Component Server Vault Proxy

Warning
The Component Server Vault Proxy has been deprecated since the component-runtime-1.34.0 release.

Browse the API description using OpenAPI.

A Vault proxy dedicated to the Component Server makes it possible to safely manage credential encryption when operating in a cloud environment.

Vault proxy

The Vault Proxy only concerns data marked as @Credential in the component configuration.

This Vault proxy:

  • receives an encrypted payload containing sensitive data from the remote engine, via HTTP.

  • decrypts the data.

  • caches the decrypted value of the data in memory for performance reasons.

  • sends the unencrypted data to the Component Server using HTTPS. An SSL certificate can be generated automatically to secure the data.

Adding the Vault Proxy to your Docker Compose

The YAML below is the recommended configuration to enable the Vault Proxy and Component Server to communicate over HTTPS.

Linking the Vault Proxy to the Component Server through HTTPS

When the Vault Proxy is enabled, ensure you configure HTTPS on the Component Server using the following parameters:

talend.component.server.ssl.active

true or false. Indicates if the SSL protocol is enabled.

talend.component.server.ssl.password

Keystore password.

talend.component.server.ssl.keystore.location

Path to Keystore.

talend.component.server.ssl.keystore.alias

Private key/certificate alias.

talend.component.server.ssl.keystore.type

Keystore type.

talend.component.server.ssl.keystore.generation.force

true or false.

talend.component.server.ssl.keystore.generation.command

Specifies if a custom command is to be used to generate the certificate.

talend.component.server.ssl.keypair.algorithm

Encryption algorithm. RSA by default.

talend.component.server.ssl.certificate.dname

Distinguished name.

talend.component.server.ssl.keypair.size

Size of the key. 2048 by default.

talend.component.server.ssl.port

SSL port to use.
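
The parameters above can be checked before deployment. The following is an added example, not code from the project: it audits the HTTPS settings for the Vault Proxy to Component Server link. It assumes the settings are available as key=value lines (the page does not say how they are supplied); the sample values, the password deny-list and the function names are constructed for illustration.

```python
# Added example. Assumption: settings are available as key=value lines;
# the page does not state how they are passed to the Component Server.
PREFIX = "talend.component.server.ssl."
DEFAULT_RSA_BITS = 2048                        # default given in the list above
WEAK_PASSWORDS = {"", "changeit", "password"}  # constructed deny-list

def parse_settings(text):
    """Parse key=value lines, skipping blanks and # comments."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit_ssl(settings):
    """Return findings for the HTTPS link; an empty list means none."""
    get = lambda name: settings.get(PREFIX + name)
    findings = []
    if (get("active") or "").lower() != "true":
        findings.append("ssl.active is not true: decrypted data would not travel over HTTPS")
    if get("password") is not None and get("password") in WEAK_PASSWORDS:
        findings.append("ssl.password is empty or a well-known value")
    # The 2048 default is an RSA size; other algorithms use different scales.
    algorithm = (get("keypair.algorithm") or "RSA").upper()
    size = get("keypair.size")
    if algorithm == "RSA" and size is not None:
        if not size.isdigit() or int(size) < DEFAULT_RSA_BITS:
            findings.append(f"ssl.keypair.size {size!r} is below the RSA default")
    port = get("port")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append("ssl.port is not a valid TCP port")
    return findings

# Constructed sample inputs, not taken from the project.
WEAK = """
talend.component.server.ssl.active=false
talend.component.server.ssl.password=changeit
talend.component.server.ssl.keypair.size=1024
"""
HARDENED = """
talend.component.server.ssl.active=true
talend.component.server.ssl.password=example-long-random-value
talend.component.server.ssl.keypair.size=4096
talend.component.server.ssl.port=8443
"""
if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ssl(parse_settings(text)))
```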

Adding extensions to the instance

You can mount a volume at /opt/talend/component-kit-vault-proxy/custom/; the JARs in that folder are deployed with the server. Since the server relies on CDI (Apache OpenWebBeans), you can use that technology to enrich it, including JAX-RS endpoints, interceptors, etc., or just add libraries that need to be in the JVM.