feat!: Remove consul dependency

close #4985

Signed-off-by: Ginny Guan <[email protected]>

.gitignore

@@ -31,9 +31,6 @@ cmd/security-bootstrapper/security-bootstrapper
 cmd/security-proxy-auth/security-proxy-auth
 cmd/security-spiffe-token-provider/security-spiffe-token-provider
 
-internal/security/bootstrapper/command/setupacl/test1/bootstrap_token.json
-internal/security/bootstrapper/command/setupacl/test2/bootstrap_token.json
-
 docs/_build/
 
 # log dirs

cmd/core-common-config-bootstrapper/res/configuration.yaml

@@ -13,8 +13,6 @@ all-services:
         # Common Security Service Metrics
         SecuritySecretsRequested: false
         SecuritySecretsStored: false
-        SecurityConsulTokensRequested: false
-        SecurityConsulTokenDuration: false
         SecurityRuntimeSecretTokenDuration: false
         SecurityGetSecretDuration: false
 #     Tags: # Contains the service level tags to be attached to all the service's metrics

cmd/security-bootstrapper/Dockerfile

@@ -67,9 +67,6 @@ COPY --from=builder /edgex-go/cmd/security-bootstrapper/res-bootstrap-postgres/c
 # needed for bootstrapping mosquitto
 COPY --from=builder /edgex-go/cmd/security-bootstrapper/res-bootstrap-mosquitto/configuration.yaml ${BOOTSTRAP_MOSQUITTO_DIR}/res/
 
-# copy Consul ACL related configs
-COPY --from=builder /edgex-go/cmd/security-bootstrapper/consul-acl/ ${SECURITY_INIT_STAGING}/consul-bootstrapper/
-
 # setup entry point script
 COPY --from=builder /edgex-go/cmd/security-bootstrapper/entrypoint.sh /
 RUN chmod +x /entrypoint.sh

cmd/security-bootstrapper/res/configuration.yaml

@@ -13,46 +13,6 @@ StageGate:
     Host: edgex-postgres
     Port: 5432
     ReadyPort: 54323
-  Registry:  # this is intended to be the same as Registry.Host/.Port for other services
-    Host: edgex-core-keeper
-    Port: 59890
-    ReadyPort: 54324
-    ACL:
-      Protocol: http
-      # this is the filepath for the generated Consul management token from ACL bootstrap
-      BootstrapTokenPath: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json
-      # this is the filepath for the Vault token created from secretstore-setup
-      SecretsAdminTokenPath: /tmp/edgex/secrets/edgex-consul/admin/token.json
-      # this is the filepath for the sentinel file to indicate the registry ACL is set up successfully
-      SentinelFilePath: /edgex-init/consul-bootstrapper/consul_acl_done
-      # this is the filepath for the created Consul management token
-      ManagementTokenPath: /tmp/edgex/secrets/consul-acl-token/mgmt_token.json
-
-      # this section contains the list of registry roles for EdgeX services
-      # the service keys are the role names
-      Roles:
-        app-rules-engine:
-          Description: role for application service of rules engine
-        core-data:
-          Description: role for coredata
-        core-metadata:
-          Description: role for metadata
-        core-command:
-          Description: role for command
-        core-common-config-bootstrapper:
-          Description: role for common config
-        support-notifications:
-          Description: role for notifications
-        support-cron-scheduler:
-          Description: role for cron-scheduler
-        device-virtual:
-          Description: role for device virtual service
-        device-rest:
-          Description: role for device rest service
-        security-proxy-auth:
-          Description: role for NGINX auth proxy backend service
-        security-spiffe-token-provider:
-          Description: role for device security-spiffe-token-provider service
   WaitFor:
     Timeout: 10s
     RetryInterval: 1s

cmd/security-proxy-setup/entrypoint.sh

@@ -294,17 +294,6 @@ server {
       auth_request_set   \$auth_status \$upstream_status;
     }
 
