#189: Add Hashicorp Vault as db credential source, smtp password is a…

Deployment/docker-compose.dev.yml

@@ -22,6 +22,16 @@ services:
     environment:
       - KAFKA_LISTENERS=CLIENT://kafka-3:29092,EXTERNAL://kafka-3:9092
       - KAFKA_ADVERTISED_LISTENERS=CLIENT://kafka-3:29092,EXTERNAL://kafka-3:9092
+  vault:
+    ports:
+      - "127.0.0.1:8201:8200"
+    networks:
+      - opex-dev
+  vault-ui:
+    ports:
+      - "127.0.0.1:8001:8000"
+    networks:
+      - opex-dev
   consul:
     ports:
       - '127.0.0.1:8501:8500'

Deployment/docker-compose.override.yml

@@ -13,6 +13,16 @@ services:
   kafka-3:
     networks:
       - opex
+  vault:
+    ports:
+      - "127.0.0.1:8200:8200"
+    networks:
+      - opex
+  vault-ui:
+    ports:
+      - "127.0.0.1:8000:8000"
+    networks:
+      - opex
   consul:
     ports:
       - '127.0.0.1:8500:8500'

Deployment/docker-compose.yml

@@ -69,6 +69,28 @@ services:
     deploy:
       restart_policy:
         condition: on-failure
+  vault:
+    image: vault
+    volumes:
+      - $DATA/vault:/vault/file:rw
+      - $PWD/vault/config:/vault/config:rw
+    environment:
+      - VAULT_ADDRESS=http://0.0.0.0:8200
+      - PANEL_PASS=${PANEL_PASS}
+      - BACKEND_USER=${BACKEND_USER}
+      - SMTP_PASS=${SMTP_PASS}
+      - DB_USER=${DB_USER}
+      - DB_PASS=${DB_PASS}
+    healthcheck:
+      retries: 5
+    cap_add:
+      - IPC_LOCK
+    entrypoint: /vault/config/workflow-vault.sh
+  vault-ui:
+    image: djenriquez/vault-ui
+    environment:
+      - VAULT_URL_DEFAULT=http://vault:8200
+      - VAULT_AUTH_DEFAULT=USERNAMEPASSWORD
   consul:
     image: 'consul'
     environment:
@@ -172,11 +194,14 @@ services:
       - REDIS_HOST=redis
       - CONSUL_HOST=consul
       - DB_IP_PORT=postgres-accountant
+      - BACKEND_USER=${BACKEND_USER}
+      - VAULT_HOST=vault
     depends_on:
       - zookeeper
       - kafka-1
       - redis
       - consul
+      - vault
       - postgres-accountant
   eventlog:
     build:
@@ -189,13 +214,16 @@ services:
       - REDIS_HOST=redis
       - CONSUL_HOST=consul
       - DB_IP_PORT=postgres-eventlog
+      - BACKEND_USER=${BACKEND_USER}
+      - VAULT_HOST=vault
     depends_on:
       - zookeeper
       - kafka-1
       - kafka-2
       - kafka-3
       - redis
       - consul
+      - vault
       - postgres-eventlog
   matching-engine:
     build:
@@ -241,13 +269,17 @@ services:
       - DB_IP_PORT=postgres-auth
       - PROXY_ADDRESS_FORWARDING=true
       - WORKING_DIR=$DATA
+      - BACKEND_USER=${BACKEND_USER}
+      - VAULT_URL=http://vault:8200
+      - VAULT_HOST=vault
     depends_on:
       - zookeeper
       - kafka-1
       - kafka-2
       - kafka-3
       - redis
       - consul
+      - vault
       - postgres-auth
     deploy:
       restart_policy:
@@ -263,13 +295,16 @@ services:
       - REDIS_HOST=redis
       - CONSUL_HOST=consul
       - DB_IP_PORT=postgres-wallet
+      - BACKEND_USER=${BACKEND_USER}
+      - VAULT_HOST=vault
     depends_on:
       - zookeeper
       - kafka-1
       - kafka-2
       - kafka-3
       - redis
       - consul
+      - vault
       - postgres-wallet
     deploy:
       restart_policy:
@@ -285,13 +320,16 @@ services:
       - REDIS_HOST=redis
       - CONSUL_HOST=consul
       - DB_IP_PORT=postgres-api
+      - BACKEND_USER=${BACKEND_USER}
+      - VAULT_HOST=vault
     depends_on:
       - zookeeper
       - kafka-1
       - kafka-2
       - kafka-3
       - redis
       - consul
+      - vault
       - postgres-api
     deploy:
       restart_policy:
@@ -306,12 +344,15 @@ services:
       - KAFKA_IP_PORT=kafka-1:29092,kafka-2:29092,kafka-3:29092
       - CONSUL_HOST=consul
       - DB_IP_PORT=postgres-api
+      - BACKEND_USER=${BACKEND_USER}
+      - VAULT_HOST=vault
     depends_on:
       - zookeeper
       - kafka-1
       - kafka-2
       - kafka-3
       - consul
+      - vault
       - postgres-api
     deploy:
       restart_policy:
@@ -327,11 +368,14 @@ services:
       - REDIS_HOST=redis
       - CONSUL_HOST=consul
       - DB_IP_PORT=postgres-bc-gateway
+      - BACKEND_USER=${BACKEND_USER}
+      - VAULT_URL=http://vault:8200
     depends_on:
       - zookeeper
       - kafka-1
       - redis
       - consul
+      - vault
       - postgres-bc-gateway
     deploy:
       restart_policy:

