From 07767758dc1d2757d7f751a475ad22b093694ae4 Mon Sep 17 00:00:00 2001
From: metalicn20
Date: Wed, 23 Feb 2022 11:58:33 +0330
Subject: [PATCH 1/4] Add external scopes to vault
---
 Jenkinsfile | 2 ++
 admin/admin-app/src/main/resources/application.yml | 2 +-
 dev.Jenkinsfile | 2 ++
 docker-compose.yml | 2 +-
 resources/vault/workflow-vault.sh | 14 +++++++++++---
 .../src/main/resources/application.yml | 6 +++---
 6 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 75ff7728a..0bcc34b5c 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -24,6 +24,8 @@ pipeline {
 DB_BACKUP_PASSWORD = credentials("db-backup-secret")
 KEYCLOAK_ADMIN_URL = 'https://demo.opex.dev/auth'
 KEYCLOAK_FRONTEND_URL = 'https://demo.opex.dev/auth'
+ ADMIN_USERNAME = credentials("keycloak-admin-username")
+ ADMIN_PASSWORD = credentials("keycloak-admin-password")
 COMPOSE_PROJECT_NAME = 'demo-core'
 DEFAULT_NETWORK_NAME = 'demo-opex'
 }
diff --git a/admin/admin-app/src/main/resources/application.yml b/admin/admin-app/src/main/resources/application.yml
index f47cab0d4..b5432edfe 100644
--- a/admin/admin-app/src/main/resources/application.yml
+++ b/admin/admin-app/src/main/resources/application.yml
@@ -23,4 +23,4 @@ app:
 url: http://auth:8080/auth
 realm: opex
 client-id: opex-admin
- client-secret: ${KEYCLOAK_CLIENT_SECRET:secret}
\ No newline at end of file
+ client-secret: ${keycloak_client_secret:secret}
diff --git a/dev.Jenkinsfile b/dev.Jenkinsfile
index 3a0dada0a..1d48bb277 100644
--- a/dev.Jenkinsfile
+++ b/dev.Jenkinsfile
@@ -24,6 +24,8 @@ pipeline {
 DB_BACKUP_PASSWORD = credentials("db-backup-secret-dev")
 KEYCLOAK_ADMIN_URL = 'https://demo.opex.dev:8443/auth'
 KEYCLOAK_FRONTEND_URL = 'https://demo.opex.dev:8443/auth'
+ ADMIN_USERNAME = credentials("keycloak-admin-username-dev")
+ ADMIN_PASSWORD = credentials("keycloak-admin-password-dev")
 COMPOSE_PROJECT_NAME = 'dev-core'
 DEFAULT_NETWORK_NAME = 'dev-opex'
 }
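Review bot: `client-secret: ${keycloak_client_secret:secret}` keeps a fallback of the literal `secret`, so if the vault key is absent, or the property name does not match what the vault bootstrap script writes, the admin app silently starts with a guessable client secret instead of failing. Drop the default so a missing value becomes a startup error: `client-secret: ${keycloak_client_secret}`. The keycloak-gateway application.yml hunk later in this patch has the same pattern with `${admin_username:opex-admin}` and `${admin_password:hiopex}`, where the fallback is a well-known admin password checked into the repository; the same fix applies there.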
diff --git a/docker-compose.yml b/docker-compose.yml
index b3261dca7..74b35ad6f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -106,6 +106,7 @@ services:
 - DB_PASS=${DB_PASS:-hiopex}
 - DB_BACKUP_USER=${DB_USER:-opex_backup}
 - DB_BACKUP_PASS=${DB_PASS:-hiopex}
+ - VANDAR_API_KEY=$VANDAR_API_KEY
 healthcheck:
 retries: 5
 cap_add:
@@ -450,7 +451,6 @@ services:
 - JAVA_OPTS=-Xmx256m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005
 - KAFKA_IP_PORT=kafka-1:29092,kafka-2:29092,kafka-3:29092
 - CONSUL_HOST=consul
- - KEYCLOAK_CLIENT_SECRET=${ADMIN_KEYCLOAK_CLIENT_SECRET} # transfer to vault
 volumes:
 - $DATA/admin-data:/admin
 depends_on:
diff --git a/resources/vault/workflow-vault.sh b/resources/vault/workflow-vault.sh
index b877919dd..8a305c143 100755
--- a/resources/vault/workflow-vault.sh
+++ b/resources/vault/workflow-vault.sh
@@ -57,8 +57,11 @@ vault write auth/app-id/map/app-id/opex-eventlog value=backend-policy display_na
 vault write auth/app-id/map/app-id/opex-auth value=backend-policy display_name=opex-auth
 vault write auth/app-id/map/app-id/opex-wallet value=backend-policy display_name=opex-wallet
 vault write auth/app-id/map/app-id/opex-websocket value=backend-policy display_name=opex-websocket
+vault write auth/app-id/map/app-id/opex-payment value=backend-policy display_name=opex-payment
+vault write auth/app-id/map/app-id/opex-admin value=backend-policy display_name=opex-admin
+vault write auth/app-id/map/app-id/opex-chain-scan-gateway value=backend-policy display_name=opex-chain-scan-gateway
 echo 'enable user-id'
-vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway
+vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway,opex-payment,opex-admin,opex-chain-scan-gateway
 echo 'check login appid'
 vault write auth/app-id/login/opex-accountant user_id=${BACKEND_USER}
 vault write auth/app-id/login/opex-api user_id=${BACKEND_USER}
@@ -67,6 +70,9 @@ vault write auth/app-id/login/opex-eventlog user_id=${BACKEND_USER}
 vault write auth/app-id/login/opex-auth user_id=${BACKEND_USER}
 vault write auth/app-id/login/opex-wallet user_id=${BACKEND_USER}
 vault write auth/app-id/login/opex-websocket user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-payment user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-admin user_id=${BACKEND_USER}
+vault write auth/app-id/login/opex-chain-scan-gateway user_id=${BACKEND_USER}
 #
 ## Add secret values
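Review bot: The three new app-ids (`opex-payment`, `opex-admin`, `opex-chain-scan-gateway`) are mapped to the same `backend-policy` and to the single shared user-id `${BACKEND_USER}`, so, assuming `backend-policy` grants reads across `secret/*` (its content is not visible here), any backend container that holds BACKEND_USER can log in as `opex-admin` and read the Keycloak client secret this patch later stores there. A per-service policy, e.g. `vault write auth/app-id/map/app-id/opex-admin value=opex-admin-policy display_name=opex-admin` with that policy limited to `secret/opex-admin`, keeps each service to its own path. Worth also noting in a comment above these lines that Vault's app-id method is deprecated upstream in favour of AppRole, so new services are being added to an auth method that will eventually need migrating. The script continues on both sides of these hunks.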
@@ -76,10 +82,12 @@ vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS}
 vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS}
 vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
 vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS}
+vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS} admin_username=${ADMIN_USERNAME} admin_password=${ADMIN_PASSWORD} keycloak_client_secret=replace_with_actual_secret
 vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS}
 vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS}
-
+vault kv put secret/opex-payment dbusername=${DB_USER} dbpassword=${DB_PASS} vandar_api_key=${VANDAR_API_KEY}
+vault kv put secret/opex-admin keycloak_client_secret=${KEYCLOAK_CLIENT_SECRET}
+vault kv put secret/opex-chain-scan-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
 # Keep alive
 while pidof vault >/dev/null; do
diff --git a/user-management/keycloak-gateway/src/main/resources/application.yml b/user-management/keycloak-gateway/src/main/resources/application.yml
index fca91b09f..049cb7028 100644
--- a/user-management/keycloak-gateway/src/main/resources/application.yml
+++ b/user-management/keycloak-gateway/src/main/resources/application.yml
@@ -54,8 +54,8 @@ keycloak:
 server:
 contextPath: /auth
 adminUser:
- username: opex-admin
- password: hiopex
+ username: ${admin_username:opex-admin}
+ password: ${admin_password:hiopex}
 realmImportFile: /opex-realm.json
 migration:
 action: import
@@ -67,4 +67,4 @@ keycloak:
 admin_fine_grained_authz: enabled
 token_exchange: enabled
 hashicorp:
- url: ${VAULT_URL}
\ No newline at end of file
+ url: ${VAULT_URL}
From c2530225ddc4a3dae00acbc87b0705eb90aaae01 Mon Sep 17 00:00:00 2001
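Review bot: `keycloak_client_secret=${KEYCLOAK_CLIENT_SECRET}` on the new `secret/opex-admin` line reads a variable that nothing in this patch hands to the container running the script: the docker-compose hunk removes `KEYCLOAK_CLIENT_SECRET` from the admin service but only adds `VANDAR_API_KEY` to the service that presumably runs the vault bootstrap, so the stored value is likely empty and the admin app then falls back to its `:secret` default. On the `opex-auth` line the literal `replace_with_actual_secret` is committed as a secret value; if opex-auth does not actually read the client secret, drop that key rather than store a placeholder. Passing secrets as `key=value` arguments also leaves them in the vault container's process table and shell history; `vault kv put` reads a value from stdin with `key=-`, e.g. `printf '%s' "$KEYCLOAK_CLIENT_SECRET" | vault kv put secret/opex-admin keycloak_client_secret=-`. The script continues past this hunk.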
From: metalicn20
Date: Wed, 23 Feb 2022 12:34:11 +0330
Subject: [PATCH 2/4] vault: Add database backup user secrets
---
 docker-compose.yml | 6 ++++--
 resources/vault/workflow-vault.sh | 16 ++++++++--------
 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 74b35ad6f..e68b3272d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -104,8 +104,10 @@ services:
 - SMTP_PASS=${SMTP_PASS}
 - DB_USER=${DB_USER:-opex}
 - DB_PASS=${DB_PASS:-hiopex}
- - DB_BACKUP_USER=${DB_USER:-opex_backup}
- - DB_BACKUP_PASS=${DB_PASS:-hiopex}
+ - DB_BACKUP_USER=${DB_BACKUP_USER:-opex_backup}
+ - DB_BACKUP_PASS=${DB_BACKUP_PASS:-hiopex}
+ - KEYCLOAK_ADMIN_USERNAME=${KEYCLOAK_ADMIN_USERNAME:-opex-admin}
+ - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-hiopex}
 - VANDAR_API_KEY=$VANDAR_API_KEY
 healthcheck:
 retries: 5
diff --git a/resources/vault/workflow-vault.sh b/resources/vault/workflow-vault.sh
index 8a305c143..056b26ddc 100755
--- a/resources/vault/workflow-vault.sh
+++ b/resources/vault/workflow-vault.sh
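Review bot: `KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-hiopex}` gives the Keycloak admin account a published default whenever the variable is unset, and because it is then written into vault and read back by keycloak-gateway, a forgotten CI variable produces a fully working deployment with a known admin password. Compose's required-variable form fails the stack instead: `- KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:?KEYCLOAK_ADMIN_PASSWORD must be set}`. The same applies to `DB_BACKUP_PASS` on the line above and to the pre-existing `DB_PASS` default, at least for the non-dev compose file if one is split out later.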
@@ -78,14 +78,14 @@ vault write auth/app-id/login/opex-chain-scan-gateway user_id=${BACKEND_USER}
 ## Add secret values
 echo 'put key/value'
 vault kv put secret/opex smtppass=${SMTP_PASS}
-vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS} admin_username=${ADMIN_USERNAME} admin_password=${ADMIN_PASSWORD} keycloak_client_secret=replace_with_actual_secret
-vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-payment dbusername=${DB_USER} dbpassword=${DB_PASS} vandar_api_key=${VANDAR_API_KEY}
+vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS} admin_username=${KEYCLOAK_ADMIN_USERNAME} admin_password=${KEYCLOAK_ADMIN_PASSWORD} keycloak_client_secret=replace_with_actual_secret
+vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
+vault kv put secret/opex-payment dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS} vandar_api_key=${VANDAR_API_KEY}
 vault kv put secret/opex-admin keycloak_client_secret=${KEYCLOAK_CLIENT_SECRET}
 vault kv put secret/opex-chain-scan-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
From d68594c67f311c8305b3ad7abfd3b1d5e0f6082c Mon Sep 17 00:00:00 2001
From: metalicn20
Date: Wed, 23 Feb 2022 12:35:56 +0330
Subject: [PATCH 3/4] Jenkins: Fix keycloak env values
---
 Jenkinsfile | 6 +++---
 dev.Jenkinsfile | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 0bcc34b5c..84e1f7984 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -21,11 +21,11 @@ pipeline {
 DB_USER = 'opex'
 DB_PASS = credentials("db-secret")
 DB_BACKUP_USER = 'opex_backup'
- DB_BACKUP_PASSWORD = credentials("db-backup-secret")
+ DB_BACKUP_PASS = credentials("db-backup-secret")
 KEYCLOAK_ADMIN_URL = 'https://demo.opex.dev/auth'
 KEYCLOAK_FRONTEND_URL = 'https://demo.opex.dev/auth'
- ADMIN_USERNAME = credentials("keycloak-admin-username")
- ADMIN_PASSWORD = credentials("keycloak-admin-password")
+ KEYCLOAK_ADMIN_USERNAME = credentials("keycloak-admin-username")
+ KEYCLOAK_ADMIN_PASSWORD = credentials("keycloak-admin-password")
 COMPOSE_PROJECT_NAME = 'demo-core'
 DEFAULT_NETWORK_NAME = 'demo-opex'
 }
diff --git a/dev.Jenkinsfile b/dev.Jenkinsfile
index 1d48bb277..362cb2cb0 100644
--- a/dev.Jenkinsfile
+++ b/dev.Jenkinsfile
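Review bot: Every rewritten line reads `${DB_BACKUP_USERNAME}`, but the variable exported by the docker-compose hunk in this patch and by both Jenkinsfiles is `DB_BACKUP_USER`, so `db_backup_username` is stored as an empty string in all eight secrets while `db_backup_pass` gets the real password. Change each occurrence to `db_backup_username=${DB_BACKUP_USER}`, and for consistency with `dbusername`/`dbpassword` consider naming the second key `db_backup_password` rather than `db_backup_pass`. Separately, the backup credentials are now copied into the secret path of every service, including wallet and websocket; if a single component performs backups, keeping them under that component's path only is the least-privilege layout. The script continues past this hunk.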
@@ -21,11 +21,11 @@ pipeline {
 DB_USER = 'opex'
 DB_PASS = credentials("db-secret-dev")
 DB_BACKUP_USER = 'opex_backup'
- DB_BACKUP_PASSWORD = credentials("db-backup-secret-dev")
+ DB_BACKUP_PASS = credentials("db-backup-secret-dev")
 KEYCLOAK_ADMIN_URL = 'https://demo.opex.dev:8443/auth'
 KEYCLOAK_FRONTEND_URL = 'https://demo.opex.dev:8443/auth'
- ADMIN_USERNAME = credentials("keycloak-admin-username-dev")
- ADMIN_PASSWORD = credentials("keycloak-admin-password-dev")
+ KEYCLOAK_ADMIN_USERNAME = credentials("keycloak-admin-username-dev")
+ KEYCLOAK_ADMIN_PASSWORD = credentials("keycloak-admin-password-dev")
 COMPOSE_PROJECT_NAME = 'dev-core'
 DEFAULT_NETWORK_NAME = 'dev-opex'
 }
From 2ecd1934d8ee0e3f72a97e65b894baf4e51e6e2e Mon Sep 17 00:00:00 2001
From: metalicn20
Date: Wed, 23 Feb 2022 13:04:33 +0330
Subject: [PATCH 4/4] admin: Add spring cloud vault config
---
 admin/admin-app/pom.xml | 4 ++++
 .../nilin/opex/util/vault/VaultUserIdMechanism.kt | 9 +++++++++
 .../admin-app/src/main/resources/application.yml | 15 +++++++++++++++
 docker-compose.yml | 1 +
 4 files changed, 29 insertions(+)
 create mode 100644 admin/admin-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
diff --git a/admin/admin-app/pom.xml b/admin/admin-app/pom.xml
index a049dbef8..3b6652038 100644
--- a/admin/admin-app/pom.xml
+++ b/admin/admin-app/pom.xml
@@ -73,6 +73,10 @@ co.nilin.opex.utility.log logging-handler + + org.springframework.cloud + spring-cloud-starter-vault-config +
diff --git a/admin/admin-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt b/admin/admin-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
new file mode 100644
index 000000000..e9efaf92a
--- /dev/null
+++ b/admin/admin-app/src/main/kotlin/co/nilin/opex/util/vault/VaultUserIdMechanism.kt
@@ -0,0 +1,9 @@
+package co.nilin.opex.util.vault
+
+import org.springframework.vault.authentication.AppIdUserIdMechanism
+
+class VaultUserIdMechanism() : AppIdUserIdMechanism {
+ override fun createUserId(): String {
+ return System.getenv("BACKEND_USER")
+ }
+}
\ No newline at end of file
diff --git a/admin/admin-app/src/main/resources/application.yml b/admin/admin-app/src/main/resources/application.yml
index b5432edfe..1218ec694 100644
--- a/admin/admin-app/src/main/resources/application.yml
+++ b/admin/admin-app/src/main/resources/application.yml
@@ -16,6 +16,21 @@ spring:
 instance-id: ${spring.application.name}:${server.port}
 healthCheckInterval: 20s
 prefer-ip-address: true
+ vault:
+ host: ${VAULT_HOST}
+ port: 8200
+ scheme: http
+ authentication: APPID
+ app-id:
+ user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
+ fail-fast: true
+ kv:
+ enabled: true
+ backend: secret
+ profile-separator: '/'
+ application-name: ${spring.application.name}
+ config:
+ import: vault://secret/${spring.application.name}
 app:
 auth:
 cert-url: lb://opex-auth/auth/realms/opex/protocol/openid-connect/certs
diff --git a/docker-compose.yml b/docker-compose.yml
index e68b3272d..5cc2fd627 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -453,6 +453,7 @@ services:
 - JAVA_OPTS=-Xmx256m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005
 - KAFKA_IP_PORT=kafka-1:29092,kafka-2:29092,kafka-3:29092
 - CONSUL_HOST=consul
+ - VAULT_HOST=vault
 volumes:
 - $DATA/admin-data:/admin
 depends_on:
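Review bot: `System.getenv("BACKEND_USER")` returns null when the variable is unset, and because `createUserId()` is declared to return a non-null `String`, the app fails at the AppID login with a bare NullPointerException that says nothing about the missing variable. Fail with a message instead: `return System.getenv("BACKEND_USER") ?: error("BACKEND_USER is not set")`. A one-line KDoc such as `/** Supplies the Vault AppID user-id from the BACKEND_USER environment variable. */` would document the contract, and the empty `()` on the class declaration is redundant. `AppIdUserIdMechanism` belongs to Vault's AppID method, which upstream has deprecated in favour of AppRole, so a `// TODO: AppID is deprecated upstream; migrate to AppRole` note in the class would flag that for whoever picks it up; the same applies to `authentication: APPID` in the application.yml hunk of this patch.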
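Review bot: `scheme: http` sends the AppID login and every secret fetched afterwards (including `keycloak_client_secret`) in clear text across the compose network, and the shared user-id supplied by `VaultUserIdMechanism` is the only credential in that exchange. Unless the vault service is intentionally run without TLS, switch to `scheme: https` with `ssl.trust-store` configured, or at least make it a property (`scheme: ${VAULT_SCHEME:https}`) so production cannot end up on http by omission. The collapsed view does not preserve indentation, so please confirm that `config.import: vault://...` sits directly under `spring:` and not under `spring.cloud:`; assuming Boot 2.4+, only `spring.config.import` is read, and a misplaced key would make the app silently fall back to the `:secret` default in the same file. `fail-fast: true` is the right call and should stay.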