diff --git a/Dockerfile b/Dockerfile
index 9962c920..124e2e1b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,7 +26,7 @@ FROM alpine:latest
 # install dependencies
 RUN apk --update add \
 gcc tar libtool zlib jemalloc jemalloc-dev perl \
- ca-certificates wget make musl-dev openssl-dev pcre-dev g++ zlib-dev curl python \
+ ca-certificates wget make musl-dev openssl-dev openssl pcre-dev g++ zlib-dev curl python \
 perl-test-longstring perl-list-moreutils perl-http-message geoip-dev dumb-init jq \
 && update-ca-certificates \
 && rm -rf /var/cache/apk/*
diff --git a/Makefile b/Makefile
index 84110078..d4eee3bb 100644
--- a/Makefile
+++ b/Makefile
@@ -58,6 +58,7 @@ docker-run:
 docker run --rm --name="apigateway" -p 80:80 -p ${PUBLIC_MANAGEDURL_PORT}:8080 -p 9000:9000 \
 -e PUBLIC_MANAGEDURL_HOST=${PUBLIC_MANAGEDURL_HOST} -e PUBLIC_MANAGEDURL_PORT=${PUBLIC_MANAGEDURL_PORT} \
 -e REDIS_HOST=${REDIS_HOST} -e REDIS_PORT=${REDIS_PORT} -e REDIS_PASS=${REDIS_PASS} \
+ -e DECRYPT_REDIS_PASS=${DECRYPT_REDIS_PASS} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e ENCRYPTION_IV=${ENCRYPTION_IV} \
 -e TOKEN_GOOGLE_URL=https://www.googleapis.com/oauth2/v3/tokeninfo \
 -e TOKEN_FACEBOOK_URL=https://graph.facebook.com/debug_token \
 -e TOKEN_GITHUB_URL=https://api.github.com/user \
diff --git a/README.md b/README.md
index 7b777299..ae8fbf60 100644
--- a/README.md
+++ b/README.md
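Review bot: The `openssl` package added on the `+` line becomes a runtime dependency of the new decryption step in init.sh, but it is installed unpinned on top of an `alpine:latest` base (visible in the hunk header), so the `openssl enc` behaviour the gateway now relies on can change from one build to the next. Pin it like the other packages should be, e.g. `openssl=<pinned-version>` (placeholder), and consider pinning the base image tag in the same change so the two stay in step.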
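Review bot: `ENCRYPTION_KEY` and `ENCRYPTION_IV` are handed to the container on the `+` line as plain `-e` environment variables right next to the ciphertext in `REDIS_PASS`, so anyone who can read the container environment (`docker inspect`, `/proc/<pid>/environ` inside the container) holds both key and ciphertext and recovers the password; the scheme only protects the value at rest in whatever feeds these make variables. Make also expands the key onto the `docker run` command line, where it is visible in the host process list while the command runs. This limitation is worth stating in the README hunk, and an `--env-file` with restricted permissions is preferable to command-line expansion for the key material.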
@@ -50,6 +50,11 @@ docker run -p 80:80 -p :8080 -p 9000:9000 \
 openwhisk/apigateway:latest
 ```
+(Optional) The redis password can be passed in encrypted using the `aes-256-cbc` encryption algorithm. To do so, pass in the following environment variables, in addition to the encrypted password:
+- `DECRYPT_REDIS_PASS=true`
+- `ENCRYPTION_KEY=<32 Byte hex string that was used for encryption>`
+- `ENCRYPTION_IV=<16 Byte hex string that was used for encryption>`
+
 ## API
 - [v2 Management Interface](https://github.com/openwhisk/openwhisk-apigateway/blob/master/doc/v2/management_interface_v2.md)
 - [v1 Management Interface](https://github.com/openwhisk/openwhisk-apigateway/blob/master/doc/v1/management_interface_v1.md)
diff --git a/api-gateway.conf b/api-gateway.conf
index 0486fd16..64da494e 100644
--- a/api-gateway.conf
+++ b/api-gateway.conf
@@ -43,6 +43,9 @@ env TOKEN_GOOGLE_URL;
 env TOKEN_FACEBOOK_URL;
 env TOKEN_GITHUB_URL;
+env ENCRYPTION_KEY;
+env ENCRYPTION_IV;
+
 events {
 use epoll;
diff --git a/init.sh b/init.sh
index 4c4cd357..c68fe96e 100755
--- a/init.sh
+++ b/init.sh
@@ -21,6 +21,10 @@ log_level=${LOG_LEVEL:-warn}
 marathon_host=${MARATHON_HOST}
 redis_host=${REDIS_HOST}
 redis_port=${REDIS_PORT}
+if [ "${DECRYPT_REDIS_PASS}" == "true" ]; then
+ export REDIS_PASS=$(printf "${REDIS_PASS}\n" | openssl enc -d -K ${ENCRYPTION_KEY} -iv ${ENCRYPTION_IV} -aes-256-cbc -base64)
+fi
+
 sleep_duration=${MARATHON_POLL_INTERVAL:-5}
 # location for a remote /etc/api-gateway folder.
 # i.e s3://api-gateway-config
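Review bot: The two added `env` directives make `ENCRYPTION_KEY` and `ENCRYPTION_IV` readable by every nginx worker and the Lua code running in them, even though the init.sh hunk below already replaces `REDIS_PASS` with the decrypted value in the shell environment, so the key material appears to outlive the one place it is needed. If no Lua module reads these variables — none is visible in this diff — drop the two lines; if one does, a comment naming the consumer, `# read by <lua module> — see init.sh DECRYPT_REDIS_PASS`, would make that dependency visible to the next reader.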
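Review bot: `export REDIS_PASS=$(...)` on the added line discards openssl's exit status, so a wrong key, wrong IV or bad padding leaves `REDIS_PASS` silently empty and the gateway goes on to authenticate to redis with no password; capture the output first and stop the script when openssl reports an error. The `printf "${REDIS_PASS}\n"` also uses the input as the format string — harmless for well-formed base64, but any `%` or backslash sequence in the value would be interpreted rather than passed through — so `printf '%s\n' "${REDIS_PASS}"` is the safe form, and `${ENCRYPTION_KEY}`/`${ENCRYPTION_IV}` should be quoted. `==` inside `[ ]` is not POSIX; it works under bash and busybox ash, which the shebang (outside the hunk) would confirm, but `=` works everywhere.
```shell
if [ "${DECRYPT_REDIS_PASS}" = "true" ]; then
  decrypted_redis_pass=$(printf '%s\n' "${REDIS_PASS}" | openssl enc -d -aes-256-cbc -base64 -K "${ENCRYPTION_KEY}" -iv "${ENCRYPTION_IV}") || {
    echo "init.sh: failed to decrypt REDIS_PASS; check ENCRYPTION_KEY and ENCRYPTION_IV" >&2
    exit 1
  }
  export REDIS_PASS="${decrypted_redis_pass}"
fi
```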