feat(security): kong cert paths are now optional

The kong config options for CertPath, CertFilePath, and KeyFilePath
in configuration.toml are now optional. By default, those values
are now empty. I also cleaned up a single quote situation in the
token provider configuration.toml.

fixes: #2928

Signed-off-by: Beau Frusetta <beau.frusetta@intel.com>

cmd/security-secretstore-setup/res-file-token-provider/configuration.toml

@@ -6,7 +6,7 @@ Protocol = "http"
 Server = "edgex-vault"
 ServerName = ""
 Port = 8200
-CaFilePath = ''
+CaFilePath = ""
 
 [TokenFileProvider]
 PrivilegedTokenPath = "/run/edgex/secrets/tokenprovider/secrets-token.json"

cmd/security-secretstore-setup/res/configuration.toml

@@ -23,10 +23,10 @@ LogLevel = 'DEBUG'
 Protocol = "http"
 Server = "edgex-vault"
 Port = 8200
-CertPath = "v1/secret/edgex/edgex-security-proxy-setup/kong-tls"
+CertPath = ""
 CaFilePath = ""
-CertFilePath = "/tmp/edgex/secrets/edgex-kong/server.crt"
-KeyFilePath = "/tmp/edgex/secrets/edgex-kong/server.key"
+CertFilePath = ""
+KeyFilePath = ""
 TokenFolderPath = "/vault/config/assets"
 TokenFile = "resp-init.json"
 VaultSecretShares = 5

internal/security/secretstore/init.go

@@ -340,36 +340,45 @@ func (b *Bootstrap) BootstrapHandler(ctx context.Context, _ *sync.WaitGroup, _ s
 		os.Exit(1)
 	}
 
-	cert := NewCerts(req, configuration.SecretService.CertPath, rootToken, configuration.SecretService.GetSecretSvcBaseURL(), lc)
-	existing, err := cert.AlreadyinStore()
-	if err != nil {
-		lc.Error(err.Error())
-		os.Exit(1)
-	}
+	// Was CertPath/CertFilePath/KeyFilePath set in configuration.toml for kong/proxy?
+	if configuration.SecretService.CertPath != "" && configuration.SecretService.CertFilePath != "" && configuration.SecretService.KeyFilePath != "" {
+		// Grab the certificate & check to see if it's already in the secret store
+		cert := NewCerts(req, configuration.SecretService.CertPath, rootToken, configuration.SecretService.GetSecretSvcBaseURL(), lc)
+		existing, err := cert.AlreadyinStore()
+		if err != nil {
+			lc.Error(err.Error())
+			os.Exit(1)
+		}
 
-	if existing == true {
-		lc.Info("proxy certificate pair are in the secret store already, skip uploading")
-		return false
-	}
+		if existing {
+			lc.Info("proxy certificate pair are in the secret store already, skip uploading")
+			return false
+		}
 
-	lc.Info("proxy certificate pair are not in the secret store yet, uploading them")
-	cp, err := cert.ReadFrom(configuration.SecretService.CertFilePath, configuration.SecretService.KeyFilePath)
-	if err != nil {
-		lc.Error("failed to get certificate pair from volume")
-		os.Exit(1)
-	}
+		lc.Info("proxy certificate pair are not in the secret store yet, uploading them")
+		cp, err := cert.ReadFrom(configuration.SecretService.CertFilePath, configuration.SecretService.KeyFilePath)
+		if err != nil {
+			lc.Error("failed to get certificate pair from volume")
+			os.Exit(1)
+		}
 
-	lc.Info("proxy certificate pair are loaded from volume successfully, will upload to secret store")
+		lc.Info("proxy certificate pair are loaded from volume successfully, will upload to secret store")
 
-	err = cert.UploadToStore(cp)
-	if err != nil {
-		lc.Error("failed to upload the proxy cert pair into the secret store")
-		lc.Error(err.Error())
-		os.Exit(1)
+		err = cert.UploadToStore(cp)
+		if err != nil {
+			lc.Error("failed to upload the proxy cert pair into the secret store")
+			lc.Error(err.Error())
+			os.Exit(1)
+		}
+
+		lc.Info("proxy certificate pair are uploaded to secret store successfully")
+	} else {
+		lc.Info("proxy certificate pair upload was skipped because cert config value(s) were blank")
 	}
 
-	lc.Info("proxy certificate pair are uploaded to secret store successfully, Vault init done successfully")
+	lc.Info("Vault init done successfully")
 	return false
+
 }
 
 // XXX Collapse addServiceCredential and addDBCredential together by passing in the path or using