Upgrade secrets-config snap options wrapper about edgex-snap-hooks HOT 1 CLOSED

It is no longer possible to implement the ability to create users by their public key (via apps.secrets-config.proxy.admin.public-key option). The new secrets-config CLI only allows generation of users with system-generated passwords.

apps.secrets-config.proxy.tls.snis is no longer supported.

For the remaining apps.secrets-config.proxy.tls.cert and apps.secrets-config.proxy.tls.key, a simpler solution is to directly replace the nginx files. This can be done either:

• manually followed by reloading nginx
• via a Snap content interface. In this case, if the provider snap is connected after nginx startup, an nginx reload is required. If the provider snap is connected beforehands, nginx would start with the replaced key and certificate.

Overview of the nginx files:

sudo tree /var/snap/edgexfoundry/current/nginx/
/var/snap/edgexfoundry/current/nginx/
├── conf.d
│   ├── edgex-custom-rewrites.inc
│   └── edgex-default.conf
├── nginx.conf
├── nginx.crt
└── nginx.key

1 directory, 5 files

The path to private key and certificate are set in /var/snap/edgexfoundry/current/nginx/conf.d/edgex-default.conf:

...
server {
    listen 127.0.0.1:8000;  # Snap listen insecure on localhost only
    listen 8443 ssl;

    ssl_certificate "/var/snap/edgexfoundry/current/nginx/nginx.crt";
    ssl_certificate_key "/var/snap/edgexfoundry/current/nginx/nginx.key";
    ssl_session_tickets off;

I will close this issue in favor of removing the secrets-config wrappers. The triggering of CLI commands via snap options is a complicated solution involving a conditional configuration logic because these are applied after services start rather than before like all config options. Moreover, it involves state management because we don't want to replace the files every time a snap option is changed. We do the state management right now with the help of a semaphore file.

from edgex-snap-hooks.