Add option to encrypt redis password (#302)
alexsong93 authored and mhamann committed May 19, 2018
1 parent 86e5fdc commit da17089
Showing 5 changed files with 14 additions and 1 deletion.
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -26,7 +26,7 @@ FROM alpine:latest
# install dependencies
RUN apk --update add \
gcc tar libtool zlib jemalloc jemalloc-dev perl \
ca-certificates wget make musl-dev openssl-dev pcre-dev g++ zlib-dev curl python \
ca-certificates wget make musl-dev openssl-dev openssl pcre-dev g++ zlib-dev curl python \
perl-test-longstring perl-list-moreutils perl-http-message geoip-dev dumb-init jq \
&& update-ca-certificates \
&& rm -rf /var/cache/apk/*
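Review bot: the new `openssl` package is added to the `apk add` line with nothing saying what needs it; the only consumer is the `openssl enc -d` call in init.sh, so a short comment on that line (e.g. `# openssl: used by init.sh when DECRYPT_REDIS_PASS=true`) would stop it being removed later as an unused dependency. The packages are also installed unpinned on `alpine:latest`, so the `openssl` CLI that decrypts the Redis password can change between builds without any change to this repository; consider pinning the version.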
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -58,6 +58,7 @@ docker-run:
docker run --rm --name="apigateway" -p 80:80 -p ${PUBLIC_MANAGEDURL_PORT}:8080 -p 9000:9000 \
-e PUBLIC_MANAGEDURL_HOST=${PUBLIC_MANAGEDURL_HOST} -e PUBLIC_MANAGEDURL_PORT=${PUBLIC_MANAGEDURL_PORT} \
-e REDIS_HOST=${REDIS_HOST} -e REDIS_PORT=${REDIS_PORT} -e REDIS_PASS=${REDIS_PASS} \
-e DECRYPT_REDIS_PASS=${DECRYPT_REDIS_PASS} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e ENCRYPTION_IV=${ENCRYPTION_IV} \
-e TOKEN_GOOGLE_URL=https://www.googleapis.com/oauth2/v3/tokeninfo \
-e TOKEN_FACEBOOK_URL=https://graph.facebook.com/debug_token \
-e TOKEN_GITHUB_URL=https://api.github.com/user \
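Review bot: `ENCRYPTION_KEY` and `ENCRYPTION_IV` are passed with `-e`, which places the decryption key in the container environment next to the ciphertext it protects, where `docker inspect` and every process in the container can read it, and the expanded `-e ENCRYPTION_KEY=...` flag also ends up in the make output and shell history. Consider `--env-file` or a secrets mechanism for the key, and at minimum document in the Makefile that enabling `DECRYPT_REDIS_PASS` only hides the password in config files, not from anyone with access to the running container.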
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -50,6 +50,11 @@ docker run -p 80:80 -p <managedurl_port>:8080 -p 9000:9000 \
openwhisk/apigateway:latest
```

(Optional) The redis password can be passed in encrypted using the `aes-256-cbc` encryption algorithm. To do so, pass in the following environment variables, in addition to the encrypted password:
- `DECRYPT_REDIS_PASS=true`
- `ENCRYPTION_KEY=<32 Byte hex string that was used for encryption>`
- `ENCRYPTION_IV=<16 Byte hex string that was used for encryption>`

## API
- [v2 Management Interface](https://github.com/openwhisk/openwhisk-apigateway/blob/master/doc/v2/management_interface_v2.md)
- [v1 Management Interface](https://github.com/openwhisk/openwhisk-apigateway/blob/master/doc/v1/management_interface_v1.md)
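Review bot: the key and IV sizes in the new README paragraph are ambiguous: `openssl enc -K` and `-iv` take hex-encoded values, so a 32-byte AES-256 key is 64 hex characters and a 16-byte IV is 32 hex characters; write "hex-encoded 32-byte key (64 hex characters)" and "hex-encoded 16-byte IV (32 hex characters)" so users do not supply a 32-character string and get a silently wrong key. The text should also state the ciphertext format init.sh expects (base64, given its `-base64` flag) and how to produce it, and be explicit that the key and IV are supplied in the same environment as the encrypted password, so this protects the password only where the environment file is stored, and that plain CBC gives no tamper detection.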
3 changes: 3 additions & 0 deletions api-gateway.conf
Expand Up @@ -43,6 +43,9 @@ env TOKEN_GOOGLE_URL;
env TOKEN_FACEBOOK_URL;
env TOKEN_GITHUB_URL;

env ENCRYPTION_KEY;
env ENCRYPTION_IV;


events {
use epoll;
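Review bot: `env ENCRYPTION_KEY;` and `env ENCRYPTION_IV;` hand the decryption key to every nginx worker, and so to any Lua module via `os.getenv`, but decryption already happens in init.sh before nginx starts, so nothing in the server needs them; drop both lines unless some Lua code actually reads them, to keep the key out of the worker environment. The hunk also leaves a doubled blank line after the new block.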
4 changes: 4 additions & 0 deletions init.sh
Expand Up @@ -21,6 +21,10 @@ log_level=${LOG_LEVEL:-warn}
marathon_host=${MARATHON_HOST}
redis_host=${REDIS_HOST}
redis_port=${REDIS_PORT}
if [ "${DECRYPT_REDIS_PASS}" == "true" ]; then
export REDIS_PASS=$(printf "${REDIS_PASS}\n" | openssl enc -d -K ${ENCRYPTION_KEY} -iv ${ENCRYPTION_IV} -aes-256-cbc -base64)
fi

sleep_duration=${MARATHON_POLL_INTERVAL:-5}
# location for a remote /etc/api-gateway folder.
# i.e s3://api-gateway-config
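Review bot: a failed decryption is silent here: if `openssl enc -d` exits non-zero (wrong key, wrong IV, malformed base64), the command substitution yields an empty string and `export REDIS_PASS=` still succeeds, so the gateway starts with an empty Redis password instead of failing. Capture the output first and check the status, e.g. `decrypted=$(printf '%s\n' "$REDIS_PASS" | openssl enc -d -K "$ENCRYPTION_KEY" -iv "$ENCRYPTION_IV" -aes-256-cbc -base64) || { echo "failed to decrypt REDIS_PASS" >&2; exit 1; }` and export afterwards. Smaller points in the same lines: `printf "${REDIS_PASS}\n"` uses the value as a format string, so prefer `printf '%s\n' "$REDIS_PASS"`; quote `"${ENCRYPTION_KEY}"` and `"${ENCRYPTION_IV}"` so an unset variable produces a clear openssl error rather than a mis-parsed argument list; `==` inside `[ ]` is not POSIX, so use `=` if this script runs under plain sh; and passing the key via `-K`/`-iv` exposes it in the process list for the duration of the call.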
