
Remove secrets from Docker Images (#1191)

* Use $(go env GOPATH)

Use go env GOPATH for situations where the GOPATH environment variable may be unset
https://golang.org/cmd/go/#hdr-GOPATH_environment_variable

* Remove secrets from the docker images

* Bump docker version

* Add secrets to sequencer

* Set permission bits before writing file
gdbelvin committed Jul 19, 2019
1 parent 3c05089 commit 2aa29cd28a0a9f0e6d82dfc3e8c5d8a3fd991bfd
@@ -92,7 +92,7 @@ NB A default for the Key Transparency server URL is being used here. The default

1. [OpenSSL](https://www.openssl.org/community/binaries.html)
1. [Docker](https://docs.docker.com/engine/installation/)
- Docker Engine 1.13.0+ `docker version -f '{{.Server.APIVersion}}'`
- Docker Engine 1.17.6+ `docker version -f '{{.Server.APIVersion}}'`
- Docker Compose 1.11.0+ `docker-compose --version`

```sh
@@ -12,7 +12,6 @@ RUN go get -tags="mysql" ./cmd/keytransparency-monitor
FROM gcr.io/distroless/base

COPY --from=build /go/bin/keytransparency-monitor /
ADD ./genfiles/* /kt/

ENTRYPOINT ["/keytransparency-monitor"]

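Review bot: The final stage still has no `USER` and `gcr.io/distroless/base` carries no tag, so the monitor runs as root from whatever `base` resolves to at build time; now that the keys arrive via `/run/secrets` instead of being baked in, the remaining hardening is `FROM gcr.io/distroless/base:nonroot` (or `USER nonroot` before `ENTRYPOINT`) plus a digest pin. Before switching to a non-root user, check that the mounted keys are readable by it: outside swarm mode compose appears to bind-mount file secrets with the host file's owner and mode, and the generation scripts in this commit now create the keys 0400. Dropping `ADD ./genfiles/* /kt/` removes the keys only from the final stage; if the `build` stage copies the repository tree (its `COPY` is outside this hunk), `genfiles/` belongs in `.dockerignore` so the keys never enter the build context or the layer cache. The same points apply to the keytransparency-server Dockerfile hunk below.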
@@ -12,7 +12,6 @@ RUN go get -tags="mysql" ./cmd/keytransparency-server
FROM gcr.io/distroless/base

COPY --from=build /go/bin/keytransparency-server /
ADD ./genfiles/* /kt/

ENTRYPOINT ["/keytransparency-server"]

@@ -1,7 +1,7 @@
# Development configuration
# docker-compose up will automatically find and apply this configuration

version: "3"
version: "3.1"
services:
db:
ports:
@@ -1,7 +1,7 @@
# Production configuration
# docker-compose up -f docker-compose.yml docker-compose.prod.yml

version: "3"
version: "3.1"
services:
db:
environment:
@@ -1,4 +1,12 @@
version: "3"
version: "3.1"
secrets:
server.key:
file: ./genfiles/server.key
server.crt:
file: ./genfiles/server.crt
monitor.key:
file: ./genfiles/monitor_sign-key.pem

services:
# Only works when when replicas = 1 for reach monitored service.
# Kubernetes sidecars are needed for replicas > 1.
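Review bot: The new top-level `secrets:` entries point at `./genfiles/*`, which compose resolves relative to this file and, outside swarm mode, mounts as read-only bind mounts of the host files rather than as managed secrets, so the files must exist locally before `docker-compose up` and must stay out of version control. A comment above `secrets:` would save the next reader a surprise, e.g. `# File-based secrets: bind-mounted into /run/secrets of each service (not managed secrets outside swarm); genfiles/ is generated locally and must not be committed.` The `monitor.key` entry also renames `monitor_sign-key.pem`, which is worth stating in the same comment since the gen script and the `--sign-key` flag use different names.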
@@ -117,8 +125,8 @@ services:
- --db=test:zaphod@tcp(db:3306)/test
- --log-url=log-server:8090
- --map-url=map-server:8090
- --tls-key=/kt/server.key
- --tls-cert=/kt/server.crt
- --tls-key=/run/secrets/server.key
- --tls-cert=/run/secrets/server.crt
- --auth-type=insecure-fake
- --alsologtostderr
- --v=1
@@ -129,6 +137,9 @@ services:
interval: 30s
timeout: 10s
retries: 5
secrets:
- server.key
- server.crt

sequencer:
depends_on:
@@ -146,8 +157,8 @@ services:
- --addr=0.0.0.0:8080
- --log-url=log-server:8090
- --map-url=map-server:8090
- --tls-key=/kt/server.key
- --tls-cert=/kt/server.crt
- --tls-key=/run/secrets/server.key
- --tls-cert=/run/secrets/server.crt
- --alsologtostderr
- --v=5
ports:
@@ -158,6 +169,9 @@ services:
interval: 30s
timeout: 10s
retries: 5
secrets:
- server.key
- server.crt

init:
image: gcr.io/key-transparency/init:latest
@@ -185,12 +199,16 @@ services:
- --kt-url=server:8080
- --insecure
- --directoryid=default
- --tls-key=/kt/server.key
- --tls-cert=/kt/server.crt
- --sign-key=/kt/monitor_sign-key.pem
- --tls-key=/run/secrets/server.key
- --tls-cert=/run/secrets/server.crt
- --sign-key=/run/secrets/monitor.key
- --password=towel
- --alsologtostderr
- --v=3
restart: always
ports:
- "8099:8099" # gRPC / HTTPS
secrets:
- server.key
- server.crt
- monitor.key
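Review bot: `--sign-key=/run/secrets/monitor.key` now reads the monitor's signing key from a secret, but the passphrase that unlocks it, `--password=towel`, stays on the command line one line below, visible to anyone who can run `docker inspect` or read the container's `/proc`, so moving the key alone does not keep it confidential. If the monitor binary can take the passphrase from a file (I can't tell from this hunk), it would fit the same pattern as a fourth entry under `secrets:`; otherwise a comment such as `# dev-only default; matches DEFAULT_PWD in the key generation script` makes the trade-off explicit. The server's `--auth-type=insecure-fake` in the earlier hunk suggests this compose file is development-only, which would justify leaving it as is.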
@@ -15,8 +15,8 @@
# limitations under the License.

# Create output directory.
mkdir -p "${GOPATH}/src/github.com/google/keytransparency/genfiles"
cd "${GOPATH}/src/github.com/google/keytransparency/genfiles"
mkdir -p "$(go env GOPATH)/src/github.com/google/keytransparency/genfiles"
cd "$(go env GOPATH)/src/github.com/google/keytransparency/genfiles"

INTERACTIVE=1

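Review bot: `$(go env GOPATH)` expands to an empty string when `go` is not on PATH, so `mkdir -p` then creates `/src/github.com/google/keytransparency/genfiles` under the filesystem root (or fails) and, unless the script runs under `set -e` (outside this hunk), the following `cd` failure leaves the key files written into the current directory. Capture the path once and fail loudly: `GOPATH_DIR="$(go env GOPATH)"; [ -n "$GOPATH_DIR" ] || { echo "go not found on PATH" >&2; exit 1; }`, `GENFILES="$GOPATH_DIR/src/github.com/google/keytransparency/genfiles"`, then `mkdir -p "$GENFILES" && cd "$GENFILES" || exit 1`. The same substitution appears in the two later `$(go env GOPATH)` hunks and the fix belongs there too.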
@@ -39,9 +39,8 @@ DEFAULT_PWD=towel
# Generate monitor signing key-pair:
if ((INTERACTIVE == 1)); then
# Prompts for password:
openssl ecparam -name prime256v1 -genkey | openssl ec -aes256 -out monitor_sign-key.pem
( umask 377 && openssl ecparam -name prime256v1 -genkey | openssl ec -aes256 -out monitor_sign-key.pem)
else
openssl ecparam -name prime256v1 -genkey | openssl ec -aes256 -passout pass:$DEFAULT_PWD -out monitor_sign-key.pem
( umask 377 && openssl ecparam -name prime256v1 -genkey | openssl ec -aes256 -passout pass:$DEFAULT_PWD -out monitor_sign-key.pem )
fi
chmod 600 monitor_sign-key.pem

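Review bot: With `umask 377` the subshell creates `monitor_sign-key.pem` as 0400, and the old `chmod 600` is gone, so a second run of the script will fail at `openssl ec -out monitor_sign-key.pem` with a permission error on the existing read-only file unless something outside this hunk removes it first. If 0600 was the intended mode, `umask 177` reproduces the previous permissions; if read-only is intended, add `rm -f monitor_sign-key.pem` before the `if` so re-runs keep working. The `( umask 377 && openssl rsa ... -out server.key )` line in the gen_server_keys.sh hunk below has the same re-run behaviour.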
@@ -23,7 +23,7 @@ while getopts d:a:s: option; do
d) COMMONNAME=${OPTARG};;
a) ADDRESS=${OPTARG};;
s) SAN_DNS=${OPTARG};;
*) echo "usage: ./generate.sh -d <domain> -a <ip_address> -s <san_extension_DNS>"; exit 1;;
*) echo "usage: ./gen_server_keys.sh -d <domain> -a <ip_address> -s <san_extension_DNS>"; exit 1;;
esac
done

@@ -39,13 +39,12 @@ fi
SANEXT="[SAN]\nbasicConstraints=CA:TRUE\nsubjectAltName=@alt_names\n\n${ALTNAMES}"

# Create output directory.
mkdir -p "${GOPATH}/src/github.com/google/keytransparency/genfiles"
cd "${GOPATH}/src/github.com/google/keytransparency/genfiles"
mkdir -p "$(go env GOPATH)/src/github.com/google/keytransparency/genfiles"
cd "$(go env GOPATH)/src/github.com/google/keytransparency/genfiles"

# Generate TLS keys.
openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048
openssl rsa -passin pass:xxxx -in server.pass.key -out server.key
chmod 600 server.key
( umask 377 && openssl rsa -passin pass:xxxx -in server.pass.key -out server.key )
rm server.pass.key
openssl req -new \
-key server.key \
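Review bot: The `umask 377` wrapper protects only the second write; `openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048` on the line above still creates the RSA key with the default umask, and since the passphrase `xxxx` is a literal in the script, that file is effectively plaintext for the window until `rm server.pass.key`. Either move the first command into the same subshell, `( umask 377 && openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048 && openssl rsa -passin pass:xxxx -in server.pass.key -out server.key )`, or drop the round trip entirely with `( umask 377 && openssl genrsa -out server.key 2048 )`, which yields the same unencrypted `server.key`. The earlier `rm server.pass.key` then becomes unnecessary in the second variant.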
@@ -125,7 +125,7 @@ fi
##### Executing #####
#####################

cd "${GOPATH}/src/github.com/google/keytransparency"
cd "$(go env GOPATH)/src/github.com/google/keytransparency"

# Create keys.
if ((FRONTEND == 1)); then
