The secret store is a central repository in which secrets, such as tokens, passwords and certificates, can be stored.
Edge Xpert uses HashiCorp Vault to allow secure access to the secret store.
The Secret Store deployment consists of the following:
| Component | Description |
|---|---|
| Vault | The Vault service |
| SecretStore Setup | A service to unseal and initialize Vault. During initialization, a client token is created for each Edge Xpert microservice; any microservice started in secure mode can use its token to access Vault. |
The Vault service is started when either the --secret or the --api-gateway option is used with the edgexpert up command.
To access the Vault user interface, complete the following steps:
Open a browser
Enter the following URL in the Address Bar of the browser:
The token to use when signing into Vault can be found in /tmp/edgex/secrets/security-secretstore-setup/secrets-token.json.
For further information on Vault, refer to the Secret Store topic of the EdgeX Foundry documentation.
Add a Port Mapping to Allow Access to Vault
In Edge Xpert, the port for accessing Vault is hidden for security reasons. To access Vault and add the certificate and key as secrets, you must update the /etc/edgexpert/docker-compose-security.yaml file.
To allow access to Vault, complete the following steps:
Edit the docker-compose-security.yaml file, as described in Using a Local Docker Compose File
Add the port mapping for vault to the vault section of the docker-compose-security.yaml file, as follows:
  vault:
    hostname: edgex-vault
    ports:
      - "8200:8200/tcp"
    environment:
      VAULT_UI: "true"
Save the file
Start the Edge Xpert services from the directory containing your local docker-compose-security.yaml file
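As an added example (not part of the Edge Xpert documentation or product code), the following Python script reads the token from secrets-token.json and writes a certificate and key to Vault over the port mapping added above. It assumes the token file is a Vault token-create response (token in auth.client_token, with a top-level root_token also accepted), that Vault answers on http://localhost:8200, and that a KV v1 secrets engine is mounted at secret/; the secret path and the cert/key field names are placeholders.

```python
"""Added example: use the Edge Xpert Vault token to store a certificate and key as secrets."""
import json
import urllib.request
from pathlib import Path

# Assumptions: Vault is reachable through the 8200:8200 mapping added above, and
# the token file is the one named in the docs (a Vault token-create response).
VAULT_ADDR = "http://localhost:8200"
TOKEN_FILE = "/tmp/edgex/secrets/security-secretstore-setup/secrets-token.json"


def parse_vault_token(text):
    """Return the token from token-file JSON: auth.client_token, or a top-level root_token."""
    data = json.loads(text)
    token = (data.get("auth") or {}).get("client_token") or data.get("root_token")
    if not token:
        raise ValueError("no Vault token found in token file")
    return token


def load_vault_token(path=TOKEN_FILE):
    """Read and parse the token file written by security-secretstore-setup."""
    return parse_vault_token(Path(path).read_text())


def build_request(method, api_path, token, body=None, vault_addr=VAULT_ADDR):
    """Build a Vault HTTP API request authenticated with the X-Vault-Token header."""
    payload = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        f"{vault_addr}/v1/{api_path.lstrip('/')}", data=payload, method=method
    )
    req.add_header("X-Vault-Token", token)
    if payload is not None:
        req.add_header("Content-Type", "application/json")
    return req


def store_tls_secret(cert_path, key_path, secret_path="secret/edgex/tls", token_file=TOKEN_FILE):
    """Write the PEM certificate and key as one KV v1 secret; Vault returns HTTP 204 on success.

    The secret path and the 'cert'/'key' field names are placeholders: use the path
    and keys that the consuming Edge Xpert service expects.
    """
    body = {"cert": Path(cert_path).read_text(), "key": Path(key_path).read_text()}
    req = build_request("POST", secret_path, load_vault_token(token_file), body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```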