diff --git a/Jenkinsfile b/Jenkinsfile
index 75ff7728a..84e1f7984 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -21,9 +21,11 @@ pipeline {
DB_USER = 'opex'
DB_PASS = credentials("db-secret")
DB_BACKUP_USER = 'opex_backup'
- DB_BACKUP_PASSWORD = credentials("db-backup-secret")
+ DB_BACKUP_PASS = credentials("db-backup-secret")
KEYCLOAK_ADMIN_URL = 'https://demo.opex.dev/auth'
KEYCLOAK_FRONTEND_URL = 'https://demo.opex.dev/auth'
+ KEYCLOAK_ADMIN_USERNAME = credentials("keycloak-admin-username")
+ KEYCLOAK_ADMIN_PASSWORD = credentials("keycloak-admin-password")
COMPOSE_PROJECT_NAME = 'demo-core'
DEFAULT_NETWORK_NAME = 'demo-opex'
}
diff --git a/admin/admin-app/pom.xml b/admin/admin-app/pom.xml
index a049dbef8..3b6652038 100644
--- a/admin/admin-app/pom.xml
+++ b/admin/admin-app/pom.xml
@@ -73,6 +73,10 @@
co.nilin.opex.utility.log
logging-handler
+
+ org.springframework.cloud
+ spring-cloud-starter-vault-config
+
diff --git a/admin/admin-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/admin/admin-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
new file mode 100644
index 000000000..e9efaf92a
--- /dev/null
+++ b/admin/admin-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+ override fun createUserId(): String {
+ return System.getenv("BACKEND_USER")
+ }
+}
\ No newline at end of file
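Review bot: `createUserId()` returns `System.getenv("BACKEND_USER")` unchecked, so when the variable is absent in the admin container the failure surfaces as a bare null error inside the Vault login instead of naming the missing setting; prefer `return checkNotNull(System.getenv("BACKEND_USER")) { "BACKEND_USER is not set" }`. The empty primary-constructor parentheses in `class VaultUserIdMechanism()` can be dropped, and the file is missing its trailing newline. A short KDoc on the class saying that the value must match the user-id mapped in `resources/vault/workflow-vault.sh` would save the next reader a search. Note that `AppIdUserIdMechanism` belongs to Vault's App ID auth method, which upstream has deprecated in favour of AppRole; if the project knows this, a comment to that effect is worth adding.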
diff --git a/admin/admin-app/src/main/resources/application.yml b/admin/admin-app/src/main/resources/application.yml
index f47cab0d4..1218ec694 100644
--- a/admin/admin-app/src/main/resources/application.yml
+++ b/admin/admin-app/src/main/resources/application.yml
@@ -16,6 +16,21 @@ spring:
instance-id: ${spring.application.name}:${server.port}
healthCheckInterval: 20s
prefer-ip-address: true
+ vault:
+ host: ${VAULT_HOST}
+ port: 8200
+ scheme: http
+ authentication: APPID
+ app-id:
+ user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
+ fail-fast: true
+ kv:
+ enabled: true
+ backend: secret
+ profile-separator: '/'
+ application-name: ${spring.application.name}
+ config:
+ import: vault://secret/${spring.application.name}
app:
auth:
cert-url: lb://opex-auth/auth/realms/opex/protocol/openid-connect/certs
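Review bot: `scheme: http` means the App ID login and every secret fetched from `secret/${spring.application.name}` travel in cleartext between the admin service and Vault. If that is deliberate for the compose-internal network, say so in a comment next to the line; otherwise make it overridable, e.g. `scheme: ${VAULT_SCHEME:http}` and `port: ${VAULT_PORT:8200}`, so a non-compose deployment can switch to TLS without a code change. `fail-fast: true` is the right default here, but it only guarantees Vault is reachable, not that the expected keys exist.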
@@ -23,4 +38,4 @@ app:
url: http://auth:8080/auth
realm: opex
client-id: opex-admin
- client-secret: ${KEYCLOAK_CLIENT_SECRET:secret}
\ No newline at end of file
+ client-secret: ${keycloak_client_secret:secret}
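Review bot: `${keycloak_client_secret:secret}` keeps a literal fallback of `secret`, so if the key is missing from `secret/opex-admin` the service starts with a guessable client secret rather than failing. Now that the value is sourced from Vault, drop the default: `client-secret: ${keycloak_client_secret}`. The same pattern appears in `user-management/keycloak-gateway/src/main/resources/application.yml` in this commit.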
diff --git a/dev.Jenkinsfile b/dev.Jenkinsfile
index 3a0dada0a..362cb2cb0 100644
--- a/dev.Jenkinsfile
+++ b/dev.Jenkinsfile
@@ -21,9 +21,11 @@ pipeline {
DB_USER = 'opex'
DB_PASS = credentials("db-secret-dev")
DB_BACKUP_USER = 'opex_backup'
- DB_BACKUP_PASSWORD = credentials("db-backup-secret-dev")
+ DB_BACKUP_PASS = credentials("db-backup-secret-dev")
KEYCLOAK_ADMIN_URL = 'https://demo.opex.dev:8443/auth'
KEYCLOAK_FRONTEND_URL = 'https://demo.opex.dev:8443/auth'
+ KEYCLOAK_ADMIN_USERNAME = credentials("keycloak-admin-username-dev")
+ KEYCLOAK_ADMIN_PASSWORD = credentials("keycloak-admin-password-dev")
COMPOSE_PROJECT_NAME = 'dev-core'
DEFAULT_NETWORK_NAME = 'dev-opex'
}
diff --git a/docker-compose.yml b/docker-compose.yml
index b3261dca7..5cc2fd627 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -104,8 +104,11 @@ services:
- SMTP_PASS=${SMTP_PASS}
- DB_USER=${DB_USER:-opex}
- DB_PASS=${DB_PASS:-hiopex}
- - DB_BACKUP_USER=${DB_USER:-opex_backup}
- - DB_BACKUP_PASS=${DB_PASS:-hiopex}
+ - DB_BACKUP_USER=${DB_BACKUP_USER:-opex_backup}
+ - DB_BACKUP_PASS=${DB_BACKUP_PASS:-hiopex}
+ - KEYCLOAK_ADMIN_USERNAME=${KEYCLOAK_ADMIN_USERNAME:-opex-admin}
+ - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-hiopex}
+ - VANDAR_API_KEY=$VANDAR_API_KEY
healthcheck:
retries: 5
cap_add:
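Review bot: `KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-hiopex}` and the `DB_BACKUP_PASS` line above it fall back to a fixed password when the variable is not exported, so an incomplete CI environment silently deploys with a known credential. Compose supports a required-variable form that fails the `up` instead: `- KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:?KEYCLOAK_ADMIN_PASSWORD must be set}`. `VANDAR_API_KEY=$VANDAR_API_KEY` also uses the bare form while every neighbouring line uses braces; `${VANDAR_API_KEY:?VANDAR_API_KEY must be set}` would be consistent and catch the unset case.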
@@ -450,7 +453,7 @@ services:
- JAVA_OPTS=-Xmx256m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005
- KAFKA_IP_PORT=kafka-1:29092,kafka-2:29092,kafka-3:29092
- CONSUL_HOST=consul
- - KEYCLOAK_CLIENT_SECRET=${ADMIN_KEYCLOAK_CLIENT_SECRET} # transfer to vault
+ - VAULT_HOST=vault
volumes:
- $DATA/admin-data:/admin
depends_on:
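Review bot: The admin service gains `VAULT_HOST` but nothing in this hunk supplies `BACKEND_USER`, which the new `VaultUserIdMechanism` reads to perform the App ID login; if it is not set elsewhere for this service, the login fails at startup. Presumably it must equal the user-id mapped in `workflow-vault.sh`. The removed line took the value from `ADMIN_KEYCLOAK_CLIENT_SECRET`, whereas the vault script now writes `${KEYCLOAK_CLIENT_SECRET}` into `secret/opex-admin`; worth confirming that the vault service's environment exports the latter name, since that section is outside this diff.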
diff --git a/resources/vault/workflow-vault.sh b/resources/vault/workflow-vault.sh
index b877919dd..056b26ddc 100755
--- a/resources/vault/workflow-vault.sh
+++ b/resources/vault/workflow-vault.sh
@@ -57,8 +57,11 @@ vault write auth/app-id/map/app-id/opex-eventlog value=backend-policy display_na
vault write auth/app-id/map/app-id/opex-auth value=backend-policy display_name=opex-auth
vault write auth/app-id/map/app-id/opex-wallet value=backend-policy display_name=opex-wallet
vault write auth/app-id/map/app-id/opex-websocket value=backend-policy display_name=opex-websocket
+vault write auth/app-id/map/app-id/opex-payment value=backend-policy display_name=opex-payment
+vault write auth/app-id/map/app-id/opex-admin value=backend-policy display_name=opex-admin
+vault write auth/app-id/map/app-id/opex-chain-scan-gateway value=backend-policy display_name=opex-chain-scan-gateway
echo 'enable user-id'
-vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway
+vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway,opex-payment,opex-admin,opex-chain-scan-gateway
echo 'check login appid'
vault write auth/app-id/login/opex-accountant user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-api user_id=${BACKEND_USER}
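Review bot: `opex-admin` and the two other new app-ids are mapped to the same `backend-policy` and, on the `map/user-id` line, to the same single `${BACKEND_USER}`, so any container that holds that one value can log in as any app-id, including `opex-admin`. This follows the existing pattern, but the Keycloak admin credentials and client secret added below are higher-value than a shared DB password; a per-service policy such as `opex-admin-policy` scoped to `secret/opex-admin` (assuming `backend-policy` grants broad read access, which is not visible here) would limit the blast radius of one leaked user-id.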
@@ -67,19 +70,24 @@ vault write auth/app-id/login/opex-eventlog user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-auth user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-wallet user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-websocket user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-payment user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-admin user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-chain-scan-gateway user_id=${BACKEND_USER}
#
## Add secret values
echo 'put key/value'
vault kv put secret/opex smtppass=${SMTP_PASS}
-vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS}
-
+vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS} admin_username=${KEYCLOAK_ADMIN_USERNAME} admin_password=${KEYCLOAK_ADMIN_PASSWORD} keycloak_client_secret=replace_with_actual_secret
+vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-payment dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS} vandar_api_key=${VANDAR_API_KEY}
+vault kv put secret/opex-admin keycloak_client_secret=${KEYCLOAK_CLIENT_SECRET}
+vault kv put secret/opex-chain-scan-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
# Keep alive
while pidof vault >/dev/null; do
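Review bot: The new `kv put` lines read `${DB_BACKUP_USERNAME}`, but the Jenkinsfile, dev.Jenkinsfile and docker-compose.yml hunks in this commit all export `DB_BACKUP_USER`, so `db_backup_username` is written as an empty string; rename to `${DB_BACKUP_USER}` or export the other name consistently. `secret/opex-auth` also receives `keycloak_client_secret=replace_with_actual_secret`, a literal placeholder that will be served to the auth service as if it were real; either wire it to an environment variable as the `opex-admin` entry does, or omit the key so the consumer fails loudly instead of authenticating with a dummy value. The keep-alive loop at the end continues outside the hunk.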
diff --git a/user-management/keycloak-gateway/src/main/resources/application.yml b/user-management/keycloak-gateway/src/main/resources/application.yml
index fca91b09f..049cb7028 100644
--- a/user-management/keycloak-gateway/src/main/resources/application.yml
+++ b/user-management/keycloak-gateway/src/main/resources/application.yml
@@ -54,8 +54,8 @@ keycloak:
server:
contextPath: /auth
adminUser:
- username: opex-admin
- password: hiopex
+ username: ${admin_username:opex-admin}
+ password: ${admin_password:hiopex}
realmImportFile: /opex-realm.json
migration:
action: import
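Review bot: `${admin_password:hiopex}` keeps the previously hardcoded password as the fallback, so if `secret/opex-auth` lacks `admin_password` the gateway still boots with the known value; this is the same pattern as `client-secret` in the admin `application.yml` in this commit. Since these now come from Vault, drop the defaults: `username: ${admin_username}` and `password: ${admin_password}`, and let a missing key fail startup.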
@@ -67,4 +67,4 @@ keycloak:
admin_fine_grained_authz: enabled
token_exchange: enabled
hashicorp:
- url: ${VAULT_URL}
\ No newline at end of file
+ url: ${VAULT_URL}