NOISSUE - Vault integration as an addon #1266
Conversation
There was a problem hiding this comment.
@tritao Thanks for the contribution. @mainflux/maintainers will review and comment during this week. Did you test integration with the Provision service?
@tritao Provision service. Doc doest mention Vault, but you can see it in Certs service |
|
I didn't use the Provision service yet, however I did test Vault with the Certs service and I can successfully issue new certificates. There are some improvements to Certs service around Vault service that I want to send as another PR, however I was waiting until this one was merged, because it depends on the new Vault environment variables in Should I send Certs PR now or wait for this one? |
|
@tritao I think that this PR will be merged, but it's better to wait for the proper review so that you don't have to redo things. |
|
Updated with all feedback. Now using the official Vault image, unfortunately I could not get rid of the custom Docker image. I spent some time trying but there is a bug with docker-compose handling of relative paths when being called with multiple compose files, like: It will assume paths are relative to the root file so it breaks relative path behavior when using volumes to pass files (I tested and absolute paths worked OK). |
than you for your contribution |
The other addons have the same bug. Docker-compose will always compute relative paths relative to the the directory of the first compose file that is passed. So if you launch like this:
But if you launch like this:
Then You should be able to easily confirm this. Given this docker-compose behavior (bug?), I think a solution should be found, because right now, depending on how user launches the addons in the system, it leads to broken platform (and hard to debug problem). Potential solutions:
I think solution 1. is easiest, and good idea to have Mainflux containers for all services with all necessary files to make them self contained when deploying. If you want to me change this as you asked to still use relative paths, I will for the sake of merging. But it's a broken design given this docker-compose behavior. |
If the only reason for the custom Docker image is multiple compose files support - I'd favor the official image over the multiple compose file support. Just mention it somewhere in the docs, and that's it. |
I think an even more important reason is simplification of production deployments. Docker containers should be, if possible self-contained, so that an user can push them to an organization Docker registry, and from a production machine, either using an orchestrator like Nomad or Kubernetes, or just using docker-compose, pull them from the registry and If the containers are not self-contained, then a separate system for uploading (and rollback, if necessary) the necessary support files will be necessary. In this specific case, the shell file They can still be overridden from a If you think that is a good idea, I can add support for building the containers and pushing to registry via the Makefile system, and change other containers to work like that. If not, then I will revert this back to just using a relative file like requested. Let me know what I should do. |
|
@tritao avoid custom images. We will not be ones maintaining Vault image. Also - it is extremely beneficial to have configurable deployments, so all config files must be outside the image and mapped via Sometimes mapping config files is enough, and yes - if special scripts need to be executed, than |
@drasko Just to make it clear, there is not any custom Vault image, the PR was updated to be based from the official image based upon the initial feedback, it uses It just creates another Docker image based off the official one with the necessary files for it to work. The shell script ( Anyway, I've updated the PR to work like requested. |
dborovcanin
changed the title
Integrates Vault PKI service as a service addon. Also adds some helper scripts to help setup the CA in Vault, as well as some docs to explain how to use them. Originally based from https://github.com/mteodor/vault. Signed-off-by: Joao Matos <joao@tritao.eu>
|
Updated. |
|
Merged! Thanks @tritao for this great contribution! |
What does this do?
Integrates Vault PKI service as a service addon.
Also adds some helper scripts to help setup the CA in Vault, as well as
some docs to explain how to use them.
Originally based from https://github.com/mteodor/vault.
Signed-off-by: Joao Matos joao@tritao.eu
Which issue(s) does this PR fix/relate to?
Could be related to https://github.com/mainflux/mainflux/issues/935.
Did you document any new/modified functionality?
Yes.