Skip to content

sureshg/secrets-proxy

 
 

Repository files navigation

Kotlin OneOps Secrets Proxy

api-doc java-doc changelog

A secure proxy service for managing OneOps secrets.

OneOps Secrets-Proxy Keystores

The following Trust-stores/Keystores are used in Secrets-proxy application.

  • keywhiz_proxy_keystore.p12

    The default TLS server certificate for Keywhiz-Proxy application. This is a self-signed TLS cert with the following details.

    • Common Name : keywhiz-proxy.dev.oneops.com
    • Key Password : kwproxy-password
    • Store Password : kwproxy-password
     For production deployment, contact your infosec team to get new TLS server certificate.
    
  • keywhiz_keystore.p12

    The keywhiz automation mTLS client certificate. Used for all the keywhiz server automation API calls. Make sure the client has been registered and automationAllowed=true on the keywhiz server. The client cert has to be trusted by the same RootCA used on Keywhiz server.

    For production deployment, contact your infosec/keywhiz server team to get new TLS client certificate.
    
  • keywhiz_truststore.p12

    The keywhiz server trust-store, containing the trusted CA (Certificate Authorities) certs or cert chains. Used for all the keywhiz server admin/automation API calls.

     For production deployment, use openssl to create trustore of your keywhiz server.
    

    or you can use tool like InstallCerts to auto-generate trust-store from the TLS endpoint.

  • ldap_truststore.p12

    Your LDAP/AD server trust-store, containing the trusted CA (Certificate Authorities) certs or cert chains. Used for AD/LDAP user authentication APIs.

     For production deployment, use openssl to create trustore of your AD/LDAP server.
    

    or you can use tool like InstallCerts to auto-generate trust-store from the TLS endpoint.

Docker

  • Build the image

     $ ./mvnw clean package
     $ docker build -t secrets-proxy:1.1.0 .
    
  • Run

     $ docker run -it --rm --name secrets-proxy -p 8443:8443  -e name=Secrets-Proxy -d secrets-proxy:1.1.0
     $ open https://localhost:8443/
    
  • Debugging and Logs

    $ docker exec -it secrets-proxy sh
    # cd log/
    /log # ls -ltrh
    total 64
    drwxr-xr-x    2 root     root        4.0K Aug  9 21:50 audit
    drwxr-xr-x    2 root     root        4.0K Aug  9 21:50 access
    -rw-r--r--    1 root     root       54.0K Aug  9 21:51 keywhiz-proxy.log
    
    set -o allexport
    source conf-file
    set +o allexport
    

Generate JOOQ source.

 $ ./mvnw clean package -P generate
 # $ ./mvnw versions:display-dependency-updates

Misc

TODO

  • Move the automation client to Retrofit.
  • X509 Authentication ??
  • Update to the latest keysync.
  • Feature toggles implementation.
  • Http2/Grpc (May be with JDK 9)
  • JTI claim to maintain list of blacklisted or revoked tokens.
  • Springboot admin integration.

Why we chose Spring Boot


**Require Java 8 or later

Packages

No packages published

Languages

  • Java 97.9%
  • Shell 1.3%
  • Batchfile 0.8%