Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2018/05/19 02:43:37 UTC

[GitHub] mhamann closed pull request #302: Add option to encrypt redis password

mhamann closed pull request #302: Add option to encrypt redis password
URL: https://github.com/apache/incubator-openwhisk-apigateway/pull/302
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/Dockerfile b/Dockerfile
index 9962c92..124e2e1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,7 +26,7 @@ FROM alpine:latest
 # install dependencies
 RUN apk --update add \
     gcc tar libtool zlib jemalloc jemalloc-dev perl \
-    ca-certificates wget make musl-dev openssl-dev pcre-dev g++ zlib-dev curl python \
+    ca-certificates wget make musl-dev openssl-dev openssl pcre-dev g++ zlib-dev curl python \
     perl-test-longstring perl-list-moreutils perl-http-message geoip-dev dumb-init jq \
     && update-ca-certificates \
     && rm -rf /var/cache/apk/*
diff --git a/Makefile b/Makefile
index 8411007..d4eee3b 100644
--- a/Makefile
+++ b/Makefile
@@ -58,6 +58,7 @@ docker-run:
 	docker run --rm --name="apigateway" -p 80:80 -p ${PUBLIC_MANAGEDURL_PORT}:8080 -p 9000:9000 \
 		-e PUBLIC_MANAGEDURL_HOST=${PUBLIC_MANAGEDURL_HOST} -e PUBLIC_MANAGEDURL_PORT=${PUBLIC_MANAGEDURL_PORT} \
 		-e REDIS_HOST=${REDIS_HOST} -e REDIS_PORT=${REDIS_PORT} -e REDIS_PASS=${REDIS_PASS} \
+		-e DECRYPT_REDIS_PASS=${DECRYPT_REDIS_PASS} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e ENCRYPTION_IV=${ENCRYPTION_IV} \
 		-e TOKEN_GOOGLE_URL=https://www.googleapis.com/oauth2/v3/tokeninfo \
 	 	-e TOKEN_FACEBOOK_URL=https://graph.facebook.com/debug_token \
 		-e TOKEN_GITHUB_URL=https://api.github.com/user \
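
Review bot: On the added `-e DECRYPT_REDIS_PASS=... -e ENCRYPTION_KEY=... -e ENCRYPTION_IV=...` line, the key and IV are handed to the container through the same channel as the ciphertext in `-e REDIS_PASS=${REDIS_PASS}` one line above, so anyone who can read the container environment or this `docker run` command line has everything needed to decrypt the password. If the intent is to keep the Redis password away from whoever can see the environment, supply the key separately from the ciphertext, for example from a mounted file that init.sh reads, rather than as a sibling `-e` variable.
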
diff --git a/README.md b/README.md
index 7b77729..ae8fbf6 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,11 @@ docker run -p 80:80 -p <managedurl_port>:8080 -p 9000:9000 \
             openwhisk/apigateway:latest
 ```
 
+(Optional) The redis password can be passed in encrypted using the `aes-256-cbc` encryption algorithm. To do so, pass in the following environment variables, in addition to the encrypted password:
+- `DECRYPT_REDIS_PASS=true`
+- `ENCRYPTION_KEY=<32 Byte hex string that was used for encryption>`
+- `ENCRYPTION_IV=<16 Byte hex string that was used for encryption>`
+
 ## API
 - [v2 Management Interface](https://github.com/openwhisk/openwhisk-apigateway/blob/master/doc/v2/management_interface_v2.md)
 - [v1 Management Interface](https://github.com/openwhisk/openwhisk-apigateway/blob/master/doc/v1/management_interface_v1.md)
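
Review bot: The added README paragraph does not say how to produce the encrypted value, and init.sh decrypts with `openssl enc -d -K ... -iv ... -aes-256-cbc -base64`, so the value in REDIS_PASS has to be base64-encoded output of the matching `openssl enc` encryption with the same `-K` and `-iv`. Please document that encryption command next to these bullets. "32 Byte hex string" and "16 Byte hex string" are also ambiguous: `-K` and `-iv` take hex digits, so state the lengths as 64 hex characters (32 bytes) and 32 hex characters (16 bytes).
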
diff --git a/api-gateway.conf b/api-gateway.conf
index 0486fd1..64da494 100644
--- a/api-gateway.conf
+++ b/api-gateway.conf
@@ -43,6 +43,9 @@ env TOKEN_GOOGLE_URL;
 env TOKEN_FACEBOOK_URL;
 env TOKEN_GITHUB_URL;
 
+env ENCRYPTION_KEY;
+env ENCRYPTION_IV;
+
 
 events {
     use epoll;
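
Review bot: The two added directives, `env ENCRYPTION_KEY;` and `env ENCRYPTION_IV;`, keep the key and IV in the environment of the nginx processes, but the only consumer visible in this patch is init.sh, which decrypts before the gateway starts. Unless something inside nginx reads these variables, drop both lines so the key material does not outlive the decryption step; if there is such a consumer, a comment here naming it would help.
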
diff --git a/init.sh b/init.sh
index 4c4cd35..c68fe96 100755
--- a/init.sh
+++ b/init.sh
@@ -21,6 +21,10 @@ log_level=${LOG_LEVEL:-warn}
 marathon_host=${MARATHON_HOST}
 redis_host=${REDIS_HOST}
 redis_port=${REDIS_PORT}
+if [ "${DECRYPT_REDIS_PASS}" == "true" ]; then
+    export REDIS_PASS=$(printf "${REDIS_PASS}\n" | openssl enc -d -K ${ENCRYPTION_KEY} -iv ${ENCRYPTION_IV} -aes-256-cbc -base64)
+fi
+
 sleep_duration=${MARATHON_POLL_INTERVAL:-5}
 # location for a remote /etc/api-gateway folder.
 # i.e s3://api-gateway-config
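
Review bot: On the added `export REDIS_PASS=$(printf ... | openssl enc -d ...)` line, a failed decryption goes unnoticed: `export VAR=$(cmd)` returns the status of `export`, not of `openssl`, so a wrong key or IV or a malformed value leaves REDIS_PASS empty or garbage and the script carries on. Assign to a temporary variable first, check the exit status and that the result is non-empty, and exit with an error before exporting. In the same line, `printf "${REDIS_PASS}\n"` uses the secret as the format string, so `printf '%s\n' "${REDIS_PASS}"` is safer, and `${ENCRYPTION_KEY}` and `${ENCRYPTION_IV}` should be quoted. Passing the key with `-K` also puts it on the openssl command line where it is visible in the process list while the command runs.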


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services