Deployment/vault/config/backend-policy.hcl

@@ -0,0 +1,26 @@
+path "kv/*" {
+  capabilities = ["read"]
+}
+
+path "secret/*" {
+  capabilities = ["read"]
+}
+
+path "secret/opex/" {
+  capabilities = ["read"]
+}
+
+path "secret/opex-wallet/" {
+  capabilities = ["read"]
+}
+
+path "sys/mounts" {
+  capabilities = ["read"]
+}
+
+path "sys/auth" {
+  capabilities = ["read"]
+}
+
+
+

Deployment/vault/config/panel-policy.hcl

@@ -0,0 +1,27 @@
+path "kv/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/opex/" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/opex-wallet/" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+
+path "sys/mounts" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "sys/auth" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+
+

Deployment/vault/config/vault.json

@@ -0,0 +1,16 @@
+{
+  "listener": {
+    "tcp": {
+      "address": "0.0.0.0:8200",
+      "tls_disable": "true"
+    }
+  },
+  "backend": {
+    "file": {
+      "path": "/vault/file"
+    }
+  },
+  "default_lease_ttl": "168h",
+  "max_lease_ttl": "0h",
+  "api_addr": "http://0.0.0.0:8200"
+}

Deployment/vault/config/workflow-vault.sh

@@ -0,0 +1,87 @@
+#!/bin/sh
+vault server -config /vault/config/vault.json &
+
+## Export values
+export VAULT_ADDR='http://0.0.0.0:8200'
+export VAULT_SKIP_VERIFY='true'
+
+#
+sleep 10
+
+if [ ! -f /vault/file/generated_keys.txt ]; then
+    echo "Vault init"
+    vault operator init > /vault/file/generated_keys.txt
+fi
+echo "Generated Keys:"
+cat /vault/file/generated_keys.txt
+## Parse unsealed keys
+(grep "Unseal Key " < /vault/file/generated_keys.txt | cut -c15-) > /vault/file/keys.txt
+
+echo "Keys:"
+cat /vault/file/keys.txt
+
+while IFS= read -r line; do
+    echo "Key read from file: $line"
+    vault operator unseal $line
+done < /vault/file/keys.txt
+#
+## Get root token
+(grep "Initial Root Token: " < /vault/file/generated_keys.txt | cut -c21-) > /vault/file/tokens.txt
+while IFS= read -r line; do
+    echo "Root token read from file: $line"
+    export VAULT_TOKEN=${line}
+done < /vault/file/tokens.txt
+## Enable kv
+echo 'enable kv'
+vault secrets enable -path=secret -version=1 kv
+## Enable userpass and add default user
+echo 'enable userpass and add default user'
+vault auth enable userpass
+echo 'enable panel policies'
+vault policy write panel-policy /vault/config/panel-policy.hcl
+echo 'set password '
+echo ${PANEL_PASS}
+vault write auth/userpass/users/admin password=${PANEL_PASS} policies=panel-policy
+echo 'check login user/pass'
+vault login -method=userpass username=admin password=${PANEL_PASS}
+
+echo 'enable appid and add default user-id'
+vault auth enable app-id
+echo 'enable backend policies'
+vault policy write backend-policy /vault/config/backend-policy.hcl
+echo 'enable backend apps'
+vault write auth/app-id/map/app-id/opex-accountant value=backend-policy display_name=opex-accountant
+vault write auth/app-id/map/app-id/opex-api value=backend-policy display_name=opex-api
+vault write auth/app-id/map/app-id/opex-bc-gateway value=backend-policy display_name=opex-bc-gateway
