4 changes: 3 additions & 1 deletion Jenkinsfile
Expand Up @@ -21,9 +21,11 @@ pipeline {
DB_USER = 'opex'
DB_PASS = credentials("db-secret")
DB_BACKUP_USER = 'opex_backup'
DB_BACKUP_PASSWORD = credentials("db-backup-secret")
DB_BACKUP_PASS = credentials("db-backup-secret")
KEYCLOAK_ADMIN_URL = 'https://demo.opex.dev/auth'
KEYCLOAK_FRONTEND_URL = 'https://demo.opex.dev/auth'
KEYCLOAK_ADMIN_USERNAME = credentials("keycloak-admin-username")
KEYCLOAK_ADMIN_PASSWORD = credentials("keycloak-admin-password")
COMPOSE_PROJECT_NAME = 'demo-core'
DEFAULT_NETWORK_NAME = 'demo-opex'
}
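Review bot: `KEYCLOAK_ADMIN_USERNAME` and `KEYCLOAK_ADMIN_PASSWORD` are bound in the pipeline-level `environment {}` block (which opens outside this hunk), so every stage and every `sh` step in the pipeline inherits the Keycloak admin credential, not only the deploy step that hands it to compose. Consider binding them with `withCredentials([...])` inside the stage that runs `docker compose`, or at least in a stage-level `environment` block, so build and test steps cannot read them. Binding the pair as one Jenkins username/password credential (`KEYCLOAK_ADMIN = credentials("keycloak-admin")`, which yields `KEYCLOAK_ADMIN_USR`/`KEYCLOAK_ADMIN_PSW`) would also keep username and password as a single rotated unit. The `DB_BACKUP_PASSWORD` to `DB_BACKUP_PASS` rename matches what docker-compose.yml now reads, but note this file exports `DB_BACKUP_USER` while the vault bootstrap script in this PR reads `DB_BACKUP_USERNAME`.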
4 changes: 4 additions & 0 deletions admin/admin-app/pom.xml
Expand Up @@ -73,6 +73,10 @@
<groupId>co.nilin.opex.utility.log</groupId>
<artifactId>logging-handler</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>
</dependencies>

<dependencyManagement>
@@ -0,0 +1,9 @@
package co.nilin.opex.util.vault

import org.springframework.vault.authentication.AppIdUserIdMechanism

class VaultUserIdMechanism() : AppIdUserIdMechanism {
override fun createUserId(): String {
return System.getenv("BACKEND_USER")
}
}
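Review bot: `System.getenv("BACKEND_USER")` is a platform type, so when the variable is absent the non-null `String` return trips Kotlin's null intrinsic and the Vault bootstrap dies with a generic `NullPointerException` instead of a message naming the missing setting; prefer `override fun createUserId(): String = System.getenv("BACKEND_USER") ?: error("BACKEND_USER is not set; required for Vault app-id login")`, which fails at the same point with an actionable cause and matches the `fail-fast: true` in application.yml. The `()` after the class name is redundant, and a short KDoc such as `/** Supplies the Vault app-id user-id from the BACKEND_USER environment variable. */` would help since this is the only place the login secret is sourced. Security-wise the user-id is a shared static value delivered to every backend container by environment, and HashiCorp has deprecated the App ID method in favour of AppRole; if this class is duplicated per service, a TODO noting that migration would stop the user-id being treated as a long-lived password.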
17 changes: 16 additions & 1 deletion admin/admin-app/src/main/resources/application.yml
Expand Up @@ -16,11 +16,26 @@ spring:
instance-id: ${spring.application.name}:${server.port}
healthCheckInterval: 20s
prefer-ip-address: true
vault:
host: ${VAULT_HOST}
port: 8200
scheme: http
authentication: APPID
app-id:
user-id: co.nilin.opex.util.vault.VaultUserIdMechanism
fail-fast: true
kv:
enabled: true
backend: secret
profile-separator: '/'
application-name: ${spring.application.name}
config:
import: vault://secret/${spring.application.name}
app:
auth:
cert-url: lb://opex-auth/auth/realms/opex/protocol/openid-connect/certs
keycloak:
url: http://auth:8080/auth
realm: opex
client-id: opex-admin
client-secret: ${KEYCLOAK_CLIENT_SECRET:secret}
client-secret: ${keycloak_client_secret:secret}
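Review bot: `client-secret: ${keycloak_client_secret:secret}` keeps a literal fallback, so if the `keycloak_client_secret` key is missing from `secret/opex-admin` (or the import resolves a different path) the app starts silently with the well-known value `secret`; `fail-fast: true` covers only the Vault connection, not absent keys. Drop the default, `client-secret: ${keycloak_client_secret}`, so a missing secret aborts startup. `scheme: http` sends the app-id login and every returned secret in clear text to `${VAULT_HOST}:8200`, which is tolerable only on the private compose network; a comment above `scheme:` such as `# dev-only: use https (with spring.cloud.vault.ssl.trust-store) in any deployed profile` would keep this from being copied as-is. Both `kv.application-name` and `spring.config.import` point at the same `secret/${spring.application.name}` path; which one is effective depends on the Spring Cloud Vault version (not visible here), so it is worth confirming the secrets are loaded exactly once.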
4 changes: 3 additions & 1 deletion dev.Jenkinsfile
Expand Up @@ -21,9 +21,11 @@ pipeline {
DB_USER = 'opex'
DB_PASS = credentials("db-secret-dev")
DB_BACKUP_USER = 'opex_backup'
DB_BACKUP_PASSWORD = credentials("db-backup-secret-dev")
DB_BACKUP_PASS = credentials("db-backup-secret-dev")
KEYCLOAK_ADMIN_URL = 'https://demo.opex.dev:8443/auth'
KEYCLOAK_FRONTEND_URL = 'https://demo.opex.dev:8443/auth'
KEYCLOAK_ADMIN_USERNAME = credentials("keycloak-admin-username-dev")
KEYCLOAK_ADMIN_PASSWORD = credentials("keycloak-admin-password-dev")
COMPOSE_PROJECT_NAME = 'dev-core'
DEFAULT_NETWORK_NAME = 'dev-opex'
}
9 changes: 6 additions & 3 deletions docker-compose.yml
Expand Up @@ -104,8 +104,11 @@ services:
- SMTP_PASS=${SMTP_PASS}
- DB_USER=${DB_USER:-opex}
- DB_PASS=${DB_PASS:-hiopex}
- DB_BACKUP_USER=${DB_USER:-opex_backup}
- DB_BACKUP_PASS=${DB_PASS:-hiopex}
- DB_BACKUP_USER=${DB_BACKUP_USER:-opex_backup}
- DB_BACKUP_PASS=${DB_BACKUP_PASS:-hiopex}
- KEYCLOAK_ADMIN_USERNAME=${KEYCLOAK_ADMIN_USERNAME:-opex-admin}
- KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-hiopex}
- VANDAR_API_KEY=$VANDAR_API_KEY
healthcheck:
retries: 5
cap_add:
Expand Down Expand Up @@ -450,7 +453,7 @@ services:
- JAVA_OPTS=-Xmx256m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005
- KAFKA_IP_PORT=kafka-1:29092,kafka-2:29092,kafka-3:29092
- CONSUL_HOST=consul
- KEYCLOAK_CLIENT_SECRET=${ADMIN_KEYCLOAK_CLIENT_SECRET} # transfer to vault
- VAULT_HOST=vault
volumes:
- $DATA/admin-data:/admin
depends_on:
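Review bot: In the first hunk, `DB_BACKUP_PASS=${DB_BACKUP_PASS:-hiopex}` and `KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-hiopex}` fall back to a password committed to the repository, so a pipeline variable that is merely unset yields a backup DB user and a Keycloak admin with a known credential rather than a failed deploy. Compose has a required-variable form: `- KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:?KEYCLOAK_ADMIN_PASSWORD must be set}` and the same for `DB_BACKUP_PASS` make the omission fatal, with `hiopex` kept only in a local-development override file if needed. The correction so `DB_BACKUP_USER`/`DB_BACKUP_PASS` read their own variables instead of `DB_USER`/`DB_PASS` is right. In the second hunk the admin service gains `VAULT_HOST=vault` but no `BACKEND_USER`, which the new `VaultUserIdMechanism` reads for the app-id login; it may come from an `env_file` or lines outside the hunk, but please confirm, as the service otherwise fails at startup.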
26 changes: 17 additions & 9 deletions resources/vault/workflow-vault.sh
Expand Up @@ -57,8 +57,11 @@ vault write auth/app-id/map/app-id/opex-eventlog value=backend-policy display_na
vault write auth/app-id/map/app-id/opex-auth value=backend-policy display_name=opex-auth
vault write auth/app-id/map/app-id/opex-wallet value=backend-policy display_name=opex-wallet
vault write auth/app-id/map/app-id/opex-websocket value=backend-policy display_name=opex-websocket
vault write auth/app-id/map/app-id/opex-payment value=backend-policy display_name=opex-payment
vault write auth/app-id/map/app-id/opex-admin value=backend-policy display_name=opex-admin
vault write auth/app-id/map/app-id/opex-chain-scan-gateway value=backend-policy display_name=opex-chain-scan-gateway
echo 'enable user-id'
vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway
vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway,opex-payment,opex-admin,opex-chain-scan-gateway
echo 'check login appid'
vault write auth/app-id/login/opex-accountant user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-api user_id=${BACKEND_USER}
Expand All @@ -67,19 +70,24 @@ vault write auth/app-id/login/opex-eventlog user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-auth user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-wallet user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-websocket user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-payment user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-admin user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-chain-scan-gateway user_id=${BACKEND_USER}

#
## Add secret values
echo 'put key/value'
vault kv put secret/opex smtppass=${SMTP_PASS}
vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS}
vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS}
vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS}
vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS}
vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS}
vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS}

vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS} admin_username=${KEYCLOAK_ADMIN_USERNAME} admin_password=${KEYCLOAK_ADMIN_PASSWORD} keycloak_client_secret=replace_with_actual_secret
vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-payment dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USERNAME} db_backup_pass=${DB_BACKUP_PASS} vandar_api_key=${VANDAR_API_KEY}
vault kv put secret/opex-admin keycloak_client_secret=${KEYCLOAK_CLIENT_SECRET}
vault kv put secret/opex-chain-scan-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}

# Keep alive
while pidof vault >/dev/null; do
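Review bot: The new `kv put` lines read `${DB_BACKUP_USERNAME}`, but the Jenkinsfile and docker-compose.yml in this PR export the value as `DB_BACKUP_USER`; unless the vault container receives it under the other name from something outside this diff, every `db_backup_username` is stored as an empty string and the failure only surfaces when a backup job tries to authenticate. Change them to `db_backup_username=${DB_BACKUP_USER}` and consider `set -u` near the top of the script so an unset variable aborts the bootstrap instead of writing blanks. `keycloak_client_secret=replace_with_actual_secret` in the `secret/opex-auth` entry persists a placeholder that looks like a real value to any consumer; either write `${KEYCLOAK_CLIENT_SECRET}` as the `opex-admin` line does, or omit the key so a reader fails loudly. The single `${BACKEND_USER}` user-id is mapped to every app-id, so one leaked value authenticates as any service, and the `login` checks print client tokens to the job log; both are inherent to the deprecated App ID method, which makes this script the natural place to migrate to AppRole with per-service role-id/secret-id.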
Expand Up @@ -54,8 +54,8 @@ keycloak:
server:
contextPath: /auth
adminUser:
username: opex-admin
password: hiopex
username: ${admin_username:opex-admin}
password: ${admin_password:hiopex}
realmImportFile: /opex-realm.json
migration:
action: import
Expand All @@ -67,4 +67,4 @@ keycloak:
admin_fine_grained_authz: enabled
token_exchange: enabled
hashicorp:
url: ${VAULT_URL}
url: ${VAULT_URL}
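Review bot: `password: ${admin_password:hiopex}` and `username: ${admin_username:opex-admin}` keep the previously hard-coded admin credentials as fallbacks, so if the Vault lookup that should supply `admin_password` resolves nothing, Keycloak still boots with an admin password that lives in the repository. Use `password: ${admin_password}` and `username: ${admin_username}` so a missing secret fails startup, with a comment above `adminUser:` such as `# supplied from Vault (secret/opex-auth admin_username/admin_password); intentionally no default`. The `keycloak:` block this hunk edits starts outside the hunk. The final `url: ${VAULT_URL}` change appears to be whitespace only and can be dropped from the PR.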