAULT_HOST=vault depends_on: - zookeeper - kafka-1 @@ -292,6 +331,7 @@ services: - kafka-3 - redis - consul + - vault - postgres-api deploy: restart_policy: @@ -306,12 +346,15 @@ services: - KAFKA_IP_PORT=kafka-1:29092,kafka-2:29092,kafka-3:29092 - CONSUL_HOST=consul - DB_IP_PORT=postgres-api + - BACKEND_USER=${BACKEND_USER} + - VAULT_HOST=vault depends_on: - zookeeper - kafka-1 - kafka-2 - kafka-3 - consul + - vault - postgres-api deploy: restart_policy: @@ -327,11 +370,14 @@ services: - REDIS_HOST=redis - CONSUL_HOST=consul - DB_IP_PORT=postgres-bc-gateway + - BACKEND_USER=${BACKEND_USER} + - VAULT_URL=http://vault:8200 depends_on: - zookeeper - kafka-1 - redis - consul + - vault - postgres-bc-gateway deploy: restart_policy: diff --git a/Deployment/vault/config/backend-policy.hcl b/Deployment/vault/config/backend-policy.hcl new file mode 100644 index 000000000..5c0140529 --- /dev/null +++ b/Deployment/vault/config/backend-policy.hcl @@ -0,0 +1,26 @@ +path "kv/*" { + capabilities = ["read"] +} + +path "secret/*" { + capabilities = ["read"] +} + +path "secret/opex/" { + capabilities = ["read"] +} + +path "secret/opex-wallet/" { + capabilities = ["read"] +} + +path "sys/mounts" { + capabilities = ["read"] +} + +path "sys/auth" { + capabilities = ["read"] +} + + + diff --git a/Deployment/vault/config/panel-policy.hcl b/Deployment/vault/config/panel-policy.hcl new file mode 100644 index 000000000..c37b73eef --- /dev/null +++ b/Deployment/vault/config/panel-policy.hcl 
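Review bot: The bc-gateway service in the last hunk is given `- VAULT_URL=http://vault:8200` but no `VAULT_HOST`, while bc-gateway's application-docker.yml in this same commit sets `spring.cloud.vault.host: ${VAULT_HOST}`; the placeholder cannot be resolved and, with `fail-fast: true`, the service will not start under compose. Every other service in this file passes `- VAULT_HOST=vault` (the auth service passes both, presumably because the Keycloak provider reads `VAULT_URL`), so change the bc-gateway line to `- VAULT_HOST=vault`, or add it alongside `VAULT_URL` if something in bc-gateway consumes the URL form.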
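Review bot: `path "secret/*"` with `read` hands every backend app-id the whole `secret` mount, so any one service — or anyone holding the shared `BACKEND_USER` user-id, which workflow-vault.sh maps to all seven app-ids — can read every other service's `dbusername`/`dbpassword` and the SMTP password; the per-service app-ids then provide no isolation at all. If isolation is the goal, each service needs its own policy limited to `secret/opex-<service>/*` (plus `secret/opex/*` only for the services that actually use the SMTP secret), attached to its own user-id. The `secret/opex/` and `secret/opex-wallet/` entries are already covered by `secret/*`, and `kv/*` matches no mount the bootstrap script enables (the KV engine is mounted at `secret`), so both can be dropped or a comment should say why they exist.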
@@ -0,0 +1,27 @@ +path "kv/*" { + capabilities = ["create", "read", "update", "delete", "list"] +} + +path "secret/*" { + capabilities = ["create", "read", "update", "delete", "list"] +} + +path "secret/opex/" { + capabilities = ["create", "read", "update", "delete", "list"] +} + +path "secret/opex-wallet/" { + capabilities = ["create", "read", "update", "delete", "list"] +} + + +path "sys/mounts" { + capabilities = ["create", "read", "update", "delete", "list"] +} + +path "sys/auth" { + capabilities = ["create", "read", "update", "delete", "list"] +} + + + diff --git a/Deployment/vault/config/vault.json b/Deployment/vault/config/vault.json new file mode 100644 index 000000000..105035688 --- /dev/null +++ b/Deployment/vault/config/vault.json @@ -0,0 +1,16 @@ +{ + "listener": { + "tcp": { + "address": "0.0.0.0:8200", + "tls_disable": "true" + } + }, + "backend": { + "file": { + "path": "/vault/file" + } + }, + "default_lease_ttl": "168h", + "max_lease_ttl": "0h", + "api_addr": "http://0.0.0.0:8200" +} \ No newline at end of file diff --git a/Deployment/vault/config/workflow-vault.sh b/Deployment/vault/config/workflow-vault.sh new file mode 100755 index 000000000..b877919dd --- /dev/null +++ b/Deployment/vault/config/workflow-vault.sh 
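Review bot: Granting `create`, `update` and `delete` on `sys/mounts` and `sys/auth` lets the `admin` userpass account enable or disable auth methods and mount or unmount secret engines, which is effectively administrative control of this Vault, reachable through the `vault-ui` service with a password that workflow-vault.sh also echoes to the container log. If the panel only needs to manage secrets, keep `secret/*` and reduce both `sys/` paths to `capabilities = ["read", "list"]`; if mount administration is really intended, a comment in the file should say so. As in backend-policy.hcl, `secret/opex/` and `secret/opex-wallet/` are subsumed by `secret/*` and `kv/*` matches no enabled mount.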
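Review bot: `"tls_disable": "true"` together with `"address": "0.0.0.0:8200"` means the app-id user-id, the root token used by workflow-vault.sh and every secret read cross the compose network in plaintext; the host port is bound to 127.0.0.1 in the compose files, so the exposure is to other containers on the same network rather than the host's peers. That is defensible for the dev stack only, and since JSON cannot carry a comment it should be stated in the README or next to the `vault:` service, with TLS expected for the `runtime` deployment. `"max_lease_ttl": "0h"` looks intended as "no limit"; I believe Vault treats 0 as "use the built-in default" rather than unlimited, so confirm the intent and set an explicit value.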
@@ -0,0 +1,87 @@
+#!/bin/sh
+vault server -config /vault/config/vault.json &
+
+## Export values
+export VAULT_ADDR='http://0.0.0.0:8200'
+export VAULT_SKIP_VERIFY='true'
+
+#
+sleep 10
+
+if [ ! -f /vault/file/generated_keys.txt ]; then
+ echo "Vault init"
+ vault operator init > /vault/file/generated_keys.txt
+fi
+echo "Generated Keys:"
+cat /vault/file/generated_keys.txt
+## Parse unsealed keys
+(grep "Unseal Key " < /vault/file/generated_keys.txt | cut -c15-) > /vault/file/keys.txt
+
+echo "Keys:"
+cat /vault/file/keys.txt
+
+while IFS= read -r line; do
+ echo "Key read from file: $line"
+ vault operator unseal $line
+done < /vault/file/keys.txt
+#
+## Get root token
+(grep "Initial Root Token: " < /vault/file/generated_keys.txt | cut -c21-) > /vault/file/tokens.txt
+while IFS= read -r line; do
+ echo "Root token read from file: $line"
+ export VAULT_TOKEN=${line}
+done < /vault/file/tokens.txt
+## Enable kv
+echo 'enable kv'
+vault secrets enable -path=secret -version=1 kv
+## Enable userpass and add default user
+echo 'enable userpass and add default user'
+vault auth enable userpass
+echo 'enable panel policies'
+vault policy write panel-policy /vault/config/panel-policy.hcl
+echo 'set password '
+echo ${PANEL_PASS}
+vault write auth/userpass/users/admin password=${PANEL_PASS} policies=panel-policy
+echo 'check login user/pass'
+vault login -method=userpass username=admin password=${PANEL_PASS}
+
+echo 'enable appid and add default user-id'
+vault auth enable app-id
+echo 'enable backend policies'
+vault policy write backend-policy /vault/config/backend-policy.hcl
+echo 'enable backend apps'
+vault write auth/app-id/map/app-id/opex-accountant value=backend-policy display_name=opex-accountant
+vault write auth/app-id/map/app-id/opex-api value=backend-policy display_name=opex-api
+vault write auth/app-id/map/app-id/opex-bc-gateway value=backend-policy display_name=opex-bc-gateway
+vault write auth/app-id/map/app-id/opex-eventlog value=backend-policy display_name=opex-eventlog
+vault write auth/app-id/map/app-id/opex-auth value=backend-policy display_name=opex-auth
+vault write auth/app-id/map/app-id/opex-wallet value=backend-policy display_name=opex-wallet
+vault write auth/app-id/map/app-id/opex-websocket value=backend-policy display_name=opex-websocket
+echo 'enable user-id'
+vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway
+echo 'check login appid'
+vault write auth/app-id/login/opex-accountant user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-api user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-bc-gateway user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-eventlog user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-auth user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-wallet user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-websocket user_id=${BACKEND_USER}
+
+#
+## Add secret values
+echo 'put key/value'
+vault kv put secret/opex smtppass=${SMTP_PASS}
+vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS}
+
+
+# Keep alive
+while pidof vault >/dev/null; do
+ sleep 10
+done
diff --git a/Jenkins/Jenkinsfile.deploy.dev.groovy b/Jenkins/Jenkinsfile.deploy.dev.groovy
index 4c78c89b0..9bf2e971e 100644
--- a/Jenkins/Jenkinsfile.deploy.dev.groovy
+++ b/Jenkins/Jenkinsfile.deploy.dev.groovy
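Review bot: `echo ${PANEL_PASS}`, `cat /vault/file/generated_keys.txt`, `cat /vault/file/keys.txt` and the two `echo "... read from file: $line"` lines write the admin password, all unseal keys and the root token to the container's stdout, i.e. to `docker logs` and any log shipper attached to it; delete those lines, and note that `vault login ...` and the seven `vault write auth/app-id/login/...` "check" calls print freshly issued client tokens the same way. The unseal keys and root token are also kept in plaintext in `generated_keys.txt`, `keys.txt` and `tokens.txt` on the very volume (`$DATA/vault`) that holds the sealed storage, so the seal protects nothing against anyone who can read that directory; at minimum revoke the root token once bootstrap is done (`vault token revoke -self` at the end of the setup) and keep the keys outside the data volume. `vault auth enable app-id` enables a method Vault has deprecated in favour of AppRole, and the single `${BACKEND_USER}` user-id mapped to all seven app-ids gives every service the same identity, which should be called out in a comment if it is deliberate. The script has no `set -e` and waits a fixed `sleep 10`, so a step that fails because the server is not yet listening is skipped silently while the keep-alive loop keeps the container up.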
@@ -15,6 +15,11 @@ pipeline { stage('Deliver') { environment { DATA = '/var/opex/runtime-dev' + PANEL_PASS = credentials("v-panel-secret-dev") + BACKEND_USER = credentials("v-backend-secret-dev") + SMTP_PASS= credentials("smtp-secret-dev") + DB_USER='opex' + DB_PASS=credentials("db-secret-dev") } steps { dir("Deployment") { diff --git a/Jenkins/Jenkinsfile.deploy.groovy b/Jenkins/Jenkinsfile.deploy.groovy index f4ce7d7fb..4bd2c3d57 100644 --- a/Jenkins/Jenkinsfile.deploy.groovy +++ b/Jenkins/Jenkinsfile.deploy.groovy @@ -15,6 +15,11 @@ pipeline { stage('Deliver') { environment { DATA = '/var/opex/runtime' + PANEL_PASS = credentials("v-panel-secret") + BACKEND_USER = credentials("v-backend-secret") + SMTP_PASS= credentials("smtp-secret") + DB_USER='opex' + DB_PASS=credentials("db-secret") } steps { dir("Deployment") { diff --git a/accountant/accountant-app/pom.xml b/accountant/accountant-app/pom.xml index aeb891bef..7f6034024 100644 --- a/accountant/accountant-app/pom.xml +++ b/accountant/accountant-app/pom.xml @@ -55,6 +55,10 @@ co.nilin.opex.utility.log logging-handler + + org.springframework.cloud + spring-cloud-starter-vault-config + diff --git a/accountant/accountant-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/accountant/accountant-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt new file mode 100644 index 000000000..e9efaf92a --- /dev/null +++ b/accountant/accountant-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt @@ -0,0 +1,9 @@ +package co.nilin.opex.util.vault + +import org.springframework.vault.authentication.AppIdUserIdMechanism + +class VaultUserIdMechanism() : AppIdUserIdMechanism { + override fun createUserId(): String { + return System.getenv("BACKEND_USER") + } +} \ No newline at end of file diff --git a/accountant/accountant-app/src/main/resources/application-docker.yml b/accountant/accountant-app/src/main/resources/application-docker.yml index 09d0ed7da..c2befb6e8 100644 
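Review bot: `createUserId()` returns `System.getenv("BACKEND_USER")`, a platform type, from a function declared to return non-null `String`; when the variable is unset this surfaces as a NullPointerException thrown from `createUserId` during the AppId login rather than a message naming the missing variable. Prefer `return System.getenv("BACKEND_USER") ?: error("BACKEND_USER is not set")`. The same nine-line class is copied verbatim into api, bc-gateway (that copy has a stray trailing `;`), eventlog, keycloak-gateway, wallet and websocket; a shared utility module would keep the seven copies from drifting.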
--- a/accountant/accountant-app/src/main/resources/application-docker.yml +++ b/accountant/accountant-app/src/main/resources/application-docker.yml @@ -5,9 +5,11 @@ spring: host: ${REDIS_HOST} r2dbc: url: r2dbc:postgresql://${DB_IP_PORT}/opex_accountant - username: opex - password: hiopex + username: ${dbusername} + password: ${dbpassword} cloud: + vault: + host: ${VAULT_HOST} consul: host: ${CONSUL_HOST} main: diff --git a/accountant/accountant-app/src/main/resources/application-local.yml b/accountant/accountant-app/src/main/resources/application-local.yml new file mode 100644 index 000000000..a8a44da5c --- /dev/null +++ b/accountant/accountant-app/src/main/resources/application-local.yml @@ -0,0 +1,5 @@ +spring: + r2dbc: + url: r2dbc:postgresql://localhost:5433/opex_accountant + username: ${dbusername} + password: ${dbpassword} \ No newline at end of file diff --git a/accountant/accountant-app/src/main/resources/application.yml b/accountant/accountant-app/src/main/resources/application.yml index 0f55f14e7..8ff1a51dd 100644 --- a/accountant/accountant-app/src/main/resources/application.yml +++ b/accountant/accountant-app/src/main/resources/application.yml @@ -24,6 +24,19 @@ spring: cloud: bootstrap: enabled: true + vault: + host: localhost + port: 8200 + scheme: http + authentication: APPID + app-id: + user-id: co.nilin.opex.util.vault.VaultUserIdMechanism + fail-fast: true + kv: + enabled: true + backend: secret + profile-separator: '/' + application-name: ${spring.application.name} consul: port: 8500 discovery: @@ -31,6 +44,8 @@ spring: instance-id: ${spring.application.name}:${server.port} healthCheckInterval: 20s prefer-ip-address: true + config: + import: vault://secret/${spring.application.name} app: coin: nln address: 1 diff --git a/accountant/accountant-ports/accountant-wallet-proxy/pom.xml b/accountant/accountant-ports/accountant-wallet-proxy/pom.xml index a426e9a29..b6018c730 100644 --- a/accountant/accountant-ports/accountant-wallet-proxy/pom.xml 
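Review bot: With `spring.cloud.bootstrap.enabled: true` and `spring.cloud.vault.kv.enabled: true`, Spring Cloud Vault's bootstrap property source presumably already reads `secret/${spring.application.name}` (and the profile paths built with `profile-separator: '/'`), so the added `spring.config.import: vault://secret/${spring.application.name}` appears to fetch the same path a second time — confirm which mechanism is intended and keep one; the api, bc-gateway and eventlog application.yml hunks repeat the same pair. `host: localhost` and `scheme: http` in the base profile also mean every deployment profile must override `host`; a one-line comment on `vault:` such as `# host is overridden per profile (docker: ${VAULT_HOST}); plaintext HTTP is dev-only` would help the next reader.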
+++ b/accountant/accountant-ports/accountant-wallet-proxy/pom.xml @@ -84,16 +84,4 @@ https://repo.spring.io/milestone - - - - - org.springframework.cloud - spring-cloud-dependencies - ${spring-cloud.version} - pom - import - - - diff --git a/accountant/pom.xml b/accountant/pom.xml index 7714383c5..c60d9c6c1 100644 --- a/accountant/pom.xml +++ b/accountant/pom.xml @@ -73,6 +73,13 @@ logging-handler ${project.version} + + org.springframework.cloud + spring-cloud-dependencies + ${spring-cloud.version} + pom + import + diff --git a/api/api-app/pom.xml b/api/api-app/pom.xml index e60b9784b..00529ca01 100644 --- a/api/api-app/pom.xml +++ b/api/api-app/pom.xml @@ -64,6 +64,10 @@ springfox-boot-starter 3.0.0 + + org.springframework.cloud + spring-cloud-starter-vault-config + diff --git a/api/api-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/api/api-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt new file mode 100644 index 000000000..e9efaf92a --- /dev/null +++ b/api/api-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt @@ -0,0 +1,9 @@ +package co.nilin.opex.util.vault + +import org.springframework.vault.authentication.AppIdUserIdMechanism + +class VaultUserIdMechanism() : AppIdUserIdMechanism { + override fun createUserId(): String { + return System.getenv("BACKEND_USER") + } +} \ No newline at end of file diff --git a/api/api-app/src/main/resources/application-docker.yml b/api/api-app/src/main/resources/application-docker.yml index f44d7c4f5..fa49707cd 100644 --- a/api/api-app/src/main/resources/application-docker.yml +++ b/api/api-app/src/main/resources/application-docker.yml @@ -5,9 +5,11 @@ spring: host: ${REDIS_HOST} r2dbc: url: r2dbc:postgresql://${DB_IP_PORT}/opex_api - username: opex - password: hiopex + username: ${dbusername} + password: ${dbpassword} cloud: + vault: + host: ${VAULT_HOST} consul: host: ${CONSUL_HOST} port: 8500 
diff --git a/api/api-app/src/main/resources/application-local.yml b/api/api-app/src/main/resources/application-local.yml new file mode 100644 index 000000000..902453ec5 --- /dev/null +++ b/api/api-app/src/main/resources/application-local.yml @@ -0,0 +1,5 @@ +spring: + r2dbc: + url: r2dbc:postgresql://localhost:5437/opex_api + username: ${dbusername} + password: ${dbpassword} \ No newline at end of file diff --git a/api/api-app/src/main/resources/application.yml b/api/api-app/src/main/resources/application.yml index 18b0ec091..aa3103dae 100644 --- a/api/api-app/src/main/resources/application.yml +++ b/api/api-app/src/main/resources/application.yml @@ -24,6 +24,19 @@ spring: cloud: bootstrap: enabled: true + vault: + host: localhost + port: 8200 + scheme: http + authentication: APPID + app-id: + user-id: co.nilin.opex.util.vault.VaultUserIdMechanism + fail-fast: true + kv: + enabled: true + backend: secret + profile-separator: '/' + application-name: ${spring.application.name} consul: port: 8500 discovery: @@ -31,7 +44,8 @@ spring: instance-id: ${spring.application.name}:${server.port} healthCheckInterval: 20s prefer-ip-address: true - + config: + import: vault://secret/${spring.application.name} app: accountant: url: lb://opex-accountant diff --git a/api/api-ports/api-binance-rest/pom.xml b/api/api-ports/api-binance-rest/pom.xml index 413465dd8..ccd19b414 100644 --- a/api/api-ports/api-binance-rest/pom.xml +++ b/api/api-ports/api-binance-rest/pom.xml @@ -111,15 +111,5 @@ - - - - org.springframework.cloud - spring-cloud-dependencies - ${spring-cloud.version} - pom - import - - - + diff --git a/api/pom.xml b/api/pom.xml index d5b6f4589..baf80f4cb 100644 --- a/api/pom.xml +++ b/api/pom.xml @@ -77,6 +77,13 @@ interceptors ${project.version} + + org.springframework.cloud + spring-cloud-dependencies + ${spring-cloud.version} + pom + import + diff --git a/bc-gateway/bc-gateway-app/pom.xml b/bc-gateway/bc-gateway-app/pom.xml index 5f92a0274..33b85f648 100644 
--- a/bc-gateway/bc-gateway-app/pom.xml +++ b/bc-gateway/bc-gateway-app/pom.xml @@ -87,6 +87,10 @@ springfox-boot-starter 3.0.0 + + org.springframework.cloud + spring-cloud-starter-vault-config + diff --git a/bc-gateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/bc-gateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt new file mode 100644 index 000000000..f39bf4a89 --- /dev/null +++ b/bc-gateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt @@ -0,0 +1,9 @@ +package co.nilin.opex.util.vault + +import org.springframework.vault.authentication.AppIdUserIdMechanism + +class VaultUserIdMechanism() : AppIdUserIdMechanism { + override fun createUserId(): String { + return System.getenv("BACKEND_USER"); + } +} \ No newline at end of file diff --git a/bc-gateway/bc-gateway-app/src/main/resources/application-docker.yml b/bc-gateway/bc-gateway-app/src/main/resources/application-docker.yml index 518840557..81b423781 100644 --- a/bc-gateway/bc-gateway-app/src/main/resources/application-docker.yml +++ b/bc-gateway/bc-gateway-app/src/main/resources/application-docker.yml @@ -9,10 +9,12 @@ spring: port: 6379 r2dbc: url: r2dbc:postgresql://${DB_IP_PORT}/opex_bc_gateway - username: opex - password: hiopex + username: ${dbusername} + password: ${dbpassword} initialization-mode: always cloud: + vault: + host: ${VAULT_HOST} consul: host: ${CONSUL_HOST} port: 8500 diff --git a/bc-gateway/bc-gateway-app/src/main/resources/application-local.yml b/bc-gateway/bc-gateway-app/src/main/resources/application-local.yml new file mode 100644 index 000000000..9a23fc38c --- /dev/null +++ b/bc-gateway/bc-gateway-app/src/main/resources/application-local.yml @@ -0,0 +1,8 @@ +spring: + r2dbc: + url: r2dbc:postgresql://localhost:5438/opex_bc_gateway + username: ${dbusername} + password: ${dbpassword} + cloud: + consul: + host: localhost \ No newline at end of file 
diff --git a/bc-gateway/bc-gateway-app/src/main/resources/application.yml b/bc-gateway/bc-gateway-app/src/main/resources/application.yml index 11af09b06..19fc15ebe 100644 --- a/bc-gateway/bc-gateway-app/src/main/resources/application.yml +++ b/bc-gateway/bc-gateway-app/src/main/resources/application.yml @@ -19,6 +19,19 @@ spring: cloud: bootstrap: enabled: true + vault: + host: localhost + port: 8200 + scheme: http + authentication: APPID + app-id: + user-id: co.nilin.opex.util.vault.VaultUserIdMechanism + fail-fast: true + kv: + enabled: true + backend: secret + profile-separator: '/' + application-name: ${spring.application.name} consul: port: 8500 discovery: @@ -26,6 +39,8 @@ spring: instance-id: ${spring.application.name}:${server.port} healthCheckInterval: 20s prefer-ip-address: true + config: + import: vault://secret/${spring.application.name} logging: level: org.apache.kafka: DEBUG diff --git a/eventlog/eventlog-app/pom.xml b/eventlog/eventlog-app/pom.xml index 88084c14c..8d35db91e 100644 --- a/eventlog/eventlog-app/pom.xml +++ b/eventlog/eventlog-app/pom.xml @@ -47,8 +47,24 @@ co.nilin.opex.eventlog.ports.postgres eventlog-persister-postgres + + org.springframework.cloud + spring-cloud-starter-vault-config + + + + + org.springframework.cloud + spring-cloud-dependencies + ${spring-cloud.version} + pom + import + + + + diff --git a/eventlog/eventlog-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/eventlog/eventlog-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt new file mode 100644 index 000000000..e9efaf92a --- /dev/null +++ b/eventlog/eventlog-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt @@ -0,0 +1,9 @@ +package co.nilin.opex.util.vault + +import org.springframework.vault.authentication.AppIdUserIdMechanism + +class VaultUserIdMechanism() : AppIdUserIdMechanism { + override fun createUserId(): String { + return System.getenv("BACKEND_USER") + } +} \ No newline at end of file 
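Review bot: eventlog-app/pom.xml pulls the `spring-cloud-dependencies` BOM into the module's own dependency management, whereas this same commit moves that import out of accountant-wallet-proxy and api-binance-rest into the aggregator poms (accountant/pom.xml, api/pom.xml). For consistency, put the import in the eventlog aggregator pom (if one exists, as for accountant and api) and leave only the `spring-cloud-starter-vault-config` dependency here; otherwise `${spring-cloud.version}` has to be kept in sync in two places. The XML element names are stripped in this view, so the exact placement is inferred from the diffstat and the surrounding text.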
diff --git a/eventlog/eventlog-app/src/main/resources/application-docker.yml b/eventlog/eventlog-app/src/main/resources/application-docker.yml index 5055b1c51..6507116a0 100644 --- a/eventlog/eventlog-app/src/main/resources/application-docker.yml +++ b/eventlog/eventlog-app/src/main/resources/application-docker.yml @@ -6,6 +6,9 @@ spring: group-id: eventlog r2dbc: url: r2dbc:postgresql://${DB_IP_PORT}/opex_eventlog - username: opex - password: hiopex - initialization-mode: always \ No newline at end of file + username: ${dbusername} + password: ${dbpassword} + initialization-mode: always + cloud: + vault: + host: ${VAULT_HOST} \ No newline at end of file diff --git a/eventlog/eventlog-app/src/main/resources/application-local.yml b/eventlog/eventlog-app/src/main/resources/application-local.yml new file mode 100644 index 000000000..a8582114d --- /dev/null +++ b/eventlog/eventlog-app/src/main/resources/application-local.yml @@ -0,0 +1,9 @@ +spring: + r2dbc: + url: r2dbc:postgresql://localhost:5434/opex_eventlog + username: ${dbusername} + password: ${dbpassword} + initialization-mode: always + cloud: + consul: + host: localhost \ No newline at end of file diff --git a/eventlog/eventlog-app/src/main/resources/application.yml b/eventlog/eventlog-app/src/main/resources/application.yml index 025ceaf4a..86b56d4eb 100644 --- a/eventlog/eventlog-app/src/main/resources/application.yml +++ b/eventlog/eventlog-app/src/main/resources/application.yml @@ -1,5 +1,7 @@ server.port: 8090 spring: + application: + name: opex-eventlog main: allow-circular-references: true kafka: 
@@ -10,4 +12,20 @@ spring: url: r2dbc:postgresql://localhost/opex_eventlog username: opex password: hiopex - initialization-mode: always \ No newline at end of file + initialization-mode: always + cloud: + vault: + host: localhost + port: 8200 + scheme: http + authentication: APPID + app-id: + user-id: co.nilin.opex.util.vault.VaultUserIdMechanism + fail-fast: true + kv: + enabled: true + backend: secret + profile-separator: '/' + application-name: ${spring.application.name} + config: + import: vault://secret/${spring.application.name} \ No newline at end of file diff --git a/user-management/keycloak-gateway/pom.xml b/user-management/keycloak-gateway/pom.xml index a833d881c..f80f1048f 100644 --- a/user-management/keycloak-gateway/pom.xml +++ b/user-management/keycloak-gateway/pom.xml @@ -85,6 +85,20 @@ org.springframework.kafka spring-kafka + + org.springframework.cloud + spring-cloud-starter-vault-config + + org.springframework.kafka spring-kafka-test diff --git a/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProvider.java b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProvider.java new file mode 100644 index 000000000..735858fef --- /dev/null +++ b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProvider.java 
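Review bot: The default profile still carries `username: opex` / `password: hiopex` as context lines directly above the added `vault:` block, so eventlog keeps a checked-in database password while its docker and local profiles in this commit read `${dbusername}` / `${dbpassword}`; since the base profile now also sets `fail-fast: true`, any run of the default profile needs Vault anyway and the hard-coded pair only survives as a leak. Replace the two lines with `username: ${dbusername}` and `password: ${dbpassword}` here as well, as the docker and local profiles already do.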
@@ -0,0 +1,52 @@
+package co.nilin.opex.auth.gateway.extension;
+
+import org.jboss.logging.Logger;
+import org.keycloak.vault.DefaultVaultRawSecret;
+import org.keycloak.vault.VaultProvider;
+import org.keycloak.vault.VaultRawSecret;
+
+import java.util.Optional;
+
+/**
+ * HashicorpVaultProviderFactory
+ */
+public class HashicorpVaultProvider implements VaultProvider {
+ private static final Logger logger = Logger.getLogger(HashicorpVaultProviderFactory.class);
+
+ private String vaultUrl;
+ private String vaultAppId;
+ private String vaultUserId;
+ private String realmName;
+ private String vaultSecretEngineName;
+ private VaultService service;
+
+ @Override
+ public VaultRawSecret obtainSecret(String vaultSecretId) {
+ int secretVersion = 0;
+ String vaultSecretName = vaultSecretId;
+ if (vaultSecretId.contains(":")) {
+ try {
+ secretVersion = Integer.parseInt(vaultSecretId.substring(vaultSecretId.lastIndexOf(":") + 1));
+ vaultSecretName = vaultSecretId.substring(0, vaultSecretId.lastIndexOf(":"));
+ } catch (NumberFormatException e) {
+ logger.error("last string after : is expected to be the version number");
+ }
+ }
+
+ return DefaultVaultRawSecret.forBuffer(Optional.of(service.getSecretFromVault(vaultUrl, realmName, vaultSecretEngineName, vaultSecretName, vaultAppId, vaultUserId, secretVersion)));
+ }
+
+ @Override
+ public void close() {
+ }
+
+ public HashicorpVaultProvider(String vaultUrl, String vaultAppId, String vaultUserId, String realmName, String vaultSecretEngineName, VaultService service) {
+ this.vaultUrl = vaultUrl;
+ this.vaultAppId = vaultAppId;
+ this.vaultUserId = vaultUserId;
+ this.realmName = realmName;
+ this.vaultSecretEngineName = vaultSecretEngineName;
+ this.service = service;
+ }
+
+}
\ No newline at end of file
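Review bot: `Optional.of(...)` on the return line of `obtainSecret` throws NullPointerException whenever `VaultService.getSecretFromVault` returns null, which it does on any IOException, so a Vault outage surfaces to Keycloak as an NPE instead of an empty secret; use `Optional.ofNullable(...)` there. The logger on the first field line is created for `HashicorpVaultProviderFactory.class` rather than this class, so its log lines are attributed to the factory, and the class Javadoc repeats the factory's name instead of describing this provider. When the `:version` suffix fails to parse, the error is logged but the raw id (colon included) is then used as the secret name; returning an empty secret, or rethrowing, would be clearer than continuing with a name the caller did not intend.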
diff --git a/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProviderFactory.java b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProviderFactory.java new file mode 100644 index 000000000..c546f1646 --- /dev/null +++ b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/HashicorpVaultProviderFactory.java 
@@ -0,0 +1,76 @@
+package co.nilin.opex.auth.gateway.extension;
+
+import org.jboss.logging.Logger;
+import org.keycloak.Config.Scope;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.vault.VaultNotFoundException;
+import org.keycloak.vault.VaultProvider;
+import org.keycloak.vault.VaultProviderFactory;
+
+public class HashicorpVaultProviderFactory implements VaultProviderFactory {
+ private static final Logger logger = Logger.getLogger(HashicorpVaultProviderFactory.class);
+
+ public static final String PROVIDER_ID = "hachicorp-vault";
+
+ private String vaultAppId;
+ private String vaultUserId;
+ private String vaultUrl;
+ private String vaultSecretEngineName;
+
+ @Override
+ public VaultProvider create(KeycloakSession session) {
+ VaultService service = new VaultService(session);
+ if (!service.isVaultAvailable(vaultUrl, vaultAppId, vaultUserId)) {
+ logger.error("Vault unavailable : " + vaultUrl);
+ throw new VaultNotFoundException("Vault unavailable : " + vaultUrl);
+ } else {
+ logger.info("Vault available : " + vaultUrl);
+ }
+ return new HashicorpVaultProvider(vaultUrl, vaultAppId, vaultUserId, session.getContext().getRealm().getName(), vaultSecretEngineName, service);
+
+ }
+
+ private static String format(String url) {
+ if (!(url.charAt(url.length() - 1) == '/')) {
+ return url.concat("/");
+ } else {
+ return url;
+ }
+ }
+
+ @Override
+ public void init(Scope config) {
+ if (System.getenv("BACKEND_APP") != null) {
+ vaultAppId = System.getenv("BACKEND_APP");
+ } else {
+ vaultAppId = config.get("appId");
+ }
+ if (System.getenv("BACKEND_USER") != null) {
+ vaultUserId = System.getenv("BACKEND_USER");
+ } else {
+ vaultUserId = config.get("userId");
+ }
+ vaultUrl = config.get("url") != null ?
format(config.get("url")) : null;
+ vaultSecretEngineName = config.get("engine-name");
+ logger.info("Init Hashicorp: " + vaultUrl);
+ }
+
+ @Override
+ public void postInit(KeycloakSessionFactory factory) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void close() {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public String getId() {
+ return PROVIDER_ID;
+ }
+
+}
diff --git a/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/VaultService.java b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/VaultService.java
new file mode 100644
index 000000000..d6fe61a78
--- /dev/null
+++ b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/auth/gateway/extension/VaultService.java
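Review bot: `init` leaves `vaultUrl`, `vaultAppId` and `vaultUserId` null when neither the environment variable nor the `url`/`appId`/`userId` config entry is present, and the failure only shows up later in `create` as `Vault unavailable : null` after an HTTP call to `nullv1/sys/health`; validate at the end of `init`, e.g. `if (vaultUrl == null || vaultAppId == null || vaultUserId == null) throw new IllegalStateException("hashicorp vault provider needs url, appId and userId");`. `format` also throws StringIndexOutOfBoundsException on an empty `url` (`url.charAt(url.length() - 1)`), so an empty string should be treated as missing as well. `PROVIDER_ID` is spelled `hachicorp-vault` and keycloak-server.json mirrors the spelling, so the typo is now part of the configuration contract and a rename has to touch both places at once. Finally, `create` performs a live `sys/health` round-trip every time it runs; if Keycloak calls it once per session that is one extra HTTP request per incoming request, so caching the availability result for a short interval may be worth considering.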
@@ -0,0 +1,60 @@
+package co.nilin.opex.auth.gateway.extension;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.JsonNode;
+import org.jboss.logging.Logger;
+import org.keycloak.broker.provider.util.SimpleHttp;
+import org.keycloak.models.KeycloakSession;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+
+/**
+ * VaultService
+ */
+public class VaultService {
+
+ private final KeycloakSession session;
+ private static final Logger logger = Logger.getLogger(VaultService.class);
+
+ public VaultService(KeycloakSession session) {
+ this.session = session;
+ }
+
+ static class UserId {
+ @JsonProperty("user_id")
+ public String userId;
+
+ public UserId(String userId) {
+ this.userId = userId;
+ }
+ }
+
+ public ByteBuffer getSecretFromVault(String vaultUrl, String realm, String vaultSecretEngineName, String secretName, String vaultAppId, String vaultUserId, int secretVersion) {
+ try {
+ //curl \ --method POST \ --data '{"user_id": ":user_id"}' \ http://127.0.0.1:8200/v1/auth/app-id/login/:app_id
+ String vaultToken = SimpleHttp.doPost(vaultUrl + "v1//auth/app-id/login/" + vaultAppId, session).json(new UserId(vaultUserId)).asJson().get("auth").get("client_token").textValue();
+ JsonNode node = SimpleHttp.doGet(vaultUrl + "v1/" + vaultSecretEngineName + "/" + realm + "?version=" + secretVersion, session).header("X-Vault-Token", vaultToken).asJson();
+ byte[] secretBytes = node.get("data").get(secretName).textValue().getBytes(StandardCharsets.UTF_8);
+ return ByteBuffer.wrap(secretBytes);
+ } catch (IOException e) {
+ logger.error("secret not available", e);
+ return null;
+ }
+ }
+
+ public boolean isVaultAvailable(String vaultUrl, String vaultAppId, String vaultUserId) {
+ String healthVaultUrl = vaultUrl + "v1/sys/health";
+ try {
+ JsonNode vaultHealthResponseNode = SimpleHttp.doGet(healthVaultUrl, session).asJson();
+ boolean vaultIsInitialized =
vaultHealthResponseNode.get("initialized").asBoolean();
+ boolean vaultIsSealed = vaultHealthResponseNode.get("sealed").asBoolean();
+ return (vaultIsInitialized && !vaultIsSealed);
+ } catch (IOException e) {
+ logger.error("vault service unavailable", e);
+ return false;
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
new file mode 100644
index 000000000..e9efaf92a
--- /dev/null
+++ b/user-management/keycloak-gateway/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+ override fun createUserId(): String {
+ return System.getenv("BACKEND_USER")
+ }
+}
\ No newline at end of file
diff --git a/user-management/keycloak-gateway/src/main/resources/META-INF/keycloak-server.json b/user-management/keycloak-gateway/src/main/resources/META-INF/keycloak-server.json
index 1058fe841..6c6b39cc1 100644
--- a/user-management/keycloak-gateway/src/main/resources/META-INF/keycloak-server.json
+++ b/user-management/keycloak-gateway/src/main/resources/META-INF/keycloak-server.json
@@ -198,9 +198,15 @@
 }
 },
 "vault": {
- "files-plaintext": {
- "dir": "target/dependency/vault",
- "enabled": "${keycloak.vault.files-plaintext.provider.enabled:false}"
+ "provider": "hachicorp-vault",
+ "default": {
+ "enabled": true
+ },
+ "hachicorp-vault": {
+ "url": "${keycloak.hashicorp.url}",
+ "appId": "${spring.application.name}",
+ "engine-name": "secret",
+ "enabled": "${keycloak.vault.files-plaintext.provider.enabled:true}"
 }
 },
 "saml-artifact-resolver": {
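Review bot: The login URL on the `vaultToken` line is `v1//auth/app-id/login/` with a doubled slash, and that line performs a fresh App ID login for every secret lookup, so each `obtainSecret` mints a new Vault token that is never revoked and lives until its TTL; cache the token for its `lease_duration` or revoke it after the read. The response is then read as `data.<secretName>` while `?version=` is a KV v2 parameter, and on a KV v2 mount the values sit under `data.data`, so confirm which engine version is mounted at the configured backend and document it on the method. Only IOException is caught, so a missing key, or a login response without `auth.client_token`, ends in an uncaught NullPointerException instead of the null the provider expects; read with `path()` and guard, e.g. `JsonNode value = node.path("data").path(secretName);` / `if (!value.isTextual()) return null;`. `isVaultAvailable` declares `vaultAppId` and `vaultUserId` but uses neither of them.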
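Review bot: `createUserId` is declared to return a non-null `String`, but `System.getenv("BACKEND_USER")` is a platform type that is null when the variable is unset, so a missing variable surfaces as a NullPointerException inside Spring Vault's authentication rather than as a clear configuration error; `return System.getenv("BACKEND_USER") ?: error("BACKEND_USER is not set")`. This file is added byte-for-byte for the wallet and websocket modules later in the patch (and, per the diffstat, for accountant, api and bc-gateway as well), so one copy in a shared utility module would replace six identical classes. The value is read straight from each service's environment, so if every service is started with the same `BACKEND_USER` the app-id/user-id pair acts as one static credential shared across all of them; a KDoc line stating what the variable is expected to hold and who provisions it would help.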
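Review bot: The `enabled` toggle of the new `hachicorp-vault` entry is still read from `keycloak.vault.files-plaintext.provider.enabled`, the property of the provider this hunk removes, so anyone looking for the switch will search under the wrong name; rename it, for example `"enabled": "${keycloak.vault.hachicorp-vault.provider.enabled:true}"`. `userId` is not configured in this entry at all, so the factory can only obtain it from the `BACKEND_USER` environment variable; an explicit `"userId"` entry backed by a property would make that dependency visible next to `appId` and `url`.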
diff --git a/user-management/keycloak-gateway/src/main/resources/META-INF/services/org.keycloak.vault.VaultProviderFactory b/user-management/keycloak-gateway/src/main/resources/META-INF/services/org.keycloak.vault.VaultProviderFactory new file mode 100644 index 000000000..38186ba6e --- /dev/null +++ b/user-management/keycloak-gateway/src/main/resources/META-INF/services/org.keycloak.vault.VaultProviderFactory @@ -0,0 +1 @@ +co.nilin.opex.auth.gateway.extension.HashicorpVaultProviderFactory \ No newline at end of file diff --git a/user-management/keycloak-gateway/src/main/resources/application-docker.yml b/user-management/keycloak-gateway/src/main/resources/application-docker.yml index f52df428b..3c3eb5f92 100644 --- a/user-management/keycloak-gateway/src/main/resources/application-docker.yml +++ b/user-management/keycloak-gateway/src/main/resources/application-docker.yml @@ -3,9 +3,11 @@ spring: bootstrap-servers: ${KAFKA_IP_PORT} datasource: url: jdbc:postgresql://${DB_IP_PORT}/opex_auth - username: opex - password: hiopex + username: ${dbusername} + password: ${dbpassword} cloud: + vault: + host: ${VAULT_HOST} consul: host: ${CONSUL_HOST} port: 8500 diff --git a/user-management/keycloak-gateway/src/main/resources/application-local.yml b/user-management/keycloak-gateway/src/main/resources/application-local.yml new file mode 100644 index 000000000..95232034a --- /dev/null +++ b/user-management/keycloak-gateway/src/main/resources/application-local.yml @@ -0,0 +1,12 @@ +spring: + kafka: + bootstrap-servers: localhost:9092 + datasource: + url: jdbc:postgresql://127.0.0.1:6435/opex_auth + username: opex + password: hiopex + cloud: + consul: + host: 127.0.0.1 + port: 8500 + diff --git a/user-management/keycloak-gateway/src/main/resources/application.yml b/user-management/keycloak-gateway/src/main/resources/application.yml index db3942635..9f0b97287 100644 --- a/user-management/keycloak-gateway/src/main/resources/application.yml 
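Review bot: The new keycloak-gateway application-local.yml keeps `username: opex` / `password: hiopex` in plain text, while the local profiles added for eventlog, wallet and websocket in this patch read `${dbusername}` / `${dbpassword}` from Vault, and the application-docker.yml hunk just above does the same for this module. Switching the two lines to the placeholders keeps the default database password out of the repository and makes the local profiles consistent with each other. The file also ends with an added empty line that serves no purpose.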
+++ b/user-management/keycloak-gateway/src/main/resources/application.yml
@@ -25,6 +25,19 @@ spring:
 cloud:
 bootstrap:
 enabled: true
+ vault:
+ host: localhost
+ port: 8200
+ scheme: http
+ authentication: APPID
+ app-id:
+ user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
+ fail-fast: true
+ kv:
+ enabled: true
+ backend: secret
+ profile-separator: '/'
+ application-name: ${spring.application.name}
 consul:
 port: 8500
 discovery:
@@ -32,6 +45,8 @@ spring:
 instance-id: ${spring.application.name}:${server.port}
 healthCheckInterval: 20s
 prefer-ip-address: true
+ config:
+ import: vault://secret/${spring.application.name}
 keycloak:
 server:
 contextPath: /auth
@@ -48,3 +63,5 @@ keycloak:
 feature:
 admin_fine_grained_authz: enabled
 token_exchange: enabled
+ hashicorp:
+ url: ${VAULT_URL}
diff --git a/user-management/keycloak-gateway/src/main/resources/opex-master-realm.json b/user-management/keycloak-gateway/src/main/resources/opex-master-realm.json
index 259df44ab..146a5976d 100644
--- a/user-management/keycloak-gateway/src/main/resources/opex-master-realm.json
+++ b/user-management/keycloak-gateway/src/main/resources/opex-master-realm.json
@@ -42,6 +42,6 @@
 "from": "for.demo.purpose.only@opex.dev",
 "auth": true,
 "user": "for.demo.purpose.only@opex.dev",
- "password": "642467973026C6F093FB1E39C4BFC0D15042"
+ "password": "${vault.smtppass}"
 }
 }
\ No newline at end of file
diff --git a/user-management/keycloak-gateway/src/main/resources/opex-realm.json b/user-management/keycloak-gateway/src/main/resources/opex-realm.json
index 791115d4b..86f085983 100644
--- a/user-management/keycloak-gateway/src/main/resources/opex-realm.json
+++ b/user-management/keycloak-gateway/src/main/resources/opex-realm.json
@@ -1974,7 +1974,7 @@
 "strictTransportSecurity": "max-age=31536000; includeSubDomains"
 },
 "smtpServer": {
- "password": "642467973026C6F093FB1E39C4BFC0D15042",
+ "password": "${vault.smtppass}",
 "auth": "true",
 "port": "2525",
 "host": "smtp.elasticemail.com",
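Review bot: The Keycloak provider takes its address from the new `keycloak.hashicorp.url: ${VAULT_URL}` in the last hunk, while the Spring Cloud Vault client in the first hunk is addressed by `host`/`port`/`scheme` (and, in application-docker.yml, by `VAULT_HOST`), so two environment variables now describe the same server and can drift, for example one pointing at a TLS listener and the other staying on `http`. Deriving one from the other keeps a single source of truth: `url: ${spring.cloud.vault.scheme}://${spring.cloud.vault.host}:${spring.cloud.vault.port}/`. The first hunk also enables both `bootstrap.enabled: true` and the `spring.config.import` entry of the second hunk; whether both Vault mechanisms are meant to be active at once is not clear from the file and deserves a comment.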
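Review bot: The SMTP password removed from opex-master-realm.json and opex-realm.json remains in the repository history, so placing it behind `${vault.smtppass}` does not retire it; the value should be rotated at the mail provider and the Vault entry seeded with the new one. If I read `VaultService.getSecretFromVault` correctly, the expression resolves to key `smtppass` under `<engine>/<realm-name>`, so the secret has to exist separately for the `master` realm and for `opex` since both realm files use the same key; a note in the vault setup script would prevent the master realm silently failing to send mail when only one entry is created.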
diff --git a/user-management/pom.xml b/user-management/pom.xml index 6da9f3002..4b9529c91 100644 --- a/user-management/pom.xml +++ b/user-management/pom.xml @@ -10,8 +10,8 @@ - 2.4.4 - 2020.0.2 + 2.4.5 + 2020.0.3 co.nilin.opex.auth diff --git a/wallet/wallet-app/pom.xml b/wallet/wallet-app/pom.xml index 2890168aa..15350d553 100644 --- a/wallet/wallet-app/pom.xml +++ b/wallet/wallet-app/pom.xml @@ -99,6 +99,10 @@ json-smart 2.4.7 + + org.springframework.cloud + spring-cloud-starter-vault-config + diff --git a/wallet/wallet-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/wallet/wallet-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt new file mode 100644 index 000000000..e9efaf92a --- /dev/null +++ b/wallet/wallet-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt @@ -0,0 +1,9 @@ +package co.nilin.opex.util.vault + +import org.springframework.vault.authentication.AppIdUserIdMechanism + +class VaultUserIdMechanism() : AppIdUserIdMechanism { + override fun createUserId(): String { + return System.getenv("BACKEND_USER") + } +} \ No newline at end of file diff --git a/wallet/wallet-app/src/main/resources/application-docker.yml b/wallet/wallet-app/src/main/resources/application-docker.yml index 72129f214..32de0c06b 100644 --- a/wallet/wallet-app/src/main/resources/application-docker.yml +++ b/wallet/wallet-app/src/main/resources/application-docker.yml @@ -9,10 +9,12 @@ spring: port: 6379 r2dbc: url: r2dbc:postgresql://${DB_IP_PORT}/opex_wallet - username: opex - password: hiopex + username: ${dbusername} + password: ${dbpassword} initialization-mode: always cloud: + vault: + host: ${VAULT_HOST} consul: host: ${CONSUL_HOST} port: 8500 diff --git a/wallet/wallet-app/src/main/resources/application-local.yml b/wallet/wallet-app/src/main/resources/application-local.yml new file mode 100644 index 000000000..0d0b0906b --- /dev/null +++ b/wallet/wallet-app/src/main/resources/application-local.yml 
@@ -0,0 +1,12 @@ +server.port: 8091 +spring: + kafka: + bootstrap-servers: localhost:9092 + redis: + host: 127.0.0.1 + port: 6379 + r2dbc: + url: r2dbc:postgresql://127.0.0.1:5436/opex_wallet + username: ${dbusername} + password: ${dbpassword} + initialization-mode: always \ No newline at end of file diff --git a/wallet/wallet-app/src/main/resources/application.yml b/wallet/wallet-app/src/main/resources/application.yml index 6b9be3fff..d89f4c3bf 100644 --- a/wallet/wallet-app/src/main/resources/application.yml +++ b/wallet/wallet-app/src/main/resources/application.yml @@ -20,6 +20,19 @@ spring: cloud: bootstrap: enabled: true + vault: + host: localhost + port: 8200 + scheme: http + authentication: APPID + app-id: + user-id: co.nilin.opex.util.vault.VaultUserIdMechanism + fail-fast: true + kv: + enabled: true + backend: secret + profile-separator: '/' + application-name: ${spring.application.name} consul: port: 8500 discovery: @@ -27,6 +40,8 @@ spring: instance-id: ${spring.application.name}:${server.port} healthCheckInterval: 20s prefer-ip-address: true + config: + import: vault://secret/${spring.application.name} app: gift: symbol: usdt diff --git a/websocket/websocket-app/pom.xml b/websocket/websocket-app/pom.xml index 16228b9ed..e64616340 100644 --- a/websocket/websocket-app/pom.xml +++ b/websocket/websocket-app/pom.xml @@ -71,6 +71,10 @@ co.nilin.opex.websocket.ports.postgres websocket-persister-postgres + + org.springframework.cloud + spring-cloud-starter-vault-config + io.projectreactor reactor-test diff --git a/websocket/websocket-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/websocket/websocket-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt new file mode 100644 index 000000000..e9efaf92a --- /dev/null +++ b/websocket/websocket-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt 
@@ -0,0 +1,9 @@ +package co.nilin.opex.util.vault + +import org.springframework.vault.authentication.AppIdUserIdMechanism + +class VaultUserIdMechanism() : AppIdUserIdMechanism { + override fun createUserId(): String { + return System.getenv("BACKEND_USER") + } +} \ No newline at end of file diff --git a/websocket/websocket-app/src/main/resources/application-docker.yml b/websocket/websocket-app/src/main/resources/application-docker.yml index b1d77a0de..1125c565d 100644 --- a/websocket/websocket-app/src/main/resources/application-docker.yml +++ b/websocket/websocket-app/src/main/resources/application-docker.yml @@ -5,9 +5,11 @@ spring: host: ${REDIS_HOST} r2dbc: url: r2dbc:postgresql://${DB_IP_PORT}/opex_api - username: opex - password: hiopex + username: ${dbusername} + password: ${dbpassword} cloud: + vault: + host: ${VAULT_HOST} consul: host: ${CONSUL_HOST} port: 8500 diff --git a/websocket/websocket-app/src/main/resources/application-local.yml b/websocket/websocket-app/src/main/resources/application-local.yml new file mode 100644 index 000000000..902453ec5 --- /dev/null +++ b/websocket/websocket-app/src/main/resources/application-local.yml @@ -0,0 +1,5 @@ +spring: + r2dbc: + url: r2dbc:postgresql://localhost:5437/opex_api + username: ${dbusername} + password: ${dbpassword} \ No newline at end of file diff --git a/websocket/websocket-app/src/main/resources/application.yml b/websocket/websocket-app/src/main/resources/application.yml index a7a77a392..147c26f04 100644 --- a/websocket/websocket-app/src/main/resources/application.yml +++ b/websocket/websocket-app/src/main/resources/application.yml 
@@ -18,12 +18,27 @@ spring: cloud: bootstrap: enabled: true + vault: + host: localhost + port: 8200 + scheme: http + authentication: APPID + app-id: + user-id: co.nilin.opex.util.vault.VaultUserIdMechanism + fail-fast: true + kv: + enabled: true + backend: secret + profile-separator: '/' + application-name: ${spring.application.name} consul: port: 8500 discovery: instance-id: ${spring.application.name}:${server.port} healthCheckInterval: 20s prefer-ip-address: true + config: + import: vault://secret/${spring.application.name} app: auth: cert-url: http://localhost:8083/auth/realms/opex/protocol/openid-connect/certs \ No newline at end of file From 945133336dc35da0163ec139749ed8294b7ff5bc Mon Sep 17 00:00:00 2001 From: maryarm Date: Sat, 5 Feb 2022 09:39:54 +0100 Subject: [PATCH 2/2] #189: A bit cleaning in the configs to remove useless files/redundant variables --- Deployment/docker-compose-vault.yml | 33 ----------------------------- Deployment/docker-compose.yml | 2 -- 2 files changed, 35 deletions(-) delete mode 100644 Deployment/docker-compose-vault.yml diff --git a/Deployment/docker-compose-vault.yml b/Deployment/docker-compose-vault.yml deleted file mode 100644 index eba60f09d..000000000 --- a/Deployment/docker-compose-vault.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -version: '3.8' -services: - vault: - image: vault - ports: - - "127.0.0.1:8200:8200" - volumes: - - $DATA/vault:/vault/file:rw - - $PWD/vault/config:/vault/config:rw - environment: - - VAULT_ADDR=http://0.0.0.0:8200 - - VAULT_API_ADDR=http://0.0.0.0:8200 - - VAULT_ADDRESS=http://0.0.0.0:8200 - - PANEL_PASS=${PANEL_PASS} - - BACKEND_USER=${BACKEND_USER} - - SMTP_PASS=${SMTP_PASS} - - DB_USER=${DB_USER} - - DB_PASS=${DB_PASS} - healthcheck: - retries: 5 - cap_add: - - IPC_LOCK - entrypoint: /vault/config/workflow-vault.sh - vault-ui: - image: djenriquez/vault-ui - ports: - - "127.0.0.1:8000:8000" - environment: - - VAULT_URL_DEFAULT=http://vault:8200 - - VAULT_AUTH_DEFAULT=USERNAMEPASSWORD -networks: - opex: - driver: bridge diff --git a/Deployment/docker-compose.yml b/Deployment/docker-compose.yml index 6c5ca9479..1765ffe69 100644 --- a/Deployment/docker-compose.yml +++ b/Deployment/docker-compose.yml @@ -75,8 +75,6 @@ services: - $DATA/vault:/vault/file:rw - $PWD/vault/config:/vault/config:rw environment: - - VAULT_ADDR=http://0.0.0.0:8200 - - VAULT_API_ADDR=http://0.0.0.0:8200 - VAULT_ADDRESS=http://0.0.0.0:8200 - PANEL_PASS=${PANEL_PASS} - BACKEND_USER=${BACKEND_USER}