+vault write auth/app-id/map/app-id/opex-eventlog value=backend-policy display_name=opex-eventlog
+vault write auth/app-id/map/app-id/opex-auth value=backend-policy display_name=opex-auth
+vault write auth/app-id/map/app-id/opex-wallet value=backend-policy display_name=opex-wallet
+vault write auth/app-id/map/app-id/opex-websocket value=backend-policy display_name=opex-websocket
+echo 'enable user-id'
+vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway
+echo 'check login appid'
+vault write auth/app-id/login/opex-accountant user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-api user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-bc-gateway user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-eventlog user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-auth user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-wallet user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-websocket user_id=${BACKEND_USER}
+
+#
+## Add secret values
+echo 'put key/value'
+vault kv put secret/opex smtppass=${SMTP_PASS}
+vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS}
+
+
+# Keep alive
+while pidof vault >/dev/null; do
+  sleep 10
+done

Jenkins/Jenkinsfile.deploy.dev.groovy

@@ -15,6 +15,11 @@ pipeline {
         stage('Deliver') {
             environment {
                 DATA = '/var/opex/runtime-dev'
+                PANEL_PASS = credentials("v-panel-secret-dev")
+                BACKEND_USER = credentials("v-backend-secret-dev")
+                SMTP_PASS= credentials("smtp-secret-dev")
+                DB_USER='opex'
+                DB_PASS=credentials("db-secret-dev")
             }
             steps {
                 dir("Deployment") {

Jenkins/Jenkinsfile.deploy.groovy

@@ -15,6 +15,11 @@ pipeline {
         stage('Deliver') {
             environment {
                 DATA = '/var/opex/runtime'
+                PANEL_PASS = credentials("v-panel-secret")
+                BACKEND_USER = credentials("v-backend-secret")
+                SMTP_PASS= credentials("smtp-secret")
+                DB_USER='opex'
+                DB_PASS=credentials("db-secret")
             }
             steps {
                 dir("Deployment") {

accountant/accountant-app/pom.xml

@@ -55,6 +55,10 @@
             <groupId>co.nilin.opex.utility.log</groupId>
             <artifactId>logging-handler</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-starter-vault-config</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

accountant/accountant-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt

@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+    override fun createUserId(): String {
+        return System.getenv("BACKEND_USER")
+    }
+}

accountant/accountant-app/src/main/resources/application-docker.yml

@@ -5,9 +5,11 @@ spring:
     host: ${REDIS_HOST}
   r2dbc:
     url: r2dbc:postgresql://${DB_IP_PORT}/opex_accountant
-    username: opex
-    password: hiopex
+    username: ${dbusername}
+    password: ${dbpassword}
   cloud:
+    vault:
+      host: ${VAULT_HOST}
     consul:
       host: ${CONSUL_HOST}
   main: