Vault with Consul

Hi all, my aim is to register and configure Vault, the secret store of EdgeX, with Consul on the UI. To achieve this, I am doing the following steps. (While doing so I am facing errors; if anything needs to change or you have any suggestions, I request you all to inform me.)

STEP 1: Running redis server using command:
redis-server redis.conf

STEP 2: Running the consul server:

The below are the configuration files that I have included under consul,
rakshitha@xxx:~/edgex_security/consul/config$ ls
00-consul.json 01-redis.json 02-kong-db.json 02-kong.json 02-kong-migrations.json 02-security-secretstore-setup.json

The below is the configuration file of consul,
rakshitha@xxx:~/edgex_security/consul/config$ vi 00-consul.json

{
  "enable_local_script_checks": true,
  "disable_update_check": true,
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true
  }
}

The below is the command I use to run the consul server:

rakshitha@xxx:~/edgex_security/consul$ consul agent -node=system1 -ui -bootstrap -server -client 10.168.2.71 -advertise 10.168.2.71 -data-dir ./ -config-dir config/

The below is the output I get when the server is started to run,

==> Starting Consul agent...
Version: '1.10.0-dev'
Node ID: '55b67862-f698-c592-5b0f-72b7652602f0'
Node name: 'system1'
Datacenter: 'dc1' (Segment: '')
Server: true (Bootstrap: true)
Client Addr: [10.168.2.71] (HTTP: 8500, HTTPS: -1, xDS: -1, DNS: 8600)
Cluster Addr: 10.168.2.71 (LAN: 8301, WAN: 8302)
Encrypt: Gossip: false, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false

==> Log data will now stream in as it occurs:

2021-08-19T11:38:53.446+0530 [WARN] agent: bootstrap = true: do not enable unless necessary
2021-08-19T11:38:53.456+0530 [WARN] agent.auto_config: bootstrap = true: do not enable unless necessary
2021-08-19T11:38:53.538+0530 [INFO] agent.server.raft: initial configuration: index=1 servers="[{Suffrage:Voter ID:55b67862-f698-c592-5b0f-72b7652602f0 Address:10.168.2.71:8300}]"
2021-08-19T11:38:53.538+0530 [INFO] agent.server.raft: entering follower state: follower="Node at 10.168.2.71:8300 [Follower]" leader=
2021-08-19T11:38:53.539+0530 [INFO] agent.server.serf.wan: serf: EventMemberJoin: system1.dc1 10.168.2.71
2021-08-19T11:38:53.539+0530 [WARN] agent.server.serf.wan: serf: Failed to re-join any previously known node
2021-08-19T11:38:53.541+0530 [INFO] agent.server.serf.lan: serf: EventMemberJoin: system1 10.168.2.71
2021-08-19T11:38:53.541+0530 [INFO] agent.router: Initializing LAN area manager
2021-08-19T11:38:53.543+0530 [INFO] agent: Started DNS server: address=10.168.2.71:8600 network=udp
2021-08-19T11:38:53.543+0530 [WARN] agent.server.serf.lan: serf: Failed to re-join any previously known node
2021-08-19T11:38:53.543+0530 [INFO] agent.server: Adding LAN server: server="system1 (Addr: tcp/10.168.2.71:8300) (DC: dc1)"
2021-08-19T11:38:53.544+0530 [INFO] agent.server: Handled event for server in area: event=member-join server=system1.dc1 area=wan
2021-08-19T11:38:53.545+0530 [INFO] agent: Started DNS server: address=10.168.2.71:8600 network=tcp
2021-08-19T11:38:53.546+0530 [INFO] agent: Starting server: address=10.168.2.71:8500 network=tcp protocol=http
2021-08-19T11:38:53.546+0530 [WARN] agent: DEPRECATED Backwards compatibility with pre-1.9 metrics enabled. These metrics will be removed in a future version of Consul. Set telemetry { disable_compat_1.9 = true } to disable them.
2021-08-19T11:38:53.547+0530 [INFO] agent: started state syncer
2021-08-19T11:38:53.547+0530 [INFO] agent: Consul agent running!
2021-08-19T11:38:53.799+0530 [WARN] agent: Check is now critical: check=service:kong-migrations
2021-08-19T11:38:54.106+0530 [WARN] agent: Check is now critical: check=service:kong-db
2021-08-19T11:38:54.454+0530 [WARN] agent: Check is now critical: check=service:kong
2021-08-19T11:38:54.800+0530 [WARN] agent: Check is now critical: check=service:kong-migrations
2021-08-19T11:38:55.109+0530 [WARN] agent: Check is now critical: check=service:kong-db
2021-08-19T11:38:55.455+0530 [WARN] agent: Check is now critical: check=service:kong
2021-08-19T11:38:55.803+0530 [WARN] agent: Check is now critical: check=service:kong-migrations
2021-08-19T11:38:56.112+0530 [WARN] agent: Check is now critical: check=service:kong-db
2021-08-19T11:38:56.457+0530 [WARN] agent: Check is now critical: check=service:kong
2021-08-19T11:38:56.806+0530 [WARN] agent: Check is now critical: check=service:kong-migrations
2021-08-19T11:38:57.115+0530 [WARN] agent: Check is now critical: check=service:kong-db
2021-08-19T11:38:57.459+0530 [WARN] agent: Check is now critical: check=service:kong
2021-08-19T11:38:57.811+0530 [WARN] agent: Check is now critical: check=service:kong-migrations
2021-08-19T11:38:58.118+0530 [WARN] agent: Check is now critical: check=service:kong-db
2021-08-19T11:38:58.460+0530 [WARN] agent: Check is now critical: check=service:kong
2021-08-19T11:38:58.815+0530 [WARN] agent: Check is now critical: check=servic

STEP 3: Did generate, cache and import as per the README provided in security-secrets-setup, and got the certificates.

STEP 4: Running the Vault server:

The below are the configuration files that have been included under vault,

rakshitha@xxx:~/edgex_security/edgex-go-1.3.0/cmd/security-secrets-setup/res$ ls
configuration.toml local-tls.hcl pkisetup-kong.json pkisetup-vault.json

The below are the changes made to the configuration file of vault,
rakshitha@xxx:~/edgex_security/edgex-go-1.3.0/cmd/security-secrets-setup/res$ vi local-tls.hcl

listener "tcp" {
  address            = "10.168.2.71:8200"
  tls_disable        = "0"
  cluster_address    = "10.168.2.71:8201"
  tls_min_version    = "tls12"
  tls_client_ca_file = "/tmp/edgex/secrets/ca/ca.pem"
  tls_cert_file      = "/tmp/edgex/secrets/edgex-vault/ca.pem"
  tls_key_file       = "/tmp/edgex/secrets/edgex-vault/server.key"
}

backend "consul" {
  path          = "vault/"
  address       = "10.168.2.71:8500"
  scheme        = "http"
  redirect_addr = "https://10.168.2.71:8200"
  cluster_addr  = "https://10.168.2.71:8201"
}

default_lease_ttl = "168h"
max_lease_ttl     = "720h"

NOTE:

Got tls_client_ca_file, tls_cert_file and tls_key_file from the below mentioned directories:

  1. tls_client_ca_file ="/tmp/edgex/secrets/ca/ca.pem"
    rakshitha@xxx:~$ ls /tmp/edgex/secrets/ca/
    ca.pem .security-secrets-setup.complete

  2. tls_cert_file ="/tmp/edgex/secrets/edgex-vault/ca.pem"
    rakshitha@xxx:/tmp/edgex/secrets/edgex-vault$ ls
    ca.pem server.crt server.key

  3. tls_key_file = "/tmp/edgex/secrets/edgex-vault/server.key"
    rakshitha@xxx:/tmp/edgex/secrets/edgex-vault$ cd
    ca.pem server.crt server.key

The below is the command I use to run the vault server:

rakshitha@xxxx:~/edgex_security/vault$ vault server -config=vault.hcl

The below is the output I get when the server is started to run,

WARNING! Unable to read storage migration status.
2021-08-19T10:09:38.608+0530 [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=localhost,127.0.0.0/8,::1
2021-08-19T10:09:38.609+0530 [WARN] storage migration check error: error="Unexpected response code: 403"
2021-08-19T10:09:40.613+0530 [WARN] storage migration check error: error="Unexpected response code: 403"
2021-08-19T10:09:42.616+0530 [WARN] storage migration check error: error="Unexpected response code: 403"
2021-08-19T10:09:44.619+0530 [WARN] storage migration check error: error="Unexpected response code: 403"
2021-08-19T10:09:46.622+0530 [WARN] storage migration check error: error="Unexpected response code: 403"
2021-08-19T10:09:48.625+0530 [WARN] storage migration check error: error="Unexpected response code: 403"
2021-08-19T10:09:50.628+0530 [WARN] storage migration check error: error="Unexpected response code: 403"
2021-08-19T10:09:52.631+0530 [WARN] storage migration check error: error="Unexpected response code: 403"
2021-08-19T10:09:54.634+0530 [WARN] storage migration check error: error="Unexpected response code: 403"
2021-08-19T10:09:56.637+0530 [WARN] storage migration check error: error="Unexpected response code: 403"
2021-08-19T10:09:58.640+0530 [WARN] storage migration check error: error="Unexpected response code: 403"

Kindly provide me the solution for the same,
Thanks in advance.
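For reference, an added example that is not part of the original post: a Consul agent started with acl.default_policy = "deny" (as in the 00-consul.json above) answers requests that carry no ACL token with HTTP 403, which is what Vault's storage migration check reports here. The Consul ACL policy below grants Vault's Consul storage backend the access it needs, and the storage stanza shows where the resulting token goes; the policy name "vault-storage" and the token value are placeholders.

```hcl
# Added example (not from the original post). File 1: Consul ACL policy for Vault.
# Load it on the Consul server with (policy name is a placeholder):
#   consul acl policy create -name vault-storage -rules @vault-policy.hcl
#   consul acl token create -description "vault storage" -policy-name vault-storage
key_prefix "vault/" {      # the KV prefix Vault writes to; must match path = "vault/" below
  policy = "write"
}
node_prefix "" {           # node registration for the Vault service health check
  policy = "write"
}
service "vault" {          # Vault registers itself as the "vault" service
  policy = "write"
}
agent_prefix "" {          # agent API calls made by the storage backend
  policy = "write"
}
session_prefix "" {        # Consul sessions back Vault's HA lock
  policy = "write"
}

# File 2: the Consul storage stanza in the Vault server config. "storage" is the
# current name of the stanza the post writes as "backend"; both are accepted.
storage "consul" {
  address = "10.168.2.71:8500"
  path    = "vault/"
  scheme  = "http"
  # SecretID of the token created above (placeholder value); the backend also
  # reads CONSUL_HTTP_TOKEN from the environment if token is omitted here.
  token   = "<vault-consul-token-SecretID>"
}
```

Once Vault authenticates to Consul with a token that this policy covers, the 403 on the migration check goes away; any remaining errors then come from the listener or TLS setup. Note that tls_cert_file in the listener is meant to be the server's own certificate (server.crt in the directory listing above), not the CA certificate.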