oneops / secrets-proxy

License: Apache-2.0
🔑 A secure proxy service for managing OneOps secrets.

🔑 OneOps Secrets Proxy


A secure proxy service for managing OneOps secrets.

How to run

Set all the secrets-proxy env vars.

$ ./mvnw clean package
$ java -jar target/secrets-proxy-<version>.jar

Docker

  • Build the secrets-proxy image

     $ git clone https://github.com/oneops/secrets-proxy.git
     $ cd secrets-proxy
     $ docker build -t secrets-proxy:latest .
    
  • Run secrets-proxy image

    Before running, make sure you have the proper secrets-proxy env file and all the keystores under /path/to/secrets.

     $ docker run -it --rm --name secrets-proxy -p 8443:8443  --env-file=/path/to/secrets/keywhiz-proxy-env  -v /path/to/secrets:/secrets -d secrets-proxy:latest
     $ open https://localhost:8443/apidocs
    
  • Debugging and Logs

    $ docker exec -it secrets-proxy sh
    # cd log/
    # ls -ltrh
    total 48
    drwxr-xr-x    2 root     root        4.0K May  4 23:05 audit
    drwxr-xr-x    2 root     root        4.0K May  4 23:05 access
    -rw-r--r--    1 root     root       39.4K May  4 23:05 keywhiz-proxy.log
    

OneOps Secrets-Proxy Keystores

The following trust-stores/keystores are used by the Secrets-proxy application.

  • keywhiz_proxy_keystore.p12

    The default TLS server certificate for Keywhiz-Proxy application. This is a self-signed TLS cert with the following details.

    • Common Name : keywhiz-proxy.dev.oneops.com
    • Key Password : kwproxy-password
    • Store Password : kwproxy-password
    For production deployment, contact your infosec team to get a new TLS server certificate.
    
  • keywhiz_keystore.p12

    The keywhiz automation mTLS client certificate. Used for all the keywhiz server automation API calls. Make sure the client has been registered with automationAllowed=true on the keywhiz server. The client cert has to be trusted by the same root CA used on the Keywhiz server.

    For production deployment, contact your infosec/keywhiz server team to get a new TLS client certificate.
    
  • keywhiz_truststore.p12

    The keywhiz server trust-store, containing the trusted CA (Certificate Authorities) certs or cert chains. Used for all the keywhiz server admin/automation API calls.

    For production deployment, use openssl to create a trust-store for your keywhiz server, or use a tool like InstallCerts to auto-generate the trust-store from the TLS endpoint.

  • ldap_truststore.p12

    Your LDAP/AD server trust-store, containing the trusted CA (Certificate Authorities) certs or cert chains. Used for AD/LDAP user authentication APIs.

    For production deployment, use openssl to create a trust-store for your AD/LDAP server, or use a tool like InstallCerts to auto-generate the trust-store from the TLS endpoint.
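An added example (not code from the secrets-proxy project) of the openssl route mentioned for both the keywhiz and the LDAP trust-store, plus a check that the keywhiz mTLS client certificate in keywhiz_keystore.p12 chains to a CA held in the trust-store, as the section above requires. It assumes openssl is on PATH; host names, file names and passwords are placeholders.

```shell
#!/bin/sh
# Added example, not part of the secrets-proxy project. Assumes openssl on PATH;
# host names, file names and passwords below are placeholders.

# Fetch the PEM certificate chain presented by host:port (your keywhiz or
# LDAP server) into file $3; this is what InstallCerts automates.
fetch_chain() {
  host=$1; port=$2; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$out"
  [ -s "$out" ]
}

# Build a certs-only PKCS12 trust-store (keywhiz_truststore.p12 or
# ldap_truststore.p12) from a PEM file holding one or more CA certificates.
# Arguments: pem-in, p12-out, store password.
make_truststore() {
  openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$3"
}

# Number of certificates held in a PKCS12 trust-store (file, store password).
truststore_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Check that the client certificate in a PKCS12 keystore (keywhiz_keystore.p12)
# chains to a CA held in the trust-store, i.e. the automation client is issued
# under the same root CA the keywhiz server trusts. Returns 0 when it does.
client_cert_trusted() {
  client_p12=$1; client_pass=$2; trust_p12=$3; trust_pass=$4
  tmp=$(mktemp -d) || return 1
  openssl pkcs12 -in "$client_p12" -passin "pass:$client_pass" -nokeys -clcerts \
    2>/dev/null >"$tmp/client.pem"
  openssl pkcs12 -in "$trust_p12" -passin "pass:$trust_pass" -nokeys \
    2>/dev/null >"$tmp/ca.pem"
  if openssl verify -CAfile "$tmp/ca.pem" "$tmp/client.pem" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}
```

Typical use: `fetch_chain keywhiz.example.com 4444 chain.pem && make_truststore chain.pem keywhiz_truststore.p12 changeit`, then `client_cert_trusted keywhiz_keystore.p12 <pass> keywhiz_truststore.p12 changeit` before starting the proxy.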

Keysync

Keysync is the keywhiz client used on computes to sync secrets. In order to build keysync:

# Make sure to install go (https://golang.org/dl/)
# export GOOS=linux
$ mkdir ~/tmp
$ export GOPATH=$HOME/tmp
$ go get -u github.com/square/keysync
$ cd $GOPATH/src/github.com/square/keysync
$ go build -o keysync ./cmd/keysync/
$ ./keysync --help

Generate JOOQ source.

 $ ./mvnw clean package -P generate

Misc

TODO

  • Springboot admin integration.
  • Prometheus metrics integration.
  • X509 Authentication.
  • Feature toggles implementation.
  • Http2/Grpc (maybe with JDK 9)
  • JTI claim to maintain a list of blacklisted or revoked tokens.

Why we chose Spring Boot

License

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.

** Requires Java 8 or later.