-    # Note: Consul implements its own authentication mechanism (only allow API, /v1, through)
-    set \$upstream_core_consul edgex-core-consul;
-    location /consul/v1 {
-`cat "${corssnippet}"`
-      rewrite            /consul/(.*) /\$1 break;
-      resolver           127.0.0.11 valid=30s;
-      proxy_pass         http://\$upstream_core_consul:8500;
-      proxy_redirect     off;
-      proxy_set_header   Host \$host;
-    }
-
     # Note: OpenBao login API does not require authentication at the gateway for obvious reasons
     set \$upstream_secret_store edgex-secret-store;
     location /vault/v1/auth/userpass/login {

cmd/security-secretstore-setup/res/configuration.yaml

@@ -37,7 +37,6 @@ SecretStore:
   PasswordProvider: ""
   PasswordProviderArgs: []
   RevokeRootTokens: true
-  ConsulSecretsAdminTokenPath: /tmp/edgex/secrets/edgex-consul/admin/token.json
 Database:
   Host: "localhost"
   Port: 5432

go.mod

@@ -5,10 +5,10 @@ go 1.23
 require (
 	github.com/eclipse/paho.mqtt.golang v1.5.0
 	github.com/edgexfoundry/go-mod-bootstrap/v4 v4.0.0-dev.1
-	github.com/edgexfoundry/go-mod-configuration/v4 v4.0.0-dev.1
+	github.com/edgexfoundry/go-mod-configuration/v4 v4.0.0-dev.2
 	github.com/edgexfoundry/go-mod-core-contracts/v4 v4.0.0-dev.2
-	github.com/edgexfoundry/go-mod-messaging/v4 v4.0.0-dev.2
-	github.com/edgexfoundry/go-mod-secrets/v4 v4.0.0-dev.1
+	github.com/edgexfoundry/go-mod-messaging/v4 v4.0.0-dev.3
+	github.com/edgexfoundry/go-mod-secrets/v4 v4.0.0-dev.2
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/go-co-op/gocron/v2 v2.12.1
 	github.com/gomodule/redigo v1.9.2
@@ -22,7 +22,6 @@ require (
 	github.com/spiffe/go-spiffe/v2 v2.4.0
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/crypto v0.28.0
-	gopkg.in/eapache/queue.v1 v1.1.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 

