diff --git a/compose-builder/Makefile b/compose-builder/Makefile index 2ec31ac..9430cbf 100644 --- a/compose-builder/Makefile +++ b/compose-builder/Makefile @@ -1,6 +1,6 @@ # /******************************************************************************* # * Copyright 2023 Intel -# * Copyright 2024 IOTech Ltd +# * Copyright 2024-2025 IOTech Ltd # * # * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except # * in compliance with the License. You may obtain a copy of the License at @@ -802,7 +802,7 @@ ifeq (no-secty, $(filter no-secty,$(ARGS))) COMPOSE_FILES:=$(COMPOSE_FILES) -f add-mqtt-messagebus.yml -f ${BROKER_YAML} endif else - COMPOSE_FILES:=$(COMPOSE_FILES) -f add-security.yml -f add-postgres.yml -f add-secure-postgres.yml + COMPOSE_FILES:=$(COMPOSE_FILES) -f add-security.yml -f add-secure-postgres.yml ifeq ($(BUS),) # if BUS not set, then we are using secure mqtt messagebus by default IS_MQTT_BUS:=1 @@ -845,7 +845,6 @@ ifeq (taf-secty, $(filter taf-secty,$(ARGS))) -f add-mqtt-messagebus.yml \ -f add-secure-mqtt-messagebus.yml \ -f add-secure-mqtt-broker.yml \ - -f add-postgres.yml \ -f add-secure-postgres.yml asc_http_export_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" ./gen_secure_compose_ext.sh app-http-export \ @@ -920,7 +919,6 @@ else -f ${BROKER_YAML} \ -f ${TAF_BROKER_YAML} \ -f add-delayed-start-services.yml \ - -f add-postgres.yml \ -f add-secure-postgres.yml asc_mqtt_export_ext:= $(shell ZERO_TRUST="$(MAKE_ZERO_TRUST)" GEN_EXT_DIR="$(GEN_EXT_DIR)" IS_MQTT_BUS="0" ./gen_secure_compose_ext.sh app-mqtt-export \ @@ -994,7 +992,7 @@ define COMPOSE_DOWN -f add-security-proxy.yml \ -f add-delayed-start-services.yml \ -f add-postgres.yml \ - -f add-secure-postgres.yml + -f add-secure-postgres.yml \ down $1 endef diff --git a/compose-builder/add-secure-postgres.yml b/compose-builder/add-secure-postgres.yml index 2109354..84bd482 100644 --- a/compose-builder/add-secure-postgres.yml 
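Review bot: `COMPOSE_DOWN` at @@ -994 still passes `-f add-postgres.yml \` alongside `-f add-secure-postgres.yml`, while the secure `up` file lists at @@ -802, @@ -845 and @@ -920 drop add-postgres.yml in this same commit. `down` tolerates an extra file, but the two lists have now diverged, so a later edit to add-postgres.yml changes what `down` merges without touching what `up` merges. If the define is meant to name every file either mode can use so that `down` catches everything, say so with a comment such as `# lists every optional file so down works regardless of which mode was started`; otherwise remove `-f add-postgres.yml \` here too. The `define COMPOSE_DOWN` block starts before the hunk.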
+++ b/compose-builder/add-secure-postgres.yml @@ -1,5 +1,5 @@ # /******************************************************************************* -# * Copyright 2024 IOTech Ltd +# * Copyright 2024-2025 IOTech Ltd # * # * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except # * in compliance with the License. You may obtain a copy of the License at @@ -19,18 +19,31 @@ volumes: services: database: entrypoint: ["/edgex-init/postgres_wait_install.sh"] + image: postgres:${POSTGRES_VERSION} + ports: + - "127.0.0.1:5432:5432" + container_name: edgex-postgres + hostname: edgex-postgres + read_only: true + restart: always + networks: + - edgex-network env_file: - common-security.env - common-sec-stage-gate.env environment: DATABASECONFIG_PATH: /tmp/postgres-init-scripts DATABASECONFIG_NAME: create-users.sh + POSTGRES_DB: edgex_db + security_opt: + - no-new-privileges:true tmpfs: - /run - /tmp volumes: + - /etc/localtime:/etc/localtime:ro - edgex-init:/edgex-init:ro - - postgres-data:/var/lib/postgresql/data + - db-data:/var/lib/postgresql/data - /tmp/edgex/secrets/security-bootstrapper-postgres:/tmp/edgex/secrets/security-bootstrapper-postgres:ro,z depends_on: - security-bootstrapper diff --git a/docker-compose-arm64.yml b/docker-compose-arm64.yml index a95fc62..6fe0b3d 100644 --- a/docker-compose-arm64.yml +++ b/docker-compose-arm64.yml @@ -489,7 +489,6 @@ services: DATABASECONFIG_PATH: /tmp/postgres-init-scripts EDGEX_SECURITY_SECRET_STORE: "true" POSTGRES_DB: edgex_db - POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
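Review bot: Renaming the data volume from `postgres-data` to `db-data` on the `database` service means an existing deployment comes up with an empty database: the old `edgex_postgres-data` volume is left behind and nothing in this diff migrates it or explains the rename. A comment next to the mount would help, e.g. `# volume renamed from postgres-data; existing edgex_postgres-data volumes are not migrated automatically`, and a release note should say the same. The rename lands in every generated compose file (the volume hunks on L3–L12), so the explanation belongs here in the builder source. It is also worth confirming that the secure `database` service needs no `POSTGRES_PASSWORD` at all now that the generated files drop the hard-coded `postgres` value; I infer the credential comes from the `security-bootstrapper-postgres` secrets mount, but nothing in the hunk states it.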
@@ -529,15 +528,15 @@ services: read_only: true bind: create_host_path: true - - type: volume - source: postgres-data - target: /var/lib/postgresql/data - volume: {} - type: volume source: edgex-init target: /edgex-init read_only: true volume: {} + - type: volume + source: db-data + target: /var/lib/postgresql/data + volume: {} - type: bind source: /tmp/edgex/secrets/security-bootstrapper-postgres target: /tmp/edgex/secrets/security-bootstrapper-postgres @@ -889,7 +888,7 @@ services: deploy: resources: limits: - memory: "2108837330944" + memory: "6353502339072" entrypoint: - /edgex-init/secretstore_wait_install.sh environment: @@ -913,7 +912,7 @@ services: STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-secret-store image: openbao/openbao:2.1 - memswap_limit: "2108837330944" + memswap_limit: "6353502339072" networks: edgex-network: null ports: @@ -1372,6 +1371,8 @@ networks: name: edgex_edgex-network driver: bridge volumes: + db-data: + name: edgex_db-data edgex-init: name: edgex_edgex-init kuiper-connections: @@ -1390,8 +1391,6 @@ volumes: name: edgex_nginx-templates nginx-tls: name: edgex_nginx-tls - postgres-data: - name: edgex_postgres-data secret-store-config: name: edgex_secret-store-config secret-store-file: diff --git a/docker-compose-with-app-sample-arm64.yml b/docker-compose-with-app-sample-arm64.yml index 3f9a8d1..bcb3e5d 100644 --- a/docker-compose-with-app-sample-arm64.yml +++ b/docker-compose-with-app-sample-arm64.yml @@ -566,7 +566,6 @@ services: DATABASECONFIG_PATH: /tmp/postgres-init-scripts EDGEX_SECURITY_SECRET_STORE: "true" POSTGRES_DB: edgex_db - POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
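Review bot: The `memory` and `memswap_limit` values on the `edgex-secret-store` service change from `"2108837330944"` to `"6353502339072"` at @@ -889 and @@ -913 with no corresponding change in compose-builder in this diff, which suggests the limit is derived from whatever host ran the generator rather than from a pinned setting. A regenerated artifact that silently encodes the build machine's resources is neither reproducible nor a meaningful limit on a smaller host. If the builder source computes this from the host, replace it with an explicit value (or drop the limit) so regenerated files are stable; the same pair of hunks appears in every generated compose file on L4–L12.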
@@ -606,15 +605,15 @@ services: read_only: true bind: create_host_path: true - - type: volume - source: postgres-data - target: /var/lib/postgresql/data - volume: {} - type: volume source: edgex-init target: /edgex-init read_only: true volume: {} + - type: volume + source: db-data + target: /var/lib/postgresql/data + volume: {} - type: bind source: /tmp/edgex/secrets/security-bootstrapper-postgres target: /tmp/edgex/secrets/security-bootstrapper-postgres @@ -966,7 +965,7 @@ services: deploy: resources: limits: - memory: "2108837330944" + memory: "6353502339072" entrypoint: - /edgex-init/secretstore_wait_install.sh environment: @@ -990,7 +989,7 @@ services: STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-secret-store image: openbao/openbao:2.1 - memswap_limit: "2108837330944" + memswap_limit: "6353502339072" networks: edgex-network: null ports: @@ -1449,6 +1448,8 @@ networks: name: edgex_edgex-network driver: bridge volumes: + db-data: + name: edgex_db-data edgex-init: name: edgex_edgex-init kuiper-connections: @@ -1467,8 +1468,6 @@ volumes: name: edgex_nginx-templates nginx-tls: name: edgex_nginx-tls - postgres-data: - name: edgex_postgres-data secret-store-config: name: edgex_secret-store-config secret-store-file: diff --git a/docker-compose-with-app-sample.yml b/docker-compose-with-app-sample.yml index 91efd14..9d1c8db 100644 --- a/docker-compose-with-app-sample.yml +++ b/docker-compose-with-app-sample.yml @@ -566,7 +566,6 @@ services: DATABASECONFIG_PATH: /tmp/postgres-init-scripts EDGEX_SECURITY_SECRET_STORE: "true" POSTGRES_DB: edgex_db - POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -606,15 +605,15 @@ services: read_only: true bind: create_host_path: true - - type: volume - source: postgres-data - target: /var/lib/postgresql/data - volume: {} - type: volume source: edgex-init target: /edgex-init read_only: true volume: {} + - type: volume + source: db-data + target: /var/lib/postgresql/data + volume: {} - type: bind source: /tmp/edgex/secrets/security-bootstrapper-postgres target: /tmp/edgex/secrets/security-bootstrapper-postgres @@ -966,7 +965,7 @@ services: deploy: resources: limits: - memory: "2108837330944" + memory: "6353502339072" entrypoint: - /edgex-init/secretstore_wait_install.sh environment: @@ -990,7 +989,7 @@ services: STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-secret-store image: openbao/openbao:2.1 - memswap_limit: "2108837330944" + memswap_limit: "6353502339072" networks: edgex-network: null ports: @@ -1449,6 +1448,8 @@ networks: name: edgex_edgex-network driver: bridge volumes: + db-data: + name: edgex_db-data edgex-init: name: edgex_edgex-init kuiper-connections: @@ -1467,8 +1468,6 @@ volumes: name: edgex_nginx-templates nginx-tls: name: edgex_nginx-tls - postgres-data: - name: edgex_postgres-data secret-store-config: name: edgex_secret-store-config secret-store-file: diff --git a/docker-compose-zero-trust-arm64.yml b/docker-compose-zero-trust-arm64.yml index bc09cb5..d6724ed 100644 --- a/docker-compose-zero-trust-arm64.yml +++ b/docker-compose-zero-trust-arm64.yml @@ -477,7 +477,6 @@ services: DATABASECONFIG_PATH: /tmp/postgres-init-scripts EDGEX_SECURITY_SECRET_STORE: "true" POSTGRES_DB: edgex_db - POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -517,15 +516,15 @@ services: read_only: true bind: create_host_path: true - - type: volume - source: postgres-data - target: /var/lib/postgresql/data - volume: {} - type: volume source: edgex-init target: /edgex-init read_only: true volume: {} + - type: volume + source: db-data + target: /var/lib/postgresql/data + volume: {} - type: bind source: /tmp/edgex/secrets/security-bootstrapper-postgres target: /tmp/edgex/secrets/security-bootstrapper-postgres @@ -809,7 +808,7 @@ services: deploy: resources: limits: - memory: "2108837330944" + memory: "6353502339072" entrypoint: - /edgex-init/secretstore_wait_install.sh environment: @@ -833,7 +832,7 @@ services: STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-secret-store image: openbao/openbao:2.1 - memswap_limit: "2108837330944" + memswap_limit: "6353502339072" networks: edgex-network: null ports: @@ -1210,6 +1209,8 @@ networks: name: edgex_edgex-network driver: bridge volumes: + db-data: + name: edgex_db-data edgex-init: name: edgex_edgex-init kuiper-connections: @@ -1224,8 +1225,6 @@ volumes: name: edgex_kuiper-plugins kuiper-sources: name: edgex_kuiper-sources - postgres-data: - name: edgex_postgres-data secret-store-config: name: edgex_secret-store-config secret-store-file: diff --git a/docker-compose-zero-trust.yml b/docker-compose-zero-trust.yml index 8c29c7e..9275799 100644 --- a/docker-compose-zero-trust.yml +++ b/docker-compose-zero-trust.yml @@ -477,7 +477,6 @@ services: DATABASECONFIG_PATH: /tmp/postgres-init-scripts EDGEX_SECURITY_SECRET_STORE: "true" POSTGRES_DB: edgex_db - POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -517,15 +516,15 @@ services: read_only: true bind: create_host_path: true - - type: volume - source: postgres-data - target: /var/lib/postgresql/data - volume: {} - type: volume source: edgex-init target: /edgex-init read_only: true volume: {} + - type: volume + source: db-data + target: /var/lib/postgresql/data + volume: {} - type: bind source: /tmp/edgex/secrets/security-bootstrapper-postgres target: /tmp/edgex/secrets/security-bootstrapper-postgres @@ -809,7 +808,7 @@ services: deploy: resources: limits: - memory: "2108837330944" + memory: "6353502339072" entrypoint: - /edgex-init/secretstore_wait_install.sh environment: @@ -833,7 +832,7 @@ services: STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-secret-store image: openbao/openbao:2.1 - memswap_limit: "2108837330944" + memswap_limit: "6353502339072" networks: edgex-network: null ports: @@ -1210,6 +1209,8 @@ networks: name: edgex_edgex-network driver: bridge volumes: + db-data: + name: edgex_db-data edgex-init: name: edgex_edgex-init kuiper-connections: @@ -1224,8 +1225,6 @@ volumes: name: edgex_kuiper-plugins kuiper-sources: name: edgex_kuiper-sources - postgres-data: - name: edgex_postgres-data secret-store-config: name: edgex_secret-store-config secret-store-file: diff --git a/docker-compose.yml b/docker-compose.yml index 85393ce..97f7837 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -489,7 +489,6 @@ services: DATABASECONFIG_PATH: /tmp/postgres-init-scripts EDGEX_SECURITY_SECRET_STORE: "true" POSTGRES_DB: edgex_db - POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -529,15 +528,15 @@ services: read_only: true bind: create_host_path: true - - type: volume - source: postgres-data - target: /var/lib/postgresql/data - volume: {} - type: volume source: edgex-init target: /edgex-init read_only: true volume: {} + - type: volume + source: db-data + target: /var/lib/postgresql/data + volume: {} - type: bind source: /tmp/edgex/secrets/security-bootstrapper-postgres target: /tmp/edgex/secrets/security-bootstrapper-postgres @@ -889,7 +888,7 @@ services: deploy: resources: limits: - memory: "2108837330944" + memory: "6353502339072" entrypoint: - /edgex-init/secretstore_wait_install.sh environment: @@ -913,7 +912,7 @@ services: STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-secret-store image: openbao/openbao:2.1 - memswap_limit: "2108837330944" + memswap_limit: "6353502339072" networks: edgex-network: null ports: @@ -1372,6 +1371,8 @@ networks: name: edgex_edgex-network driver: bridge volumes: + db-data: + name: edgex_db-data edgex-init: name: edgex_edgex-init kuiper-connections: @@ -1390,8 +1391,6 @@ volumes: name: edgex_nginx-templates nginx-tls: name: edgex_nginx-tls - postgres-data: - name: edgex_postgres-data secret-store-config: name: edgex_secret-store-config secret-store-file: diff --git a/taf/docker-compose-taf-arm64.yml b/taf/docker-compose-taf-arm64.yml index bb4e551..b332dd5 100644 --- a/taf/docker-compose-taf-arm64.yml +++ b/taf/docker-compose-taf-arm64.yml @@ -955,7 +955,6 @@ services: DATABASECONFIG_PATH: /tmp/postgres-init-scripts EDGEX_SECURITY_SECRET_STORE: "true" POSTGRES_DB: edgex_db - POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -995,15 +994,15 @@ services: read_only: true bind: create_host_path: true - - type: volume - source: postgres-data - target: /var/lib/postgresql/data - volume: {} - type: volume source: edgex-init target: /edgex-init read_only: true volume: {} + - type: volume + source: db-data + target: /var/lib/postgresql/data + volume: {} - type: bind source: /tmp/edgex/secrets/security-bootstrapper-postgres target: /tmp/edgex/secrets/security-bootstrapper-postgres @@ -1616,7 +1615,7 @@ services: deploy: resources: limits: - memory: "2108837330944" + memory: "6353502339072" entrypoint: - /edgex-init/secretstore_wait_install.sh environment: @@ -1640,7 +1639,7 @@ services: STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-secret-store image: openbao/openbao:2.1 - memswap_limit: "2108837330944" + memswap_limit: "6353502339072" networks: edgex-network: null ports: @@ -2370,6 +2369,8 @@ networks: name: edgex_edgex-network driver: bridge volumes: + db-data: + name: edgex_db-data edgex-init: name: edgex_edgex-init kuiper-connections: @@ -2390,8 +2391,6 @@ volumes: name: edgex_nginx-templates nginx-tls: name: edgex_nginx-tls - postgres-data: - name: edgex_postgres-data secret-store-config: name: edgex_secret-store-config secret-store-file: diff --git a/taf/docker-compose-taf-perf-arm64.yml b/taf/docker-compose-taf-perf-arm64.yml index 816cb83..a8e4b2d 100644 --- a/taf/docker-compose-taf-perf-arm64.yml +++ b/taf/docker-compose-taf-perf-arm64.yml @@ -566,7 +566,6 @@ services: DATABASECONFIG_PATH: /tmp/postgres-init-scripts EDGEX_SECURITY_SECRET_STORE: "true" POSTGRES_DB: edgex_db - POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -606,15 +605,15 @@ services: read_only: true bind: create_host_path: true - - type: volume - source: postgres-data - target: /var/lib/postgresql/data - volume: {} - type: volume source: edgex-init target: /edgex-init read_only: true volume: {} + - type: volume + source: db-data + target: /var/lib/postgresql/data + volume: {} - type: bind source: /tmp/edgex/secrets/security-bootstrapper-postgres target: /tmp/edgex/secrets/security-bootstrapper-postgres @@ -987,7 +986,7 @@ services: deploy: resources: limits: - memory: "2108837330944" + memory: "6353502339072" entrypoint: - /edgex-init/secretstore_wait_install.sh environment: @@ -1011,7 +1010,7 @@ services: STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-secret-store image: openbao/openbao:2.1 - memswap_limit: "2108837330944" + memswap_limit: "6353502339072" networks: edgex-network: null ports: @@ -1741,6 +1740,8 @@ networks: name: edgex_edgex-network driver: bridge volumes: + db-data: + name: edgex_db-data edgex-init: name: edgex_edgex-init kuiper-connections: @@ -1759,8 +1760,6 @@ volumes: name: edgex_nginx-templates nginx-tls: name: edgex_nginx-tls - postgres-data: - name: edgex_postgres-data secret-store-config: name: edgex_secret-store-config secret-store-file: diff --git a/taf/docker-compose-taf-perf.yml b/taf/docker-compose-taf-perf.yml index fc394d2..d322788 100644 --- a/taf/docker-compose-taf-perf.yml +++ b/taf/docker-compose-taf-perf.yml @@ -566,7 +566,6 @@ services: DATABASECONFIG_PATH: /tmp/postgres-init-scripts EDGEX_SECURITY_SECRET_STORE: "true" POSTGRES_DB: edgex_db - POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -606,15 +605,15 @@ services: read_only: true bind: create_host_path: true - - type: volume - source: postgres-data - target: /var/lib/postgresql/data - volume: {} - type: volume source: edgex-init target: /edgex-init read_only: true volume: {} + - type: volume + source: db-data + target: /var/lib/postgresql/data + volume: {} - type: bind source: /tmp/edgex/secrets/security-bootstrapper-postgres target: /tmp/edgex/secrets/security-bootstrapper-postgres @@ -987,7 +986,7 @@ services: deploy: resources: limits: - memory: "2108837330944" + memory: "6353502339072" entrypoint: - /edgex-init/secretstore_wait_install.sh environment: @@ -1011,7 +1010,7 @@ services: STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-secret-store image: openbao/openbao:2.1 - memswap_limit: "2108837330944" + memswap_limit: "6353502339072" networks: edgex-network: null ports: @@ -1741,6 +1740,8 @@ networks: name: edgex_edgex-network driver: bridge volumes: + db-data: + name: edgex_db-data edgex-init: name: edgex_edgex-init kuiper-connections: @@ -1759,8 +1760,6 @@ volumes: name: edgex_nginx-templates nginx-tls: name: edgex_nginx-tls - postgres-data: - name: edgex_postgres-data secret-store-config: name: edgex_secret-store-config secret-store-file: diff --git a/taf/docker-compose-taf.yml b/taf/docker-compose-taf.yml index 82607fd..d50e616 100644 --- a/taf/docker-compose-taf.yml +++ b/taf/docker-compose-taf.yml @@ -955,7 +955,6 @@ services: DATABASECONFIG_PATH: /tmp/postgres-init-scripts EDGEX_SECURITY_SECRET_STORE: "true" POSTGRES_DB: edgex_db - POSTGRES_PASSWORD: postgres PROXY_SETUP_HOST: edgex-security-proxy-setup SECRETSTORE_HOST: edgex-secret-store STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper 
@@ -995,15 +994,15 @@ services: read_only: true bind: create_host_path: true - - type: volume - source: postgres-data - target: /var/lib/postgresql/data - volume: {} - type: volume source: edgex-init target: /edgex-init read_only: true volume: {} + - type: volume + source: db-data + target: /var/lib/postgresql/data + volume: {} - type: bind source: /tmp/edgex/secrets/security-bootstrapper-postgres target: /tmp/edgex/secrets/security-bootstrapper-postgres @@ -1616,7 +1615,7 @@ services: deploy: resources: limits: - memory: "2108837330944" + memory: "6353502339072" entrypoint: - /edgex-init/secretstore_wait_install.sh environment: @@ -1640,7 +1639,7 @@ services: STAGEGATE_WAITFOR_TIMEOUT: 60s hostname: edgex-secret-store image: openbao/openbao:2.1 - memswap_limit: "2108837330944" + memswap_limit: "6353502339072" networks: edgex-network: null ports: @@ -2370,6 +2369,8 @@ networks: name: edgex_edgex-network driver: bridge volumes: + db-data: + name: edgex_db-data edgex-init: name: edgex_edgex-init kuiper-connections: @@ -2390,8 +2391,6 @@ volumes: name: edgex_nginx-templates nginx-tls: name: edgex_nginx-tls - postgres-data: - name: edgex_postgres-data secret-store-config: name: edgex_secret-store-config secret-store-file: