Set all the secrets-proxy env vars, then build and run:

```sh
$ ./mvnw clean package
$ java -jar target/secrets-proxy-<version>.jar
```
- Build the secrets-proxy image

```sh
$ git clone https://github.com/oneops/secrets-proxy.git
$ cd secrets-proxy
$ docker build -t secrets-proxy:latest .
```
- Run the secrets-proxy image

  Before running, make sure you have the proper secrets-proxy env file and all the keystores under /path/to/secrets.

```sh
$ docker run -it --rm --name secrets-proxy -p 8443:8443 --env-file=/path/to/secrets/keywhiz-proxy-env -v /path/to/secrets:/secrets -d secrets-proxy:latest
$ open https://localhost:8443/apidocs
```
- Debugging and Logs

```sh
$ docker exec -it secrets-proxy sh
# cd log/
# ls -ltrh
total 48
drwxr-xr-x 2 root root 4.0K May 4 23:05 audit
drwxr-xr-x 2 root root 4.0K May 4 23:05 access
-rw-r--r-- 1 root root 39.4K May 4 23:05 keywhiz-proxy.log
```
The following trust-stores/keystores are used in the Secrets-proxy application.
- The default TLS server certificate for the Keywhiz-Proxy application. This is a self-signed TLS cert with the following details.
  - Common Name: keywhiz-proxy.dev.oneops.com
  - Key Password: kwproxy-password
  - Store Password: kwproxy-password

  For production deployment, contact your infosec team to get a new TLS server certificate.
- Common Name :
- The keywhiz automation mTLS client certificate. Used for all the keywhiz server automation API calls. Make sure the client has been registered with `automationAllowed=true` on the keywhiz server. The client cert has to be trusted by the same RootCA used on the Keywhiz server. For production deployment, contact your infosec/keywhiz server team to get a new TLS client certificate.
- The keywhiz server trust-store, containing the trusted CA (Certificate Authority) certs or cert chains. Used for all the keywhiz server admin/automation API calls. For production deployment, use openssl to create a trust-store for your keywhiz server, or use a tool like InstallCerts to auto-generate the trust-store from the TLS endpoint.
- Your LDAP/AD server trust-store, containing the trusted CA (Certificate Authority) certs or cert chains. Used for the AD/LDAP user authentication APIs. For production deployment, use openssl to create a trust-store for your AD/LDAP server, or use a tool like InstallCerts to auto-generate the trust-store from the TLS endpoint.
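The openssl route mentioned above, as an added example that is not part of the secrets-proxy project: capture the chain a keywhiz or LDAP/AD endpoint presents, split it into one PEM file per certificate, and import each into a JDK trust-store with `keytool`. The function names, the trust-store path, alias prefix and store password are assumptions; review each subject line it prints before trusting the chain, since it comes from the endpoint itself.

```sh
#!/bin/sh
# Added example (not the project's own script). Assumed helper names; the
# trust-store file, alias prefix and password are placeholders.
set -eu

# Split a PEM bundle (e.g. `openssl s_client -showcerts` output) into one file
# per certificate under $2, named cert-1.pem, cert-2.pem, ...; prints the count.
split_pem_chain() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    END { print n + 0 }
  ' "$bundle"
}

# Record the chain that host:port presents during the TLS handshake.
# stdin is closed so s_client exits once the handshake is done.
fetch_chain() {
  host=$1; port=$2; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null > "$out"
}

# Import every split certificate into a trust-store (created on first import).
# The subject and expiry of each cert are printed so they can be checked.
build_truststore() {
  certdir=$1; store=$2; storepass=$3
  for pem in "$certdir"/cert-*.pem; do
    alias=$(basename "$pem" .pem)
    openssl x509 -in "$pem" -noout -subject -enddate
    keytool -importcert -noprompt -alias "$alias" -file "$pem" \
      -keystore "$store" -storepass "$storepass"
  done
}

# Usage: sh build-truststore.sh keywhiz.example.com 4444 keywhiz-truststore.jks <store-password>
if [ $# -eq 4 ]; then
  chain=$(mktemp); certs=$(mktemp -d)
  fetch_chain "$1" "$2" "$chain"
  n=$(split_pem_chain "$chain" "$certs")
  echo "found $n certificate(s) in the presented chain"
  build_truststore "$certs" "$3" "$4"
fi
```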
Keysync is the keywhiz client used on computes to sync secrets. In order to build keysync:

```sh
# Make sure to install go (https://golang.org/dl/)
# export GOOS=linux
$ mkdir ~/tmp
$ export GOPATH=$HOME/tmp
$ go get -u github.com/square/keysync
$ cd $GOPATH/src/github.com/square/keysync
$ go build -o keysync ./cmd/keysync/
$ ./keysync --help
```
```sh
$ ./mvnw clean package -P generate
```
- Secrets Tools - https://github.com/oneops/secrets-proxy/releases/tag/tools
- JWT Token Verification - https://jwt.io/
- REST API References
- Spring Boot Admin integration.
- Prometheus metrics integration.
- X509 authentication.
- Feature toggles implementation.
- HTTP/2 / gRPC (maybe with JDK 9).
- JTI claim to maintain a list of blacklisted or revoked tokens.
- https://twitter.com/springcentral/status/878264199729860608
- https://twitter.com/fintanr/status/877988573399531520
- https://www.jetbrains.com/research/devecosystem-2017/java/ (Check the Web framework section)
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
** Requires Java 8 or later.