Introduction
ZEDEDA Store is a feature of ZEDEDA Cloud that provides an interface to your third-party storage solutions, such as HashiCorp Vault. With it, you can give your edge assets automated and secure access to your licenses, tokens, certificates, passwords, and other sensitive data. Whichever storage solutions you use, even if you have many, you can integrate and manage them all as a cohesive whole within ZEDEDA Cloud.
In ZEDEDA Store, each item of data you manage is called a resource. Each resource is categorized either as a secret or as an artifact.
- Secrets cannot be read in plain text after they have been created.
- Artifacts can be read in plain text.
All resources can be updated after they have been created.
Each store is also classified as either a secret store or an artifact store. The type of store determines the type of the resources in it. For example, when you add a resource to a secret store, that resource becomes a secret.
Note that ZEDEDA Store does not contain your resources directly. It only contains metadata about your resources. Your resources are always stored in your underlying storage solutions, such as HashiCorp Vault. The metadata that ZEDEDA Store keeps for each resource includes the following:
- expires_on
- created_on
- modified_on
- used_by_id
Because ZEDEDA Store does not directly contain your resources, your storage provider is responsible for writing, reading, encrypting, and decrypting your data. Additionally, ZEDEDA will not provision or manage your third-party storage services.
How resources are used
To use a resource, reference it in the custom configuration of one or more of your edge applications. Each application instance claims exactly one resource, and a resource can be claimed by only one instance at a time, so you must create as many copies of a resource in your store as you want instances to be able to use concurrently. When an instance of one of those applications is created, it claims one of the available resources. If all of your resources are in use, new application instances that depend on them fail to start. If an app crashes, its resource remains claimed and is used again when the app is rebooted. Only deleting the app frees its resource.
Additionally, resources can be configured to expire. If the resource claimed by a running application instance expires, that instance continues running. New application instances, however, cannot claim an expired resource and fail to boot. An expiry date does not reset when a resource is released: a resource that has expired stays unusable for new instances even after the app that held it is deleted.
You reference resources in the custom configuration section of your edge application. Use the $datastore.store-name.resource-name statement to reference one specific resource, or the $datastore.store-name.# statement to let each new instance claim the next available resource in the store. The ending ‘#’ character always resolves to the next available resource.
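The claiming rules above are easy to get wrong when sizing a store, so here is a small model of them as an added example. It is not ZEDEDA's code; it only replays the rules the page states (one claim per instance, a crash keeps the claim, only deletion releases it, expiry blocks new claims but not running instances, and expiry does not reset on release). The constructed store, dates and app instance ids are assumptions, and the page's used_by_id field is modelled as a plain string.

```python
"""Model of the resource-claiming rules described above (added example, not ZEDEDA code).

Assumptions: the app instance id recorded in the page's `used_by_id` field is a
plain string, expiry is compared by calendar date, and a resource becomes
unusable for new claims the day after `expires_on`.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# $datastore.<store-name>.<resource-name>  or  $datastore.<store-name>.#
REF = re.compile(r"^\$datastore\.([^.]+)\.([^.]+)$")


@dataclass
class Resource:
    name: str
    expires_on: Optional[date] = None
    used_by_id: Optional[str] = None  # metadata field named on the page

    def expired(self, today: date) -> bool:
        return self.expires_on is not None and today > self.expires_on


class ClaimError(Exception):
    """Raised when a new app instance cannot claim a resource (it fails to boot)."""


class Store:
    def __init__(self, name: str, resources: List[Resource]):
        self.name = name
        self.resources: Dict[str, Resource] = {r.name: r for r in resources}

    def claim(self, ref: str, app_id: str, today: date) -> Resource:
        """Resolve a custom-config reference for a *new* instance `app_id`."""
        m = REF.match(ref)
        if not m or m.group(1) != self.name:
            raise ClaimError(f"{ref!r} does not refer to store {self.name}")
        target = m.group(2)
        if target == "#":                      # next available resource
            candidates = list(self.resources.values())
        elif target in self.resources:         # one specific resource
            candidates = [self.resources[target]]
        else:
            raise ClaimError(f"no resource {target} in store {self.name}")
        for r in candidates:
            # Claimable only if unused *and* unexpired. Expiry does not reset when
            # a resource is released, so an expired resource stays unusable.
            if r.used_by_id is None and not r.expired(today):
                r.used_by_id = app_id
                return r
        raise ClaimError(f"no free, unexpired resource for {ref}; {app_id} fails to boot")

    def release(self, app_id: str) -> List[str]:
        """Free the resource(s) held by `app_id`. Only app deletion does this; a
        crash and reboot keeps the claim, so never call this on a restart."""
        freed = []
        for r in self.resources.values():
            if r.used_by_id == app_id:
                r.used_by_id = None
                freed.append(r.name)
        return freed


def try_claim(store: Store, ref: str, app_id: str, today: date) -> str:
    try:
        return f"{app_id}:{store.claim(ref, app_id, today).name}"
    except ClaimError:
        return f"{app_id}:FAIL"


def demo() -> List[str]:
    """Walk through the rules with a constructed three-license store."""
    store = Store("LICENSES-APP1", [
        Resource("LICENSE1"),
        Resource("LICENSE2", expires_on=date(2024, 6, 30)),
        Resource("LICENSE3"),
    ])
    ref = "$datastore.LICENSES-APP1.#"
    log = []
    day1 = date(2024, 6, 1)
    for app in ("app-1", "app-2", "app-3", "app-4"):
        log.append(try_claim(store, ref, app, day1))      # app-4 fails: all in use
    # app-2 crashes and reboots: no release happens, it still holds LICENSE2.
    log.append(f"after-reboot LICENSE2:{store.resources['LICENSE2'].used_by_id}")
    day2 = date(2024, 7, 1)                               # LICENSE2 has now expired
    log.append(f"after-expiry LICENSE2:{store.resources['LICENSE2'].used_by_id}")  # still held, app keeps running
    store.release("app-1")                                # app-1 deleted: LICENSE1 freed
    log.append(try_claim(store, ref, "app-5", day2))      # gets LICENSE1
    store.release("app-2")                                # app-2 deleted: LICENSE2 freed...
    log.append(try_claim(store, ref, "app-6", day2))      # ...but it is expired, so FAIL
    log.append(try_claim(store, "$datastore.LICENSES-APP1.LICENSE3", "app-7", day2))  # held by app-3: FAIL
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The practical consequence shown by the last two claims: once licenses start expiring, deleting apps does not restore capacity, so you must create fresh resources (or update the expiry with update-resource) before new instances can boot.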
Prerequisites
- You must have either the SysManager or SysAdmin role in your ZEDEDA Cloud enterprise.
- You have already onboarded an edge node to ZEDEDA Cloud.
- ZCLI is running.
Use the ZEDEDA CLI to Manage ZEDEDA Store Resources
You can create and manage ZEDEDA Store resources only with the ZCLI. You then use the ZEDEDA GUI to reference those resources in the custom configuration of edge app types.
Create a resource
zcli datastore create-resource <name> --resource-name=<resource-name> --value=<value> [--title=<title>] [--description=<description>] [--expires-on=<expires-on>]
Show a store's resource
zcli datastore show-resource [<name>] [--resource-name=<resource-name>] [--detail]
List the artifact or secret stores
zcli datastore show --dstype=(ARTIFACT-STORE:VAULT | SECRET-STORE:VAULT)
Delete a resource
zcli datastore delete-resource <name> --resource-name=<resource-name> [-f]
Update a resource
zcli datastore update-resource <name> --resource-name=<resource-name> [--value=<value>] [--title=<title>] [--description=<description>] [--expires-on=<expires-on>]
Examples
Secret management example
In this workflow, you’ll create a new secret store, add a secret to it, and then reference that secret in your edge application’s custom configuration.
- Create a new store.
zcli datastore create SECRETS-APP1 --dstype=SECRET-STORE:VAULT --fqdn=https://zededacentral.net --apikey=AKIAIOSFODNN7EXAMPLE --dpath=secret
- Create secrets in your new store. The resource automatically becomes a secret because you are adding it to a secret store. The value is the secret itself, or the Base64-encoded content of a binary file you are uploading. Note that values passed with --apikey and --value appear on the command line, so they are visible in your shell history and in process listings on the host where you run ZCLI.
zcli datastore create-resource SECRETS-APP1 --resource-name=CLIENT_SECRET --value=MY-SECRET
- Reference your secret when you create an edge application in the ZEDEDA GUI, such as a container. For example, check the Add Custom Config Template checkbox and enter the following text in the Configuration Template field of your edge application. See custom configuration for more details about what you can do with configuration templates.
$datastore.SECRETS-APP1.CLIENT_SECRET
License assignment example
In this workflow, you’ll deploy a new application that requires a license. You'll upload a batch of licenses to a store (three in the example below) and configure the new application to claim one from that store.
- Create a new store.
zcli datastore create LICENSES-APP1 --dstype=ARTIFACT-STORE:VAULT --apikey=YOUR_API_KEY --apipass=YOUR_API_PASS
- Create some artifacts in your new store, one resource per license. The value is the Base64-encoded data or the binary file of the license you’re uploading.
zcli datastore create-resource LICENSES-APP1 --resource-name=LICENSE1 --value=BASE-64-VALUE1
zcli datastore create-resource LICENSES-APP1 --resource-name=LICENSE2 --value=BASE-64-VALUE2
zcli datastore create-resource LICENSES-APP1 --resource-name=LICENSE3 --value=BASE-64-VALUE3
- Reference your artifacts when you create an edge application in the ZEDEDA GUI, such as a container. For example, check the Add Custom Config Template checkbox and enter the following text in the Configuration Template field of your edge application. See custom configuration for more details about what you can do with configuration templates.
$datastore.LICENSES-APP1.#
Note that this example is using the ending ‘#’ character to reference the next available resource out of the many that were created, rather than specifying a specific one.
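Typing one create-resource command per license does not scale to a store of a hundred licenses, so here is an added example (not ZEDEDA's code) that builds one command per license file using only the create-resource syntax documented above, Base64-encodes each file, and names the resources LICENSE1..N so that the ‘#’ reference can hand them out. The sample license files are constructed; the store name LICENSES-APP1 comes from the workflow above, while the assumption that --expires-on accepts an ISO-8601 date is mine.

```python
"""Bulk-upload license files as artifacts (added example, not ZEDEDA's code).

Uses only the `zcli datastore create-resource` syntax documented on the page.
Assumptions: --expires-on takes an ISO-8601 date and --title is free text.
"""
import base64
import subprocess
import tempfile
from datetime import date
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample license blobs; real ones would be vendor-issued files.
SAMPLE_LICENSES: Dict[str, bytes] = {
    "node-a.lic": b"LICENSE v1\nnode=a\nfeatures=inference,telemetry\n",
    "node-b.lic": b"LICENSE v1\nnode=b\nfeatures=inference\n",
}


def write_sample_licenses(directory: Path) -> List[Path]:
    """Materialise the constructed licenses on disk so the example runs offline."""
    paths = []
    for name, blob in SAMPLE_LICENSES.items():
        p = directory / name
        p.write_bytes(blob)
        paths.append(p)
    return paths


def build_create_commands(store: str, license_files: List[Path],
                          expires_on: Optional[date] = None) -> List[List[str]]:
    """One create-resource argv per file, named LICENSE1..N in sorted file order
    so that $datastore.<store>.# can hand them out one per app instance."""
    cmds = []
    for i, path in enumerate(sorted(license_files), start=1):
        # Binary license files go up Base64-encoded, as the page allows.
        value = base64.b64encode(path.read_bytes()).decode("ascii")
        argv = [
            "zcli", "datastore", "create-resource", store,
            f"--resource-name=LICENSE{i}",
            f"--value={value}",
            f"--title={path.name}",
        ]
        if expires_on is not None:
            argv.append(f"--expires-on={expires_on.isoformat()}")  # assumed date format
        cmds.append(argv)
    return cmds


def decode_resource_value(argv: List[str]) -> bytes:
    """Recover the bytes a command would upload; useful for checking before running."""
    for arg in argv:
        if arg.startswith("--value="):
            return base64.b64decode(arg[len("--value="):])
    raise ValueError("no --value argument in command")


def run(cmds: List[List[str]], dry_run: bool = True) -> None:
    """Execute the commands. --value puts the license on the command line, where
    it is visible in process listings and shell history on the ZCLI host."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


def demo() -> List[List[str]]:
    """Build (and dry-run) the upload for the constructed sample licenses."""
    with tempfile.TemporaryDirectory() as tmp:
        files = write_sample_licenses(Path(tmp))
        cmds = build_create_commands("LICENSES-APP1", files, expires_on=date(2025, 12, 31))
    run(cmds, dry_run=True)
    return cmds


if __name__ == "__main__":
    demo()
```

Run it with dry_run=False once the printed commands look right. Because each resource is claimed by exactly one app instance, the number of files you upload is the number of instances that can boot; give them all the same --expires-on so capacity does not silently shrink one license at a time.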
Next Steps
- Create an edge app image that uses the data store interface you just created.
- Use the ZEDEDA CLI to Manage a Data Store if you need to show, delete, or update a store.