go.sum

@@ -86,16 +86,16 @@ github.com/eclipse/paho.mqtt.golang v1.5.0 h1:EH+bUVJNgttidWFkLLVKaQPGmkTUfQQqjO
 github.com/eclipse/paho.mqtt.golang v1.5.0/go.mod h1:du/2qNQVqJf/Sqs4MEL77kR8QTqANF7XU7Fk0aOTAgk=
 github.com/edgexfoundry/go-mod-bootstrap/v4 v4.0.0-dev.1 h1:9uiZON4CDOVAZNNawtncvfX4Abgz31r8QcOVEWvlUD4=
 github.com/edgexfoundry/go-mod-bootstrap/v4 v4.0.0-dev.1/go.mod h1:OJdeMt2HyzMZZyKy89ICwGu4Ui7ddWd+dQXGMJTAmYk=
-github.com/edgexfoundry/go-mod-configuration/v4 v4.0.0-dev.1 h1:eWcDmVFwkFSmlrD745lZQ6xs+ZKJ9u6TqNUnXuWJ5AY=
-github.com/edgexfoundry/go-mod-configuration/v4 v4.0.0-dev.1/go.mod h1:AHvE7RQJabfMVHXCDDDKhg3hzJNQtUqbyB9yJxv2Qbk=
+github.com/edgexfoundry/go-mod-configuration/v4 v4.0.0-dev.2 h1:+2vvWRPrkW22si9RhNjWzrNZso5CVgiHWVOieht3p/Y=
+github.com/edgexfoundry/go-mod-configuration/v4 v4.0.0-dev.2/go.mod h1:AHvE7RQJabfMVHXCDDDKhg3hzJNQtUqbyB9yJxv2Qbk=
 github.com/edgexfoundry/go-mod-core-contracts/v4 v4.0.0-dev.2 h1:BEJKSvyW+dMTW/yzEKWjs0tGUZnMkFPYX4eypyoG0IY=
 github.com/edgexfoundry/go-mod-core-contracts/v4 v4.0.0-dev.2/go.mod h1:I3EG+Tg/gcVSUJ+IJDuvVKFISnRu8oQtMXqltE1rzT8=
-github.com/edgexfoundry/go-mod-messaging/v4 v4.0.0-dev.2 h1:2zRS7LTEoucQmAkZ33b/Erw13ne1LoxexPhhHGa065Q=
-github.com/edgexfoundry/go-mod-messaging/v4 v4.0.0-dev.2/go.mod h1:eAmCHilZWXL0skB9Frnm2kZTeY81sF6xKOmePoWKTNE=
+github.com/edgexfoundry/go-mod-messaging/v4 v4.0.0-dev.3 h1:FRpec371q4CnRBol0E4utB0BHZLVu146JtCAhau9ujQ=
+github.com/edgexfoundry/go-mod-messaging/v4 v4.0.0-dev.3/go.mod h1:eAmCHilZWXL0skB9Frnm2kZTeY81sF6xKOmePoWKTNE=
 github.com/edgexfoundry/go-mod-registry/v4 v4.0.0-dev.1 h1:/CrP00ozrLjMR0R9OTSJlQi5zJ7/9IKnfG0zS2ZN+8U=
 github.com/edgexfoundry/go-mod-registry/v4 v4.0.0-dev.1/go.mod h1:YgkZ1ThNEEXPzC2iu3/53QcrDQ3tlQHlflnjb3Jseo8=
-github.com/edgexfoundry/go-mod-secrets/v4 v4.0.0-dev.1 h1:lw9GNOujQhqnPMJko6n9BGU9Pu3P9RPUQYCT5GpoSw0=
-github.com/edgexfoundry/go-mod-secrets/v4 v4.0.0-dev.1/go.mod h1:p6RbhVfJ/SNBLYlz8P/v6kOJmj5Zz1In5/T3TSXylO4=
+github.com/edgexfoundry/go-mod-secrets/v4 v4.0.0-dev.2 h1:7/LBHTVLEefUgcUwSEa4ThRLgCwM9BCTjagkbAVfAXE=
+github.com/edgexfoundry/go-mod-secrets/v4 v4.0.0-dev.2/go.mod h1:U5jvaSj2QQSqosfNPEPuTvSS1vgTkAAeLmjKtfcvxJ0=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -1010,8 +1010,6 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/eapache/queue.v1 v1.1.0 h1:EldqoJEGtXYiVCMRo2C9mePO2UUGnYn2+qLmlQSqPdc=
-gopkg.in/eapache/queue.v1 v1.1.0/go.mod h1:wNtmx1/O7kZSR9zNT1TTOJ7GLpm3Vn7srzlfylFbQwU=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=

internal/core/common_config/main.go

@@ -205,7 +205,7 @@ func pushConfiguration(lc logger.LoggingClient, yamlFile string, configClient co
 
 	for _, k := range keys {
 		v := kv[k]
-		// Push key/value into Consul if it is not empty
+		// Push key/value into Configuration Provider if it is not empty
 		if v != nil {
 			err = configClient.PutConfigurationValue(k, []byte(fmt.Sprint(v)))
 		}

internal/security/bootstrapper/command/cmd_dispatcher.go

@@ -24,7 +24,6 @@ import (
 	"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/command/genpassword"
 	"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/command/gethttpstatus"
 	"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/command/listen"
-	"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/command/setupacl"
 	"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/command/waitfor"
 	"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/config"
 	"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/interfaces"
@@ -44,8 +43,8 @@ func NewCommand(
 	var err error
 
 	if len(args) < 1 {
-		return nil, fmt.Errorf("subcommand required (%s, %s, %s, %s, %s, %s)", gate.CommandName, listen.CommandName,
-			gethttpstatus.CommandName, genpassword.CommandName, waitfor.CommandName, setupacl.CommandName)
+		return nil, fmt.Errorf("subcommand required (%s, %s, %s, %s, %s)", gate.CommandName, listen.CommandName,
+			gethttpstatus.CommandName, genpassword.CommandName, waitfor.CommandName)
 	}
 
