🔑 OneOps Secrets Proxy

A secure proxy service for managing OneOps secrets.

How to run

Set all the secrets-proxy env vars.

$ ./mvnw clean package
$ java -jar target/secrets-proxy-<version>.jar

Docker

  • Build the secrets-proxy image

     $ git clone https://github.com/oneops/secrets-proxy.git
     $ cd secrets-proxy
     $ docker build -t secrets-proxy:latest .
    
  • Run secrets-proxy image

    Before running, make sure you have the proper secrets-proxy env file and all the keystores under /path/to/secrets.

     $ docker run -it --rm --name secrets-proxy -p 8443:8443  --env-file=/path/to/secrets/keywhiz-proxy-env  -v /path/to/secrets:/secrets -d secrets-proxy:latest
     $ open https://localhost:8443/apidocs
    
  • Debugging and Logs

    $ docker exec -it secrets-proxy sh
    # cd log/
    # ls -ltrh
    total 48
    drwxr-xr-x    2 root     root        4.0K May  4 23:05 audit
    drwxr-xr-x    2 root     root        4.0K May  4 23:05 access
    -rw-r--r--    1 root     root       39.4K May  4 23:05 keywhiz-proxy.log
    

OneOps Secrets-Proxy Keystores

The following trust-stores/keystores are used by the Secrets-proxy application.

  • keywhiz_proxy_keystore.p12

    The default TLS server certificate for the Keywhiz-Proxy application. This is a self-signed TLS cert with the following details.

    • Common Name : keywhiz-proxy.dev.oneops.com
    • Key Password : kwproxy-password
    • Store Password : kwproxy-password
     For production deployment, contact your infosec team to get a new TLS server certificate.
    
  • keywhiz_keystore.p12

    The keywhiz automation mTLS client certificate, used for all the keywhiz server automation API calls. Make sure the client has been registered with automationAllowed=true on the keywhiz server. The client cert has to be trusted by the same RootCA used on the Keywhiz server.

    For production deployment, contact your infosec/keywhiz server team to get a new TLS client certificate.
    
  • keywhiz_truststore.p12

    The keywhiz server trust-store, containing the trusted CA (Certificate Authority) certs or cert chains. Used for all the keywhiz server admin/automation API calls.

     For production deployment, use openssl to create a trust-store for your keywhiz server.
    

    Alternatively, a tool like InstallCerts can auto-generate the trust-store from the TLS endpoint.

  • ldap_truststore.p12

    Your LDAP/AD server trust-store, containing the trusted CA (Certificate Authority) certs or cert chains. Used for the AD/LDAP user authentication APIs.

     For production deployment, use openssl to create a trust-store for your AD/LDAP server.
    

    Alternatively, a tool like InstallCerts can auto-generate the trust-store from the TLS endpoint.
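A pre-flight check for the two keywhiz stores described above: the client cert in keywhiz_keystore.p12 must chain to a CA present in keywhiz_truststore.p12 and must still be within its validity period. This is an added Java example written for this page, not code from the secrets-proxy project; the class name is an assumption and the store paths and passwords are taken from the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
// Added example, not secrets-proxy code: checks that the keywhiz_keystore.p12 client cert
// chains to a CA in keywhiz_truststore.p12 and is currently valid.
public class KeystoreCheck {
    static KeyStore loadP12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }
    // True when the private-key entry's chain validates against the trust-store anchors.
    static boolean clientCertTrusted(KeyStore keystore, KeyStore truststore) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        Set<Certificate> anchorCerts = new HashSet<>();
        for (String alias : Collections.list(truststore.aliases())) {
            Certificate c = truststore.getCertificate(alias); // every cert entry is an anchor
            if (!(c instanceof X509Certificate)) continue;
            anchors.add(new TrustAnchor((X509Certificate) c, null));
            anchorCerts.add(c);
        }
        for (String alias : Collections.list(keystore.aliases())) {
            if (!keystore.isKeyEntry(alias)) continue; // skip plain certificate entries
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : keystore.getCertificateChain(alias)) {
                if (!anchorCerts.contains(c)) chain.add((X509Certificate) c); // anchor is not part of the path
            }
            if (chain.isEmpty()) return true; // the client cert itself is a trust anchor
            chain.get(0).checkValidity(); // throws if the leaf is expired or not yet valid
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // offline pre-flight: no CRL/OCSP lookup
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            try {
                CertPathValidator.getInstance("PKIX").validate(path, params);
                return true;
            } catch (CertPathValidatorException e) {
                System.err.println(alias + ": " + e.getMessage());
                return false;
            }
        }
        return false; // keystore holds no private-key entry
    }
    // usage: java KeystoreCheck <keystore.p12> <keystore-password> <truststore.p12> <truststore-password>
    public static void main(String[] args) throws Exception {
        KeyStore ks = loadP12(args[0], args[1].toCharArray());
        KeyStore ts = loadP12(args[2], args[3].toCharArray());
        System.out.println(clientCertTrusted(ks, ts) ? "client cert trusted" : "client cert NOT trusted");
    }
}
```

Running it against the shipped stores before a production rollout catches a client cert issued by a different RootCA, or one that has quietly expired, without starting the proxy.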

Keysync

Keysync is the keywhiz client used on computes to sync secrets. In order to build keysync:

# Make sure to install go (https://golang.org/dl/)
# export GOOS=linux
$ mkdir ~/tmp
$ export GOPATH=$HOME/tmp
$ go get -u github.com/square/keysync
$ cd $GOPATH/src/github.com/square/keysync
$ go build -o keysync ./cmd/keysync/
$ ./keysync --help

To generate the JOOQ source:

 $ ./mvnw clean package -P generate

Misc

TODO

  • Springboot admin integration.
  • Prometheus metrics integration.
  • X509 Authentication.
  • Feature toggles implementation.
  • HTTP/2 / gRPC (maybe with JDK 9).
  • JTI claim to maintain a list of blacklisted or revoked tokens.

Why we chose Spring Boot

License

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.

** Requires Java 8 or later.
