Replies: 1 comment
There are several settings you need to change. If you look at https://github.com/edgexfoundry/edgex-go/blob/jakarta/cmd/core-data/res/configuration.toml#L71, for example:

```toml
[SecretStore]
Type = "vault"
Protocol = "http"
Host = "localhost"
Port = 8200
Path = "core-data/"
TokenFile = "/tmp/edgex/secrets/core-data/secrets-token.json"
RootCaCertPath = ""
ServerName = ""
```

you need to override, at a minimum, Protocol and RootCaCertPath, and possibly Host, Port, and ServerName. So, for example, if you had your Vault TLS instance running at https://corpvault.mycompany.com:8200 and it had a TLS certificate in it with CN=enterprisevault.mycompany.com (usually we want the TLS cert to have the actual hostname in it, but if for some reason it doesn't, we have an option), you would use

```toml
[SecretStore]
Type = "vault"
Protocol = "https"
Host = "corpvault.mycompany.com"
Port = 8200
Path = "core-data/"
TokenFile = "/tmp/edgex/secrets/core-data/secrets-token.json"
RootCaCertPath = "/path/to/injected/ca.crt"
ServerName = "enterprisevault.mycompany.com"
```

You need to inject "/path/to/injected/ca.crt" somehow into the container, either via a docker host binding or via a docker volume mount. I think if the CA is signed by a well-known public CA, it might not be necessary, but I don't want to spend money to find out. ServerName overrides the expected name "corpvault.mycompany.com" that is matched against the TLS certificate, since the TLS certificate has a different name in it, for example purposes. You can make these settings using environment variable overrides.
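What the two non-obvious settings above actually buy you is easiest to see by running the same check a TLS client performs after the handshake. The following is an added example, not code from EdgeX or from the answer above: it generates a throwaway private CA and a Vault-style server certificate in memory (stand-ins for the enterprise CA and the real certificate; the hostnames are the hypothetical ones from the answer, and no network connection is made) and then evaluates three client configurations: no RootCaCertPath, RootCaCertPath with ServerName left empty so Host is matched, and RootCaCertPath with ServerName overridden.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names from the answer above; nothing here contacts a real Vault.
const (
	vaultHost = "corpvault.mycompany.com"       // SecretStore.Host, where the client connects
	certName  = "enterprisevault.mycompany.com" // name actually carried by Vault's TLS cert
)

// newCA builds a self-signed CA standing in for the enterprise CA that
// RootCaCertPath would point at.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// newServerCert issues a server certificate for dnsName signed by the CA.
// The name goes into the SAN list; clients no longer fall back to the CN.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert mirrors the client's post-handshake check: chain the
// presented cert to a trusted root (the PEM behind RootCaCertPath, or the
// system store when rootCAPEM is empty) and match expectedName against it
// (ServerName when set, otherwise Host).
func verifyServerCert(server *x509.Certificate, rootCAPEM []byte, expectedName string) error {
	opts := x509.VerifyOptions{DNSName: expectedName}
	if len(rootCAPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(rootCAPEM) {
			return errors.New("RootCaCertPath contains no CERTIFICATE block")
		}
		opts.Roots = pool
	}
	_, err := server.Verify(opts)
	return err
}

// IsHostnameMismatch distinguishes a name mismatch from a trust failure.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// Results holds the outcome of the three client configurations.
type Results struct {
	NoRootCA       error // RootCaCertPath = "", ServerName = certName: untrusted issuer
	HostOnly       error // RootCaCertPath set, ServerName = "": Host is matched, mismatch
	WithServerName error // RootCaCertPath set, ServerName = certName: succeeds
}

// Run generates the certificates and evaluates the three configurations.
func Run() (Results, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return Results{}, err
	}
	server, err := newServerCert(ca, caKey, certName)
	if err != nil {
		return Results{}, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	return Results{
		NoRootCA:       verifyServerCert(server, nil, certName),
		HostOnly:       verifyServerCert(server, caPEM, vaultHost),
		WithServerName: verifyServerCert(server, caPEM, certName),
	}, nil
}

func main() {
	r, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Println("no RootCaCertPath:          ", r.NoRootCA)
	fmt.Println("CA set, ServerName empty:   ", r.HostOnly)
	fmt.Println("CA set, ServerName override:", r.WithServerName)
}
```

The first case fails because a private CA is never in the system trust store, which is what RootCaCertPath fixes; the second fails with a hostname error because, with ServerName empty, the client compares Host against the certificate's SANs; only the third passes. When you carry these four values into docker-compose as environment overrides, the Jakarta compose files already use the SECRETSTORE_HOST and SECRETSTORE_PORT form for this section; the same pattern for the other keys (for instance SECRETSTORE_ROOTCACERTPATH) is an assumption here, so check the variable names against your compose file.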
Hi all,
I am using Edgex Foundry Jakarta and I am trying to enable TLS on edgex-vault. I added certificates for vault and enabled TLS in config. What is the best way to configure other containers to use https and certificates to connect to vault?