 	commandName := args[0]
@@ -61,8 +60,6 @@ func NewCommand(
 		command, err = genpassword.NewCommand(ctx, wg, lc, configuration, args[1:])
 	case waitfor.CommandName:
 		command, err = waitfor.NewCommand(ctx, wg, lc, configuration, args[1:])
-	case setupacl.CommandName:
-		command, err = setupacl.NewCommand(ctx, wg, lc, configuration, args[1:])
 	default:
 		command = nil
 		err = fmt.Errorf("unsupported command %s", commandName)

internal/security/bootstrapper/command/cmd_dispatcher_test.go

@@ -52,7 +52,6 @@ func TestNewCommand(t *testing.T) {
 		{"Good: genPassword command", []string{"genPassword"}, "genPassword", false},
 		{"Good: getHttpStatus command", []string{"getHttpStatus", "--url=http://localhost:55555"}, "getHttpStatus", false},
 		{"Good: waitFor command", []string{"waitFor", "--uri=http://localhost:55555"}, "waitFor", false},
-		{"Good: setupRegistryACL command", []string{"setupRegistryACL"}, "setupRegistryACL", false},
 		{"Bad: unknown command", []string{"unknown"}, "", true},
 		{"Bad: empty command", []string{}, "", true},
 		{"Bad: listenTcp command missing required --port", []string{"listenTcp"}, "", true},

internal/security/bootstrapper/command/flags_common.go

@@ -117,7 +117,6 @@ func HelpCallback() {
 			"    getHttpStatus     Do an HTTP GET call to get the status code\n"+
 			"    help              Show available commands (this text)\n"+
 			"    listenTcp         Start up a TCP listener\n"+
-			"    setupRegistryACL  Set up registry's ACL and configure the access\n"+
 			"    waitFor           Wait for the other services with specified URI(s) to connect:\n"+
 			"                      the URI(s) can be communication protocols like tcp/tcp4/tcp6/http/https or files\n",
 		os.Args[0])

internal/security/bootstrapper/command/gate/command.go

@@ -33,8 +33,6 @@ import (
 const (
 	// the command name for gating the stages of bootstrapping on other services for security
 	CommandName string = "gate"
-
-	consulRegistryHostName = "edgex-core-consul"
 )
 
 type cmd struct {
@@ -86,18 +84,6 @@ func (c *cmd) Execute() (statusCode int, err error) {
 
 	// wait on for others to be done: each of tcp dialers is a blocking call
 	c.loggingClient.Debug("Waiting on dependent semaphores required to raise the ready-to-run semaphore ...")
-	// only wait when stage gate registry host is edgex-core-consul
-	if c.config.StageGate.Registry.Host == consulRegistryHostName {
-		if err := tcp.DialTcp(
-			c.config.StageGate.Registry.Host,
-			c.config.StageGate.Registry.ReadyPort,
-			c.loggingClient); err != nil {
-			retErr := fmt.Errorf("found error while waiting for readiness of Registry at %s:%d, err: %v",
-				c.config.StageGate.Registry.Host, c.config.StageGate.Registry.ReadyPort, err)
-			return interfaces.StatusCodeExitWithError, retErr
-		}
-		c.loggingClient.Info("Registry is ready")
-	}
 
 	if err := tcp.DialTcp(
 		c.config.StageGate.Database.Host,

internal/security/bootstrapper/command/gate/command_test.go

@@ -131,11 +131,6 @@ func setupMockServiceConfigs(testConf *testConfig) *config.ConfigurationStruct {
 			Host:      testConf.testHost,
 			StartPort: testConf.bootstrapperStartPort,
 		},
-		Registry: config.RegistryInfo{
-			Host:      testConf.testHost,
-			Port:      12001,
-			ReadyPort: testConf.registryReadyPort,
-		},
 		Database: config.DatabaseInfo{
 			Host:      testConf.testHost,
 			Port:      12002,