Skip to content

🔑 A secure proxy service for managing OneOps secrets.

License

Notifications You must be signed in to change notification settings

oneops/secrets-proxy

Repository files navigation

🔑 OneOps Secrets Proxy

Build Maven Central api-doc java-doc changelog

A secure proxy service for managing OneOps secrets.

How to run

Set all the secrets-proxy env vars.

$ ./mvnw clean package
$ java -jar target/secrets-proxy-<version>.jar

Docker

  • Build the secrets-proxy image

     $ git clone https://github.com/oneops/secrets-proxy.git
     $ cd secrets-proxy
     $ docker build -t secrets-proxy:latest .
    
  • Run secrets-proxy image

    Before running make sure you have the proper secrets-proxy env file and all the keystores under /path/to/secrets

     $ docker run -it --rm --name secrets-proxy -p 8443:8443  --env-file=/path/to/secrets/keywhiz-proxy-env  -v /path/to/secrets:/secrets -d secrets-proxy:latest
     $ open https://localhost:8443/apidocs
    
  • Debugging and Logs

    $ docker exec -it secrets-proxy sh
    # cd log/
    # ls -ltrh
    total 48
    drwxr-xr-x    2 root     root        4.0K May  4 23:05 audit
    drwxr-xr-x    2 root     root        4.0K May  4 23:05 access
    -rw-r--r--    1 root     root       39.4K May  4 23:05 keywhiz-proxy.log
    

OneOps Secrets-Proxy Keystores

The following Trust-stores/Keystores are used in Secrets-proxy application.

  • keywhiz_proxy_keystore.p12

    The default TLS server certificate for Keywhiz-Proxy application. This is a self-signed TLS cert with the following details.

    • Common Name : keywhiz-proxy.dev.oneops.com
    • Key Password : kwproxy-password
    • Store Password : kwproxy-password
     For production deployment, contact your infosec team to get new TLS server certificate.
    
  • keywhiz_keystore.p12

    The keywhiz automation mTLS client certificate. Used for all the keywhiz server automation API calls. Make sure the client has been registered and automationAllowed=true on the keywhiz server. The client cert has to be trusted by the same RootCA used on Keywhiz server.

    For production deployment, contact your infosec/keywhiz server team to get new TLS client certificate.
    
  • keywhiz_truststore.p12

    The keywhiz server trust-store, containing the trusted CA (Certificate Authorities) certs or cert chains. Used for all the keywhiz server admin/automation API calls.

     For production deployment, use openssl to create trustore of your keywhiz server.
    

    or you can use tool like InstallCerts to auto-generate trust-store from the TLS endpoint.

  • ldap_truststore.p12

    Your LDAP/AD server trust-store, containing the trusted CA (Certificate Authorities) certs or cert chains. Used for AD/LDAP user authentication APIs.

     For production deployment, use openssl to create trustore of your AD/LDAP server.
    

    or you can use tool like InstallCerts to auto-generate trust-store from the TLS endpoint.

Keysync

Keysync is the keywhiz client used on computes to sync secrets. Inorder to build keysync,

# Make sure to install go (https://golang.org/dl/)
# export GOOS=linux
$ mkdir ~/tmp
$ export GOPATH=$HOME/tmp
$ go get -u github.com/square/keysync
$ cd $GOPATH/src/github.com/square/keysync
$ go build -o keysync ./cmd/keysync/
$ ./keysync --help

Generate JOOQ source.

 $ ./mvnw clean package -P generate

Misc

TODO

  • Springboot admin integration.
  • Prometheus metrics integration.
  • X509 Authentication.
  • Feature toggles implementation.
  • Http2/Grpc (May be with JDK 9)
  • JTI claim to maintain list of blacklisted or revoked tokens.

Why we chose Spring Boot

License

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.

**Require Java 8 or later